Workspace ONE Intelligence Integration Update
Posted on September 3, 2021
Since VMware’s acquisition of Carbon Black, Carbon Black Cloud and Workspace ONE Intelligence have been working on updating the existing integration to be more seamless, building towards the vision of Intrinsic Security.
Soon, customers who have enabled the Carbon Black Cloud to Workspace ONE Intelligence integration will be migrated to a new integration experience.
When is this happening?
Update: The date of migration is yet to be determined. We were previously targeting September 20th 2021, however this has been delayed.
What are the benefits of the updated integration?
In the spirit of Intrinsic Security, the updated integration is built in, not bolted on; it more closely connects VMware Carbon Black Cloud and Workspace ONE Intelligence.
The initial rollout will provide you with the same experience as you have today, but we’ve made changes under the hood to make the integration faster and more reliable. It’s also more flexible to support additional enhancements such as additional data sources and SOAR workflows in future releases.
Instead of using the Notifications API, Workspace ONE will provision a Carbon Black Cloud Data Forwarder, which will stream your Carbon Black Cloud alerts directly to Workspace ONE Intelligence.
Where do I go with questions?
Head over to the Carbon Black Cloud User Exchange
What changes will I see in the Carbon Black Cloud console?
- Under
Settings->API Access, you’ll find a new API key with the name and Access Level of “VMWare Workspace ONE Intelligence”. - If you list your active Data Forwarder instances, there will be one of each type alert and endpoint.event that follow the naming convention
ws1-{environment}-carbonblack-{type}-{orgKey}, for examplews1-na1-carbonblack-alert-ABCD1234
What changes will I see in the Workspace ONE Intelligence console?
-
Customers who already have the integration configured will be automatically migrated to the new experience.
-
You’ll receive an updated copy of the alert in Workspace ONE Intelligence if Carbon Black Cloud learns more about the threat. The original alert will be tagged with a Threat Status of
Detectedand updates with Threat Status ofUpdated. If you have custom widgets in Workspace ONE Intelligence, consider adding the filterThreat Status <Not Equals> Updated. -
If you need to update your integration configuration: under Integrations, find the
Carbon Blackcard and clickSET UP. You’ll see a new set of fields that need to be provided to configure the integration:-
Base URL: Enter the API endpoint URL for your Carbon Black Cloud instance so that Workspace ONE Intelligence can access it. For example,
https://defense-prod05.conferdeploy.net -
API ID: This is available in the Carbon Black Cloud console, underSettings->API Access. Enter the value for the key that gives Workspace ONE Intelligence permission to authenticate with your Carbon Black Cloud instance. It should use the pre-created Access LevelVMware Workspace ONE Intelligenceor a custom Access Level with the permissions specified below. -
API Secret Key: Enter the value that is paired with the API ID above. -
Org Key: Enter the value shown in your Carbon Black Cloud console. This uniquely identifies your Carbon Black Cloud tenant. The string is 8 alphanumeric characters.
-
Which RBAC Permissions will the VMWare Workspace ONE Intelligence Access Level have?
| Permission Name | Actions | Reason |
|---|---|---|
| event-forwarder.settings | CREATE, READ, UPDATE, DELETE | Workspace ONE will create and manage forwarders on your behalf to stream alert data into Workspace ONE Intelligence |
| org.search.events | CREATE, READ | Future capabilities: Search Carbon Black Cloud for additional context about an alert |
| device (General Information) | READ | Future capabilities: Get information about a specific endpoint |
| device.quarantine | EXECUTE | Future capabilities: Automatically quarantine an endpoint from WS1 |
| org.alerts.dismiss | EXECUTE | Future capabilities: Dismiss a Carbon Black Cloud alert from WS1 |
| org.alerts.notes | CREATE | Future capabilities: Add context to a Carbon Black Cloud alert from WS1 |