Posted on September 3, 2021
Since VMware’s acquisition of Carbon Black, Carbon Black Cloud and Workspace ONE Intelligence have been working on updating the existing integration to be more seamless, building towards the vision of Intrinsic Security.
Soon, customers who have enabled the Carbon Black Cloud to Workspace ONE Intelligence integration will be migrated to a new integration experience.
Update: The date of migration is yet to be determined. We were previously targeting September 20th 2021, however this has been delayed.
In the spirit of Intrinsic Security, the updated integration is built in, not bolted on; it more closely connects VMware Carbon Black Cloud and Workspace ONE Intelligence.
The initial rollout will provide you with the same experience as you have today, but we’ve made changes under the hood to make the integration faster and more reliable. It’s also more flexible to support additional enhancements such as additional data sources and SOAR workflows in future releases.
Instead of using the Notifications API, Workspace ONE will provision a Carbon Black Cloud Data Forwarder, which will stream your Carbon Black Cloud alerts directly to Workspace ONE Intelligence.
Head over to the Carbon Black Cloud User Exchange
Settings -> API Access, you’ll find a new API key with the name and Access Level of “VMWare Workspace ONE Intelligence”.ws1-{environment}-carbonblack-{type}-{orgKey}, for example ws1-na1-carbonblack-alert-ABCD1234Customers who already have the integration configured will be automatically migrated to the new experience.
You’ll receive an updated copy of the alert in Workspace ONE Intelligence if Carbon Black Cloud learns more about the
threat. The original alert will be tagged with a Threat Status of Detected and updates with Threat Status of Updated.
If you have custom widgets in Workspace ONE Intelligence, consider adding the filter Threat Status <Not Equals> Updated.
If you need to update your integration configuration: under Integrations, find the Carbon Black card and click SET UP.
You’ll see a new set of fields that need to be provided to configure the integration:
Base URL: Enter the API endpoint URL for
your Carbon Black Cloud instance so that Workspace ONE Intelligence can access it.
For example, https://defense-prod05.conferdeploy.net
API ID: This is available in the Carbon Black Cloud console, under Settings -> API Access. Enter the value
for the key that gives Workspace ONE Intelligence permission to authenticate with your Carbon Black Cloud instance.
It should use the pre-created Access Level VMware Workspace ONE Intelligence or a custom Access Level with the
permissions specified below.
API Secret Key: Enter the value that is paired with the API ID above.
Org Key: Enter the value shown in your Carbon Black Cloud console. This uniquely identifies your Carbon Black Cloud
tenant. The string is 8 alphanumeric characters.
VMWare Workspace ONE Intelligence Access Level have?| Permission Name | Actions | Reason |
|---|---|---|
| event-forwarder.settings | CREATE, READ, UPDATE, DELETE | Workspace ONE will create and manage forwarders on your behalf to stream alert data into Workspace ONE Intelligence |
| org.search.events | CREATE, READ | Future capabilities: Search Carbon Black Cloud for additional context about an alert |
| device (General Information) | READ | Future capabilities: Get information about a specific endpoint |
| device.quarantine | EXECUTE | Future capabilities: Automatically quarantine an endpoint from WS1 |
| org.alerts.dismiss | EXECUTE | Future capabilities: Dismiss a Carbon Black Cloud alert from WS1 |
| org.alerts.notes | CREATE | Future capabilities: Add context to a Carbon Black Cloud alert from WS1 |