Workspace ONE Intelligence Integration Update

Posted on September 3, 2021


Since VMware’s acquisition of Carbon Black, Carbon Black Cloud and Workspace ONE Intelligence have been working on updating the existing integration to be more seamless, building towards the vision of Intrinsic Security.

Soon, customers who have enabled the Carbon Black Cloud to Workspace ONE Intelligence integration will be migrated to a new integration experience.

When is this happening?

Customers who have the existing Carbon Black Cloud and Workspace ONE Intelligence integration enabled will be migrated on September 20th.

What are the benefits of the updated integration?

In the spirit of Intrinsic Security, the updated integration is built in, not bolted on; it more closely connects VMware Carbon Black Cloud and Workspace ONE Intelligence.

The initial rollout will provide you with the same experience as you have today, but we’ve made changes under the hood to make the integration faster and more reliable. It’s also more flexible, so future releases can add enhancements such as additional data sources and SOAR workflows.

Instead of using the Notifications API, Workspace ONE will provision a Carbon Black Cloud Data Forwarder, which will stream your Carbon Black Cloud alerts directly to Workspace ONE Intelligence.

Where do I go with questions?

Head over to the Carbon Black Cloud User Exchange.

What changes will I see in the Carbon Black Cloud console?

  • Under Settings -> API Access, you’ll find a new API key with the name and Access Level of “VMWare Workspace ONE Intelligence”.
  • If you list your active Data Forwarder instances, there will be one of each type, alert and endpoint.event, named according to the convention ws1-{environment}-carbonblack-{type}-{orgKey}, for example ws1-na1-carbonblack-alert-ABCD1234.

What changes will I see in the Workspace ONE Intelligence console?

  • Customers who already have the integration configured will be automatically migrated to the new experience.

  • You’ll receive an updated copy of the alert in Workspace ONE Intelligence if Carbon Black Cloud learns more about the threat. The original alert will be tagged with a Threat Status of Detected, and each update with a Threat Status of Updated. If you have custom widgets in Workspace ONE Intelligence, consider adding the filter Threat Status <Not Equals> Updated.

  • If you need to update your integration configuration: under Integrations, find the Carbon Black card and click SET UP. You’ll see a new set of fields that need to be provided to configure the integration:

    • Base URL: Enter the API endpoint URL for your Carbon Black Cloud instance so that Workspace ONE Intelligence can access it. For example, https://defense-prod05.conferdeploy.net

    • API ID: This is available in the Carbon Black Cloud console, under Settings -> API Access. Enter the value for the key that gives Workspace ONE Intelligence permission to authenticate with your Carbon Black Cloud instance. It should use the pre-created Access Level VMware Workspace ONE Intelligence or a custom Access Level with the permissions specified below.

    • API Secret Key: Enter the value that is paired with the API ID above.

    • Org Key: Enter the value shown in your Carbon Black Cloud console. This uniquely identifies your Carbon Black Cloud tenant. The string is 8 alphanumeric characters.
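
To confirm after migration that the Data Forwarders in your tenant match the naming convention and Org Key format described above, a check like the following can be run over the list of forwarder names. This is an added example, not code from VMware or Carbon Black; the function name, the finding strings, the sample names, and the assumptions that {environment} is lowercase alphanumeric and that {type} appears literally in the name are illustrative.

```python
import re
from collections import Counter

# Naming convention from the post: ws1-{environment}-carbonblack-{type}-{orgKey}
# Assumptions: {environment} is lowercase alphanumeric (e.g. "na1") and {type}
# appears literally as "alert" or "endpoint.event".
FORWARDER_RE = re.compile(
    r"ws1-(?P<env>[a-z0-9]+)-carbonblack-"
    r"(?P<type>alert|endpoint\.event)-(?P<org>[A-Za-z0-9]{8})"
)
EXPECTED_TYPES = ("alert", "endpoint.event")


def audit_forwarders(names, org_key):
    """Return a list of findings for the forwarder names of one tenant."""
    if not re.fullmatch(r"[A-Za-z0-9]{8}", org_key):
        raise ValueError("org key must be 8 alphanumeric characters")
    findings, seen = [], Counter()
    for name in names:
        if not name.startswith("ws1-"):
            continue  # not claimed by the integration; out of scope here
        m = FORWARDER_RE.fullmatch(name)
        if m is None:
            findings.append(f"malformed: {name}")
        elif m["org"] != org_key:
            findings.append(f"foreign org key: {name}")
        else:
            seen[m["type"]] += 1
    # The post says there will be one forwarder of each type.
    for ftype in EXPECTED_TYPES:
        if seen[ftype] == 0:
            findings.append(f"missing type: {ftype}")
        elif seen[ftype] > 1:
            findings.append(f"duplicate type: {ftype} x{seen[ftype]}")
    return findings


# Constructed sample data, not taken from a real tenant.
SAMPLE = [
    "ws1-na1-carbonblack-alert-ABCD1234",
    "ws1-na1-carbonblack-endpoint.event-ABCD1234",
    "siem-export-alerts",                      # customer's own forwarder
    "ws1-na1-carbonblack-alert-ZZZZ9999",      # key of a different tenant
    "ws1-na1-carbonblack-watchlist-ABCD1234",  # type the post does not list
]

if __name__ == "__main__":
    for finding in audit_forwarders(SAMPLE, "ABCD1234"):
        print(finding)
```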

Which RBAC Permissions will the VMWare Workspace ONE Intelligence Access Level have?

| Permission Name | Actions | Reason |
| --- | --- | --- |
| event-forwarder.settings | CREATE, READ, UPDATE, DELETE | Workspace ONE will create and manage forwarders on your behalf to stream alert data into Workspace ONE Intelligence |
| org.search.events | CREATE, READ | Future capabilities: Search Carbon Black Cloud for additional context about an alert |
| device (General Information) | READ | Future capabilities: Get information about a specific endpoint |
| device.quarantine | EXECUTE | Future capabilities: Automatically quarantine an endpoint from WS1 |
| org.alerts.dismiss | EXECUTE | Future capabilities: Dismiss a Carbon Black Cloud alert from WS1 |
| org.alerts.notes | CREATE | Future capabilities: Add context to a Carbon Black Cloud alert from WS1 |