As of January 2020, CB Defense is now called Endpoint Standard. All documentation will be updated in the coming months to reflect our new product names.

Integrations developed by Carbon Black all have similar installation instructions, unless otherwise specified.

Integrations may require an API URL, which is accessible through a special hostname assigned to your organization. To find your organization’s API hostname, please refer to this KB article.

Carbon Black Integration Network

Carbon Black partners with industry leaders to create integrated solutions helping you to achieve end-to-end protection across security systems. The Carbon Black Integration Network highlights our Partners and the solutions they have built using our Open APIs.

Members of the Carbon Black partner program can submit their products to Carbon Black for certification and promotion on our Integration Network. Learn more about the Carbon Black Partner Program here.

SIEM Connectors

These connectors allow users to send notifications or alerts into a SIEM like Splunk or QRadar.

Carbon Black Cloud Syslog Connector

The syslog connector lets administrators forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and:

• Generates pipe-delimited syslog messages with alert metadata identified by the streaming prevention system
• Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream
• Can be configured to use UDP, TCP, or encrypted (TCP over TLS) syslog protocols

Helpful Links

• Updating PATH in a Windows Environment

Requirements

• CB Defense or CB ThreatHunter
• Python 2.7 running on a 64-bit Intel platform
• pip
• Jinja2
• MarkupSafe
• requests
• Flask
• psutil

Installation

You can install the Syslog Connector using either PyPI or GitHub.

How to Automate the Carbon Black Cloud Syslog Connector

The syslog connector can be automated on all Platforms. Please select your desired Operating System for more information.

• Unix (Linux/MacOS)
• Windows

CB Defense Splunk Add-On

The CB Defense Add-On for Splunk allows administrators to forward events and notifications from the industry’s leading NGAV solution into Splunk for correlation and analysis.

This Add-On is available via Splunkbase at https://splunkbase.splunk.com/app/3545/#/details. You will be able to install this Add-On via Splunkbase on both Splunk on-premise and Splunk Cloud.

Requirements

This app requires CB Defense and Splunk version 6.4 or above.

No additional hardware requirements are necessary for running this app above the standard requirements for both Carbon Black and Splunk.

Getting Started

Install CB Defense app for Splunk and configure it to connect to your CB Defense server. Do this by creating a CB Defense API Key and attaching it to one or more Notification Rules. To create a SIEM API Key and notification rule:

1. Log into your CB Defense Dashboard and select the Settings/API Keys menu option
2. Create a new key of “SIEM” access level and name it. Optionally, restrict access to this connector by IP address range
3. Select the Settings/Notifications menu option
4. Create a new Notification Rule and add your new SIEM connector to the list of notifiers. You can search by API Key name. The Notification Rule defines what alerts are sent to the SIEM. No events will be sent to Splunk if a notification rule isn’t linked to the SIEM connector.

Next, configure the CB Defense app for Splunk to connect to your CB Defense server:

1. Start the CB Defense App in Splunk
2. Go to the “Configuration” tab - “Add-On Settings” page and fill in the following fields:
   1. Enter the API hostname for your CB Defense instance in the URL field. Example: api-url.conferdeploy.net. Refer to: CB Defense API Basics.
   2. Set SIEM API ID to the API ID obtained from the Carbon Black Cloud Console. Do the same for your SIEM API Secret Key. Refer to: Carbon Black Cloud Authentication.
3. Go to the “Inputs” tab and click “Create new input” with the following settings:
   1. Set “name” to anything (for example “cbdefense”)
   2. Set “interval” to 60 seconds (the polling interval of the CB Defense notifications API)
   3. Set “index” to whatever Splunk index you’d like the app to place CB Defense events into

The CB Defense app for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your CB Defense server, so the API key is stored securely on the Splunk server.