Carbon Black Cloud Platform Integrations

As of January 2020, we have renamed all Carbon Black products. API documentation will be updated in the coming months to reflect the new product names.

Integrations developed by Carbon Black all have similar installation instructions, unless otherwise specified.

Integrations may require an API URL, which is accessible through a special hostname assigned to your organization. To find your organization’s API hostname, please refer to the Authentication Guide.

Carbon Black Integration Network

Carbon Black partners with industry leaders to create integrated solutions helping you to achieve end-to-end protection across security systems. The Carbon Black Integration Network highlights our Partners and the solutions they have built using our Open APIs.

Members of the Carbon Black partner program can submit their products to Carbon Black for certification and promotion on our Integration Network. Learn more about the Carbon Black Partner Program here.

SIEM Connectors

These connectors allow users to send notifications or alerts into a SIEM like Splunk or QRadar.

Carbon Black Cloud Syslog Connector

The syslog connector lets administrators forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and:

  • Generates pipe-delimited syslog messages with alert metadata identified by the streaming prevention system
  • Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream
  • Can be configured to use UDP, TCP, or encrypted (TCP over TLS) syslog protocols



You can install the Syslog Connector using either PyPI or GitHub.

How to Automate the Carbon Black Cloud Syslog Connector

The syslog connector can be automated on all Platforms. Please select your desired Operating System for more information.

Sandbox Connectors

Zscaler Internet Access Sandbox Integration

The Zscaler integration is between Zscaler’s Internet Access (ZIA) Sandbox and Carbon Black Cloud Endpoint Standard or Enterprise EDR. Zscaler can scan all files before they reach the endpoint if they come through the network, but cannot scan files coming in from other methods, or prior to sensor installation.

This connector will scan for any Enterprise Standard events or Enterprise EDR processes. It pulls the processes, checks the unique hashes against a database of files that have been checked in the past, and if the file is not known, a request to Zscaler’s Sandbox is made to see if they have any information on it. If they do, or if the local database indicates the file is malicious, you can take one of the following actions:

  • Add to an Enterprise EDR Watchlist Feed
  • Pass the event and sandbox report to a webhook
  • Run a script
  • Isolate the endpoint
  • Move the endpoint into a policy


  • Carbon Black Cloud Endpoint Standard or Enterprise EDR
  • Proper licensing from Zscaler with Sandbox enabled

Getting Started

See the installation instructions on Github.

Last modified on May 20, 2020