
Exabeam Cloud Connectors Configuration Guide


VMware Carbon Black Cloud Endpoint Standard Cloud Connector

VMware Carbon Black is a cloud-native endpoint and workload protection platform. Endpoint Standard, formerly known as CB Defense, is VMware Carbon Black's anti-virus solution and helps to meet PCI DSS requirements. Endpoint Standard monitors security, compliance, and operations, prevents attacks, and helps you investigate endpoint infections and other security compromises. For more information, visit the VMware Carbon Black website.

Audit Source API and Security Event Support for the Carbon Black Endpoint Standard Cloud Connector

The following table (Table 34) lists the audit source API and the security events supported by the connector.

Audit Source: API

Service or Module Covered: Events (February 1, 2022 and later)

On February 1, 2022, VMware deprecates the Event API (https://<yourhost>.conferdeploy.net/integrationServices/v3/event).

VMware advised that the best replacement for the Event API is their Event Forwarder. This is the recommended way to retrieve both the CB Defense (VMware Carbon Black Cloud Endpoint Standard) feed and the CB ThreatHunter (VMware Carbon Black Cloud Enterprise EDR) feed. For more information, see Set up the Event Forwarder to Collect Events.

Important

The parsers for the new feed (CB ThreatHunter) are in early access. Contact Exabeam support if you wish to use them. The Event Forwarder forwards events and alerts from the Carbon Black servers into a customer-managed S3 bucket, from which the Custom Cloud Connector pulls them.

Service or Module Covered: Events (before February 1, 2022)

Query the Endpoint Standard datastore to get information about individual endpoint events.

Retrieve all notifications and alerts with the following event types:

  • NETWORK

  • FILE_CREATE

  • REGISTRY_ACCESS

  • SYSTEM_API_CALL

  • CREATE_PROCESS

  • DATA_ACCESS

  • INJECT_CODE

Every retrieved event contains a field alertScore:

  • If alertScore is less than 3, the event is treated as a notification.

  • If alertScore is 3 or higher, the event is treated as an alert.

For more information, see https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/.

Service or Module Covered: Audit Log Events

Audit log notifications for events such as:

  • User login attempts

  • Updates to connectors

  • Creation of connectors

Table 34. Audit source API and security events


Carbon Black Defense API Deprecation

Background

VMware announced that they will deprecate some of their APIs. Initially this was planned for February 1, 2021, but was delayed to February 1, 2022.

Exabeam Cloud Connectors are currently pulling from the CB Defense feed (new name: VMware Carbon Black Cloud Endpoint Standard) using the following APIs:

  • Audit Logs API (https://<yourhost>.conferdeploy.net/integrationServices/v3/auditLogs)

  • Event API (https://<yourhost>.conferdeploy.net/integrationServices/v3/event)

The Audit Logs API is not being deprecated; the Event API is.

VMware advised that the best replacement for the Event API is their new Event Forwarder. This is the recommended way to retrieve both the CB Defense (VMware Carbon Black Cloud Endpoint Standard) feed and the CB ThreatHunter (VMware Carbon Black Cloud Enterprise EDR) feed. With the new method, Exabeam therefore collects a new feed (ThreatHunter) in addition to the existing feed (CB Defense).

Note

The parsers for the new feed (CB ThreatHunter) are in early access. Contact Exabeam support if you wish to use them.

The Event Forwarder forwards events and alerts from the Carbon Black servers into a customer-managed S3 bucket, from which the Custom Cloud Connector pulls them.

The audit logs will continue to be pulled directly via the API, in the Carbon Black Cloud Connector.

The integration is shown in the following diagram.

[Diagram: Carbon Black integration overview (image not reproduced)]
Required Actions

Before February 1, 2022, existing customers using the Cloud Connector for CB Defense must complete the following actions:

  1. Configure the Carbon Black Event Forwarder. Please follow the step by step instructions provided by VMware.

  2. In the Exabeam Cloud Connectors UI, select the CB Defense cloud connector, click Status, and stop all endpoints except the auditlog endpoint.

  3. Onboard a new Custom Cloud Connector to pull the feed from your previously configured S3 bucket. During configuration, choose the Pass-through processor.

  4. Install the appropriate content package from the Content Library. Note again that the ThreatHunter parsers are in early access, so contact Exabeam support for details.

Prerequisites to Configure the VMware Carbon Black Cloud Connector

Before you configure the Endpoint Standard connector you must complete the following prerequisites:

Create an API Key

Carbon Black Cloud APIs and services are authenticated with API keys. You must set up access levels and API keys in the Carbon Black Cloud console.

To create an API Key:

  1. Log in to the VMware Carbon Black Cloud console.

  2. Navigate to Settings > API Access > API Keys.

  3. Click Add API Key.

  4. Enter the required information, and set the access level to API. For instructions, see Carbon Black developers help.

  5. Note the API Secret Key (a string of letters; for example, ABCDEFGHIJKLMNOPQRSTUVWX) and the API ID (a string of digits; for example, 12345678). Treat the API Secret Key as a credential: store it in a secrets manager, not in a ticket or chat message.

Use the API Secret Key and API ID to complete the Endpoint Standard connector configuration.

Obtain a Host Name

The connector requires an API URL, reachable through a host name that Carbon Black assigns to your organization, for the Endpoint Standard connector configuration. Contact the VMware Carbon Black Cloud support team to obtain the host name.

The Exabeam Cloud Connector uses the API ‘CB-D’ and service category /integrationServices/*.

The hostname that you receive from the Carbon Black Cloud support team looks like this: https://api-<environment>.conferdeploy.net/. The ‘environment’ part identifies your Carbon Black Cloud environment, such as prod02, prod04, or prod05. For more information, see Carbon Black Cloud API Access.

Use this hostname to reach the Carbon Black API and complete the Endpoint Standard connector configuration.
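The following Python helpers tie the prerequisites above together with the alertScore rule from the audit source table: they reduce the support-supplied URL to the api-<environment> label the connector expects, build the Carbon Black Cloud authentication header, produce a log-safe copy of that header, and classify legacy Event API records and audit log notifications. This is an added example, not Exabeam's or VMware's code. It relies on the documented X-Auth-Token format (API Secret Key, a slash, API ID); the field names eventType, eventTime, loginName, clientIp, flagged and description, and the success/message/notifications response envelope, are assumptions, and all sample data is constructed inline. The hostname check exists because a typo in the conferdeploy.net suffix would send the API key to an unrelated domain.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

CONFERDEPLOY_SUFFIX = ".conferdeploy.net"
ENV_HOST_RE = re.compile(r"^api-[a-z0-9]+$")
# Event types the connector retrieves from the (deprecated) Event API.
SUPPORTED_EVENT_TYPES = {"NETWORK", "FILE_CREATE", "REGISTRY_ACCESS", "SYSTEM_API_CALL",
                         "CREATE_PROCESS", "DATA_ACCESS", "INJECT_CODE"}


def normalize_api_hostname(value: str) -> str:
    """Reduce 'https://api-prod02.conferdeploy.net/', 'api-prod02.conferdeploy.net' or
    'api-prod02' to the 'api-<environment>' label the connector UI expects; reject anything else."""
    value = value.strip()
    host = (urlparse(value).hostname or "") if "://" in value else value.split("/", 1)[0]
    host = host.lower()
    if host.endswith(CONFERDEPLOY_SUFFIX):
        host = host[: -len(CONFERDEPLOY_SUFFIX)]
    if not ENV_HOST_RE.match(host):
        raise ValueError(f"not an api-<environment> hostname: {value!r}")
    return host


def base_url(api_hostname: str) -> str:
    """Full API base URL for the organization's environment."""
    return f"https://{normalize_api_hostname(api_hostname)}{CONFERDEPLOY_SUFFIX}"


def auth_headers(api_id: str, api_secret_key: str) -> Dict[str, str]:
    """Carbon Black Cloud authenticates with X-Auth-Token: <API Secret Key>/<API ID>.
    Values containing '/' or whitespace would corrupt the token, so they are rejected."""
    for name, val in (("API ID", api_id), ("API Secret Key", api_secret_key)):
        if not val or "/" in val or any(c.isspace() for c in val):
            raise ValueError(f"{name} is empty or contains '/' or whitespace")
    return {"X-Auth-Token": f"{api_secret_key}/{api_id}", "Content-Type": "application/json"}


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers that is safe to log: the secret key is masked, the API ID kept."""
    out = dict(headers)
    token = out.get("X-Auth-Token")
    if token:
        secret, _, api_id = token.partition("/")
        out["X-Auth-Token"] = "*" * len(secret) + "/" + api_id
    return out


def classify_event(event: dict) -> Optional[str]:
    """Legacy Event API record: alertScore below 3 is a notification, 3 or higher an alert.
    Returns None for event types the connector does not retrieve. Assumes an 'eventType' field."""
    if event.get("eventType") not in SUPPORTED_EVENT_TYPES:
        return None
    score = event.get("alertScore")
    if not isinstance(score, (int, float)):
        raise ValueError(f"event {event.get('eventId')!r} has no numeric alertScore")
    return "notification" if score < 3 else "alert"


def parse_audit_logs(response: dict) -> List[dict]:
    """Flatten an auditLogs response into records; fail loudly if the API reported an error.
    The envelope and field names are assumptions, see the lead-in."""
    if not response.get("success", False):
        raise RuntimeError(f"auditLogs call failed: {response.get('message')!r}")
    return [{"time_ms": n.get("eventTime"), "user": n.get("loginName"),
             "client_ip": n.get("clientIp"), "flagged": bool(n.get("flagged")),
             "description": n.get("description")}
            for n in response.get("notifications", [])]


# Constructed samples for offline use; not real API output.
SAMPLE_AUDIT_RESPONSE = {
    "success": True, "message": "Success",
    "notifications": [
        {"eventTime": 1640995200000, "eventId": "evt-1", "loginName": "alice@example.com",
         "clientIp": "203.0.113.10", "flagged": False, "description": "Logged in successfully"},
        {"eventTime": 1640995260000, "eventId": "evt-2", "loginName": "bob@example.com",
         "clientIp": "198.51.100.7", "flagged": True, "description": "Connector updated"},
    ],
}
SAMPLE_EVENTS = [
    {"eventId": "e1", "eventType": "CREATE_PROCESS", "alertScore": 1},
    {"eventId": "e2", "eventType": "INJECT_CODE", "alertScore": 7},
    {"eventId": "e3", "eventType": "NETWORK", "alertScore": 3},
    {"eventId": "e4", "eventType": "POLICY_ACTION", "alertScore": 9},
]

if __name__ == "__main__":
    headers = auth_headers("12345678", "ABCDEFGHIJKLMNOPQRSTUVWX")
    print(base_url("https://api-prod02.conferdeploy.net/") + "/integrationServices/v3/auditLogs")
    print(redact_headers(headers))
    print([classify_event(e) for e in SAMPLE_EVENTS])
    print(parse_audit_logs(SAMPLE_AUDIT_RESPONSE))
```

Run it as a script to see the URL, the redacted header, and the classification of the four sample events (notification, alert, alert, and None for an unsupported type). When you wrap a real request around auth_headers, log only the output of redact_headers, and treat a response with success set to false as an authentication or access-level problem rather than an empty feed.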

Set up the Event Forwarder to Collect Events

After VMware deprecates the Event API, you must use the Carbon Black Event Forwarder to collect events. With this method, Exabeam retrieves both the CB Defense (VMware Carbon Black Cloud Endpoint Standard) feed and the CB ThreatHunter (VMware Carbon Black Cloud Enterprise EDR) feed.

[Diagram: Carbon Black Event Forwarder integration (image not reproduced)]

The Event Forwarder forwards events and alerts from the Carbon Black servers into a customer-managed S3 bucket, from which the Custom Cloud Connector pulls them.

To set up the event forwarder:

  1. Configure the Carbon Black Event Forwarder.

    Follow the step-by-step instructions provided by VMware.

  2. Configure the VMware Carbon Black Cloud Connector, as described in Configure the VMware Carbon Black Cloud Connector.

  3. In the Exabeam Cloud Connectors UI, select the CB Defense cloud connector.

  4. Click Status and stop all endpoints except the auditlog endpoint.

  5. Onboard a new Custom Cloud Connector to pull the feed from the S3 bucket you configured in step 1.

    Choose the pass-through processor, then install the appropriate content package from the Content Library.

Configure the VMware Carbon Black Cloud Connector

To configure the Endpoint Standard connector to import data into the Exabeam Cloud Connector platform:

  1. Complete the Prerequisites to Configure the VMware Carbon Black Cloud Connector.

  2. Log in to the Exabeam Cloud Connectors platform with your registered credentials.

  3. Navigate to Settings > Accounts > Add Account.

  4. Click Select Service to Add, then select VMware Carbon Black Cloud from the list.

  5. In the Accounts section, enter the required information.

    1. Tenant – Select a tenant to attach to the connector if you are using the multi-tenant edition of Exabeam. Otherwise, select default.

    2. Account Name – Specify a name for the Endpoint Standard connector; for example, CB_Corporate_Endpoint_Security.

    3. Description – (Optional) Describe the Endpoint Standard connector; for example, “Carbon Black service for corporate endpoint security.”

    4. Connector ID – Enter the API ID that you obtained while completing prerequisites.

    5. API Hostname – Enter the hostname that you obtained while completing prerequisites.

      Note

      Use only the api-<environment> part of your organization's API hostname. If your organization's hostname URL is https://api-prod02.conferdeploy.net/, enter api-prod02 as the API Hostname.

    6. API Key – Enter the API Secret Key that you obtained while completing the prerequisites.

  6. To confirm that the Exabeam Cloud Connector platform communicates with the service, click Test Connection.

  7. Click Done to save your changes. The cloud connector is now set up on the Exabeam Cloud Connector platform.

  8. To ensure that the connector is ready to collect and send data, start the connector and check that its status shows OK.