Carbon Black Cloud
Overview
Alerts are pushed to ActiveEye by the Carbon Black Cloud Data Forwarder and then enriched through the Carbon Black Cloud APIs. Two things must be set up in the Carbon Black Cloud console: a Data Forwarder that writes to the bucket ActiveEye provides, and an API Key whose Access Level grants only the permissions the enrichment needs. This document describes both.
Create an API Key for enriching alerts
The API Key uses a custom Access Level and is created from a logged-in Carbon Black Cloud user account. The API ID and API Secret Key created here correspond to the "Read Credential Set" fields on the ActiveEye Carbon Black service connector edit page. Because the Access Level below includes Live Response and reputation-override permissions, the API Secret Key is a privileged credential: store it in a secrets manager, share it only over a channel suitable for secrets, and do not add permissions beyond the list.
- While logged in to the Carbon Black Cloud console as an administrator, select Settings > API Access from the left navigation.
- Near the top of the page, make note of the following for the setup:
- ORG KEY
- ORG ID
- Navigate to the Access Levels tab near the top of the page.
- Click on the "Add Access Level" button and fill in the following:
- Name: Something to identify it.
- Description: Optional information about the access level
- Copy permissions from: None
- Select the checkboxes for each of the following permissions:
- Alerts - General Information - org.alerts - READ
- Applications - Reputation - org.reputations - CREATE, READ, and DELETE
- Device - General information - device - READ
- Live Response - Live Response Session - org.liveresponse.session - CREATE, READ
- Live Response - Live Response File - org.liveresponse.file - READ, DELETE
- Search - Events - org.search.events - CREATE and READ
- Click on "Save".
- Navigate back to the API Keys tab near the top of the page.
- Click on the "Add API Key" button and fill in the following:
- Name: Something to identify it.
- Description: Optional information about the key.
- Access Level type: Select “Custom” from the list.
- Custom Access Level: Select the access level created above
- Click on "Save".
- Make note of the following for the setup:
- API ID
- API Secret Key
- Console URL: the URL used to reach your Carbon Black Cloud console and its API (e.g. https://defense-prod05.conferdeploy.net). It depends on the environment your organization is hosted in; use the following article to determine it: https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-URLs-are-used-to-access-the-API/ta-p/67346
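Before handing the values over, it is worth confirming that the key actually authenticates against the console URL and carries the READ permissions from the Access Level above. The script below is an added example, not part of the original page and not ActiveEye or Carbon Black code. It probes only the side-effect-free READ permissions (org.alerts and device) through the Carbon Black Cloud v6 Alerts and Devices search endpoints using the documented X-Auth-Token header (secret/id); the Live Response and reputation permissions are deliberately not exercised because they change state. The check names, the injectable transport used for offline testing and the sample values (ORG KEY ABCD1234, API ID ID456, secret SECRET123) are constructed for this example.

```python
"""Smoke test for a Carbon Black Cloud custom API key (added example).

Confirms that the API ID / API Secret Key collected above authenticate and
carry the READ permissions ActiveEye needs. Endpoints and the X-Auth-Token
format are Carbon Black Cloud's; check names, the fake transport and the
sample values are this example's own.
"""
import json
import urllib.error
import urllib.request

# Permission -> (endpoint path, minimal request body). Only side-effect-free
# READ permissions are probed: Live Response and reputation CREATE/DELETE are
# not exercised because they change state on endpoints or in the org.
READ_CHECKS = {
    "org.alerts READ": ("/appservices/v6/orgs/{org_key}/alerts/_search", {"criteria": {}, "rows": 1}),
    "device READ": ("/appservices/v6/orgs/{org_key}/devices/_search", {"rows": 1}),
}


def normalize_console_url(console_url):
    """Return the bare https origin (scheme + host) or raise ValueError.

    A console URL copied from the browser often carries a trailing slash or a
    path such as /#/dashboard; the API needs only the origin.
    """
    url = console_url.strip()
    if not url.startswith("https://"):
        raise ValueError("console URL must start with https://")
    host = url[len("https://"):].split("/", 1)[0]
    if not host or " " in host:
        raise ValueError("console URL has no host")
    return "https://" + host


def auth_headers(api_id, api_secret):
    """Carbon Black Cloud authenticates custom keys with X-Auth-Token: <secret>/<id>."""
    if not api_id or not api_secret:
        raise ValueError("API ID and API Secret Key must both be set")
    return {"X-Auth-Token": f"{api_secret}/{api_id}", "Content-Type": "application/json"}


def _https_post(url, headers, body):
    """Default transport: real HTTPS POST returning (status, body_text)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def smoke_test(console_url, org_key, api_id, api_secret, post=_https_post):
    """Probe each READ permission and return {check_name: verdict}.

    Verdicts: "ok" (HTTP 200), "unauthorized" (401: wrong ID/secret or wrong
    console URL), "forbidden" (403: key's Access Level lacks the permission),
    otherwise "http <status>". `post` is injectable so the logic can be run
    offline against a fake transport.
    """
    base = normalize_console_url(console_url)
    headers = auth_headers(api_id, api_secret)
    if not org_key or not org_key.strip():
        raise ValueError("ORG KEY is required")
    verdicts = {}
    for name, (path, body) in READ_CHECKS.items():
        status, _ = post(base + path.format(org_key=org_key.strip()), headers, body)
        verdicts[name] = {200: "ok", 401: "unauthorized", 403: "forbidden"}.get(status, f"http {status}")
    return verdicts


if __name__ == "__main__":
    import os
    # Read the collected values from the environment so the secret never lands in shell history.
    result = smoke_test(
        os.environ["CBC_CONSOLE_URL"], os.environ["CBC_ORG_KEY"],
        os.environ["CBC_API_ID"], os.environ["CBC_API_SECRET"],
    )
    for check, verdict in result.items():
        print(f"{check}: {verdict}")
```

A "forbidden" verdict means the Access Level is missing that permission; an "unauthorized" verdict on every check means the ID/secret pair or the console URL is wrong, which is the case to rule out before involving the service representative.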
Provide Information
The API ID, API Secret Key, ORG KEY, ORG ID and Console URL are now collected and are all that is needed to complete the setup and start log collection. Provide these values to your service representative, or use them yourself following the "Configuring a new Service Connector for log collection" guide. Send the API Secret Key only over a channel appropriate for a privileged credential.
Configuring the Data Forwarder
Once the connector is created, the Data Forwarder Bucket value is shown in the read-only Data Forwarder Bucket field on the ActiveEye Connector Account page. ActiveEye generates this value; it becomes the S3 Bucket Name in the forwarder configuration below. To configure the Data Forwarder:
- Click on Settings > Data Forwarders in the Carbon Black Cloud console
- Click on the Add Forwarder button in the upper, right-hand corner
- Name: ActiveEye Forwarder
- Type: Alert
- S3 Bucket Name: the Data Forwarder Bucket value that ActiveEye generated on the connector create form
- S3 Prefix: events (the prefix must be all lowercase)
- Schema: 2.0.0
- Ensure that the Set forwarder status toggle is On
- Click the Save button

[Screenshot: the read-only Data Forwarder Bucket field on the ActiveEye Connector Account page]
[Screenshot: Data Forwarder configuration screen in the Carbon Black Cloud console; the S3 Bucket Name comes from the connector create form in ActiveEye]