VMware Carbon Black Defense Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 3.6.0 |
| Support Tier | ThreatQ Supported |
Introduction
The ThreatQuotient for Carbon Black Defense Operation allows a ThreatQ user to query their Carbon Black Defense instance for any sensors/devices that have generated events containing an indicator.
The operation provides the following action:
- Query Sensor Events - retrieves sensor data from the Carbon Black Defense API.
The operation is compatible with Filename and SHA-256 indicator types.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter Description Carbon Black Defense API Host The Host or IP of your Carbon Black Defense instance. API Key Carbon Black Defense API Key. Do not include the Connector ID.
Connector ID The value will be appended to the API key for authentication. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following action:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Query Sensor Events | Retrieves sensor data from the Carbon Black Defense API. | Indicator | Filename, SHA-256 |
Usage
The following section covers the use of the ThreatQuotient for Carbon Black Defense Operation.
- Navigate to a suitable indicator found in ThreatQ that is to be scanned.
- Navigate to the Operations section on the left hand side.
A Carbon Black Defense entry will be available.
- Click the Carbon Black Defense entry to run the operation, you will be presented with a popup window asking for two further pieces of information.
- How far back do you want to search?: These are pre-set fields, set by Carbon Black Defense’s API. Select one.
- Max number of results to show: The Carbon Black Defense API may return a ton of results (> 1k), so this option is here to limit the number of events returned.
The total number of events found will show as a statistic, but the event details will not be pulled after the max number is reached.
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| VMware Carbon Black Defense Operation Guide v1.0.0 | 3.6.0or Greater |