Cyware Threat Intelligence eXchange

VMware Carbon Black

Connector Category: Endpoint Detection Response

About VMware Carbon Black

VMware Carbon Black Cloud is a cloud-native endpoint, workload, and container protection platform. The platform collects malicious data into reports that you can add to a watchlist for further investigation on the endpoints of configured machines. VMware Carbon Black integrates with Intel Exchange (CTIX) as an internal application. The integration provides an action that adds indicators of compromise (IOCs) identified and analyzed on Intel Exchange to the watchlist reports on the VMware Carbon Black platform.

The VMware Carbon Black internal application in Intel Exchange supports the following actions:

  • Action Name: Update Report with IOCs

    Description: This action adds IOCs retrieved from Intel Exchange to the watchlist reports of the VMware Carbon Black platform.

To configure VMware Carbon Black as an internal application, follow these steps:

Configure Carbon Black as an Internal Application

Configure the VMware Carbon Black internal application to update reports with IOCs from Intel Exchange.

Before you Start 

  • You must have the base URL, API ID, API key, and ORG key of your VMware Carbon Black Cloud account.

  • You must have the view and update tool integration permissions in Intel Exchange.

Steps 

To configure the VMware Carbon Black internal application, follow these steps:

  1. Go to Administration > Integration Management > Tool Integrations > Internal Applications > Endpoint Detection Response.

  2. Search and select the Carbon Black application.

  3. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique instance name to identify the instance. For example, prod_carbonblack.

    • Base URL: Enter the base URL of your VMware Carbon Black Cloud instance. For example, https://defense.conferdeploy.net.

    • API ID: Enter the API ID for your VMware Carbon Black Cloud account.

    • API Key: Enter the API key of your VMware Carbon Black Cloud account.

    • ORG Key: Enter the unique identifier of an organization in the VMware Carbon Black Cloud platform. For example, ABCD1234.

    • Verify SSL: Select this option to verify the SSL certificate and secure the connection between the Intel Exchange and VMware Carbon Black Cloud servers. By default, Verify SSL is selected.

      Note

      We recommend that you select Verify SSL. If you disable this option, Intel Exchange may configure an instance against a server whose SSL certificate has expired. The connection may then not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.

  4. Click Save.

The instance is configured and you can view the actions provided by the VMware Carbon Black platform. You can configure multiple instances of this integration by clicking Manage > Add More.
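Before entering the instance details, you can check them offline. The following is an added example, not part of the Cyware or VMware documentation: it checks the Base URL, API ID, API Key, ORG Key, and Verify SSL values, shows the TLS settings that the Verify SSL option corresponds to, and builds a read-only watchlist request. The function names, the Watchlist API path, and the `X-Auth-Token` format are assumptions that do not appear on this page.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

def lint_instance(cfg):
    """Return a list of problems with the instance values (empty list = OK)."""
    problems = []
    url = urlsplit(cfg.get("base_url", ""))
    if url.scheme != "https":
        problems.append("base_url must use https")
    if not url.hostname:
        problems.append("base_url has no host")
    if url.username or url.password:
        problems.append("base_url must not embed credentials")
    if url.path not in ("", "/") or url.query or url.fragment:
        problems.append("base_url must be the bare origin")
    for key in ("api_id", "api_key", "org_key"):
        value = cfg.get(key, "")
        if not value or value != value.strip():
            problems.append(f"{key} is empty or has stray whitespace")
    if not cfg.get("verify_ssl", True):
        problems.append("verify_ssl is off: certificate is not validated")
    return problems

def tls_context(verify_ssl=True):
    """TLS settings matching the Verify SSL checkbox."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check
    if not verify_ssl:                   # expired or mismatched certs pass silently
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def watchlist_probe(cfg):
    """Build a read-only request that exercises all four account values.
    Assumption: Watchlist API path and X-Auth-Token format (not from this page)."""
    url = (f"{cfg['base_url'].rstrip('/')}/threathunter/watchlistmgr/v3"
           f"/orgs/{cfg['org_key']}/watchlists")
    token = f"{cfg['api_key']}/{cfg['api_id']}"
    return urllib.request.Request(url, headers={"X-Auth-Token": token})

# Constructed sample values; the key and ID are placeholders, not real secrets.
SAMPLE = {"base_url": "https://defense.conferdeploy.net", "api_id": "EXAMPLEID",
          "api_key": "EXAMPLEKEY", "org_key": "ABCD1234", "verify_ssl": True}

if __name__ == "__main__":
    print(lint_instance(SAMPLE) or "config looks sane")
    req = watchlist_probe(SAMPLE)
    print(req.get_method(), req.full_url)
    # To test connectivity with real values:
    # urllib.request.urlopen(req, context=tls_context(SAMPLE["verify_ssl"]), timeout=10)
```

With verification left on, an expired or mismatched certificate makes the `urlopen` call raise `ssl.SSLCertVerificationError`, so the problem surfaces before the instance is saved.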

Enable App Actions

After configuring the VMware Carbon Black application on Intel Exchange, enable the actions to update reports with IOCs on the VMware Carbon Black Cloud platform.

To enable an action of the VMware Carbon Black internal application, follow these steps:

  1. Go to Administration > Integration Management > Tool Integrations > Internal Applications > Endpoint Detection Response.

  2. Search and select the Carbon Black application.

  3. On the upper-right, click the vertical ellipsis and click Manage.

  4. Click Manage Actions.

  5. Select an action and turn on the toggle to enable the action.

  6. Click Save.

The action is enabled and is now ready to use.

Create a Rule to Update Reports on VMware Carbon Black

Create a rule to retrieve a list of IOCs from specific collections of the Intel Exchange platform and update a specific report in a watchlist on the VMware Carbon Black Cloud platform.

Before you Start 

You must have the View Rules, Create Rules, and Update Rules permissions.

Steps 

To create a rule to upload indicators to the VMware Carbon Black Cloud platform, do the following:

  1. Go to Main Menu > Actions > Rules.

  2. Click New Rule.

  3. Enter a rule name within 100 characters and click Submit.

  4. In Source, select the source and collection from which you want to upload indicators.

  5. In Condition, enter the following details:

    • Intent Type: Select the intent type as Indicator.

    • Rule Type: Select a rule type to apply specific conditions.

  6. In Actions, enter the following details:

    • Actions: Select Update Report with IOCs.

    • Application: Select Carbon Black.

    • Account: Select a VMware Carbon Black instance you have configured.

    • Select Watchlist: Select a watchlist of the configured instance to retrieve reports.

    • Select Report: Select a report of the selected watchlist to update.

  7. Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.

  8. Click Save.

The rule is created and the selected report on VMware Carbon Black will be updated based on the configured sources and conditions when you run the rule.