Overview

Carbon Black products provide critical raw OS-level telemetry from hosts (endpoints or servers). This telemetry includes process creation events, network connection events, DNS requests, file events, and much more.

Because most attacks on an organization involve activity on some of its hosts, this telemetry allows Hunters to extract meaningful and important threat signals from the huge volume of OS-level events, detect malicious or suspicious behavior, and then correlate those signals with further data sources.

Additionally, Hunters’ integration with the Carbon Black API allows fetching the list of, and details about, all devices running Carbon Black, which enables further enrichment of threat signals with contextual information (e.g. OS type and version, and usernames). The integration also fetches the alerts Carbon Black's products generate, which Hunters incorporates as strong threat signals; these are then automatically investigated and correlated with other Hunters-proprietary threat signals to conclude whether the alerts were truly indicative of real attacks.

Supported data types

  • Alerts: All the alerts from the Carbon Black EDR solution.

  • Devices: Carbon Black enrollment data, encapsulating the status and details of the devices in your organization.

  • Events: EDR events via the S3 Event Forwarder. Please contact the Hunters staff to help you ingest this data into the platform.

Sending data to Hunters

Prerequisites

Carbon Black Cloud APIs and Services use API Keys for authentication and access control. That means that in order to grant Hunters permission to access the data in your Carbon Black deployment, you must supply Hunters with an API key.

Carbon Black Cloud Platform API

  1. Access the Carbon Black website.

  2. Navigate to Settings > API Access.

  3. Note your ORG KEY (at the top-left corner), and then click on the Access Levels tab at the top of the page.

  4. In the Access Levels tab, click the Add Access Level button, name it HuntersAlerts, and check the READ checkbox for the Alerts and Devices categories.

  5. Go back to the API Keys tab, and click the Add API Key button.

  6. Give the API Key the name HuntersAlertsKey and select Custom for Access Level Type. When you do, a new dropdown box called Custom Access Level will appear; pick the HuntersAlerts option.

  7. Hit Save, and you will be provided with your API Key credentials: the API Secret Key and the API ID.

  8. Continue to the next section to read how to fill out the data flow wizard.

Creating a Dataflow

  1. Choose Carbon Black in the Product box.

  2. For the host option, use your Carbon Black Console Address. Verify that you use one of the following addresses:

    1. defense-eap01.conferdeploy.net

    2. dashboard.confer.net

    3. defense.conferdeploy.net

    4. defense-prod05.conferdeploy.net

    5. defense-eu.conferdeploy.net

    6. defense-prodnrt.conferdeploy.net

  3. Paste the API Secret Key and API ID into the wizard in the following format:
    {API Secret Key}/{API ID}

  4. For each data type, enter your ORG_KEY into the appropriate box in the wizard (it should be the same for all data types).

Note: Using the Cloud Platform APIs requires you to create an API Key separate from the one used for the old Devices and Events API. Please follow the documentation carefully and consult the Hunters team if you encounter any problems or difficulty.
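The following is an added pre-flight check for the values entered in the wizard above; it is example code, not Hunters' or Carbon Black's own, and it assumes the Carbon Black Cloud convention of sending the combined key in an `X-Auth-Token` header to the org-scoped `alerts/_search` endpoint (neither is stated on this page). It validates the console address against the list above, splits the `{API Secret Key}/{API ID}` string, and keeps the secret out of `repr()` output so it is not leaked into logs.

```python
"""Pre-flight check for the Carbon Black Cloud values entered in the Hunters dataflow wizard."""
from dataclasses import dataclass, field

# Console addresses this page lists as valid values for the wizard's host option.
ALLOWED_HOSTS = frozenset({
    "defense-eap01.conferdeploy.net",
    "dashboard.confer.net",
    "defense.conferdeploy.net",
    "defense-prod05.conferdeploy.net",
    "defense-eu.conferdeploy.net",
    "defense-prodnrt.conferdeploy.net",
})


@dataclass(frozen=True)
class CbcCredentials:
    host: str
    api_id: str
    org_key: str
    # repr=False keeps the secret out of logs and tracebacks that print this object.
    api_secret_key: str = field(repr=False)


def parse_wizard_inputs(host: str, api_key_field: str, org_key: str) -> CbcCredentials:
    """Validate the three wizard inputs; api_key_field must be '{API Secret Key}/{API ID}'.

    Error messages deliberately never echo the secret back to the caller.
    """
    host = host.strip().lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unsupported Carbon Black console address: {host!r}")
    secret, sep, api_id = api_key_field.strip().rpartition("/")
    if not sep or not secret or not api_id or any(c.isspace() for c in secret + api_id):
        raise ValueError("API key must be entered exactly as '{API Secret Key}/{API ID}'")
    org_key = org_key.strip()
    if not org_key:
        raise ValueError("ORG KEY is required (use the same value for every data type)")
    return CbcCredentials(host=host, api_id=api_id, org_key=org_key, api_secret_key=secret)


def alerts_search_request(creds: CbcCredentials) -> tuple[str, dict[str, str]]:
    """Build the request the combined key is used for.

    Assumption (not from this page): Carbon Black Cloud expects '{secret}/{id}'
    in the X-Auth-Token header, and alerts are searched under /appservices/v6/orgs/{org_key}.
    """
    url = f"https://{creds.host}/appservices/v6/orgs/{creds.org_key}/alerts/_search"
    headers = {
        "X-Auth-Token": f"{creds.api_secret_key}/{creds.api_id}",
        "Content-Type": "application/json",
    }
    return url, headers
```

Run `parse_wizard_inputs` on the three wizard values before saving the dataflow; a `ValueError` means the key string or host would be rejected, without the secret ever being written to output.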