Overview

Carbon Black products provide critical raw OS-level telemetry from hosts (endpoints or servers). This telemetry includes process creation events, network connection events, DNS requests, file events, and much more.

Since most attacks on organizations involve activity on at least some of the organization's hosts, this telemetry allows Hunters to extract meaningful and important threat signals from the huge volume of OS-level data, detect malicious or suspicious behaviors, and then correlate them with further data sources.

Additionally, Hunters' integration with the Carbon Black API allows fetching the list of, and information about, all devices enrolled in Carbon Black (which enables further enrichment of threat signals with contextual information, e.g. OS type and version, and usernames), as well as the alerts Carbon Black's products generate. This allows us to incorporate those alerts as strong threat signals, which are then automatically investigated and correlated with other Hunters-proprietary threat signals to conclude whether they were truly indicative of real attacks or not.

Supported data types

  • Alerts: All the alerts from the Carbon Black EDR solution.

  • Devices: Carbon Black enrollment data, encapsulating the status and details of the devices in your organization.

  • Events: EDR events via the S3 Data Forwarder. Please contact the Hunters staff to help you ingest this data into the platform.

Sending data to Hunters

Prerequisites

Carbon Black Cloud APIs and Services use API Keys for authentication and access control. That means that in order to grant Hunters permissions to access the data in your Carbon Black deployment, you must supply Hunters with an API key.

Carbon Black Cloud Platform API

  1. Access the Carbon Black website.

  2. Navigate to Settings > API Access. Note your ORG KEY (at the top-left corner), and then click on the Access Levels tab at the top of the page.

  3. In the Access Levels tab, click on the Add Access Level button, assign an indicative name for the access level (e.g., HuntersAccess), and check the READ checkbox for the Alerts (Notes and General Information), Device (General Information), and Search (Events) categories. This is required for the Alerts and Devices integration.

  4. In order to send the raw event data to Hunters, the key also needs the CREATE, READ, UPDATE, and DELETE permissions required to create a Data Forwarder.

  5. Click Save, then go back to the API Keys tab and click the Add API Key button.

  6. Give the API Key an indicative name (e.g., Hunters API Access) and, under Access Level type, select Custom. A new dropdown box called Custom Access Level will then appear; pick the previously created custom Access Level (e.g., HuntersAccess).

  7. Click Save, and you will be provided with your API Key credentials: the API Secret Key and the API ID.

Continue to the next section to read how to fill out the data flow wizard.

Creating a Dataflow

  1. Find and choose Carbon-Black

  2. Insert all properties according to the following steps in the guide:

  3. For the host option, use your Carbon Black Console Address. Please verify you use one of the following addresses:

    1. defense-eap01.conferdeploy.net

    2. dashboard.confer.net

    3. defense.conferdeploy.net

    4. defense-prod05.conferdeploy.net

    5. defense-eu.conferdeploy.net

    6. defense-prodnrt.conferdeploy.net

  4. Paste the API Secret Key and API ID into the Auth Token field in the following format:
    {API Secret Key}/{API ID}

  5. Insert the ORG Key into the ORG key field.

Note: Using the Cloud Platform APIs requires you to create an API Key separate from the one used by the old Devices and Events API. Please follow the documentation carefully and consult with the Hunters team if you encounter any problems or difficulties.
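Before handing the credentials over, it is worth confirming that the host, Auth Token and ORG Key are well-formed and that the new API Key actually carries the Device READ permission granted in the Access Level. The following script is an added example, not code from Hunters or Carbon Black. It assumes that the Carbon Black Cloud REST API authenticates with an `X-Auth-Token` header whose value is `{API Secret Key}/{API ID}` (the same format the wizard's Auth Token field expects), and that the Devices API accepts a POST at `/appservices/v6/orgs/{org_key}/devices/_search` and answers with a JSON body containing a `num_found` field; the environment variable names and placeholder values are constructed for the example.

```python
"""Pre-flight check for the values entered into the Hunters Carbon Black
dataflow wizard: console host, Auth Token and ORG Key.

Added example, not code from Hunters or Carbon Black. Assumptions: the Carbon
Black Cloud REST API authenticates with an X-Auth-Token header whose value is
"{API Secret Key}/{API ID}", and the Devices API accepts a POST at
/appservices/v6/orgs/{org_key}/devices/_search returning JSON with "num_found".
"""
import json
import os
import urllib.error
import urllib.request

# Console addresses accepted by the wizard (the list from the guide above).
SUPPORTED_HOSTS = frozenset({
    "defense-eap01.conferdeploy.net",
    "dashboard.confer.net",
    "defense.conferdeploy.net",
    "defense-prod05.conferdeploy.net",
    "defense-eu.conferdeploy.net",
    "defense-prodnrt.conferdeploy.net",
})


def normalize_host(host: str) -> str:
    """Reduce a pasted console URL such as 'https://defense.conferdeploy.net/'
    to the bare hostname the wizard expects."""
    host = host.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0]


def build_auth_token(api_secret_key: str, api_id: str) -> str:
    """Return the Auth Token in the '{API Secret Key}/{API ID}' format.
    Neither part may contain '/', otherwise the token cannot be split back."""
    if not api_secret_key or not api_id:
        raise ValueError("both the API Secret Key and the API ID are required")
    if "/" in api_secret_key or "/" in api_id:
        raise ValueError("API Secret Key and API ID must not contain '/'")
    return f"{api_secret_key}/{api_id}"


def validate_dataflow_config(host: str, auth_token: str, org_key: str) -> list:
    """Offline sanity check of the three wizard fields.
    Returns a list of problem descriptions; an empty list means the values are
    well-formed (it does not prove the key is valid, see check_devices_read)."""
    problems = []
    if normalize_host(host) not in SUPPORTED_HOSTS:
        problems.append(f"unsupported host: {host}")
    parts = auth_token.split("/")
    if len(parts) != 2 or not all(parts):
        problems.append("auth token must be '{API Secret Key}/{API ID}'")
    if not org_key.strip():
        problems.append("ORG key is empty")
    return problems


def check_devices_read(host: str, auth_token: str, org_key: str, timeout: int = 10):
    """Make a single read-only Devices API call with the key (assumed endpoint).
    Returns (http_status, num_found). 200 means the key works and has Device
    READ; 401 means the token was rejected; 403 usually means the custom
    Access Level is missing the Device READ permission."""
    url = f"https://{normalize_host(host)}/appservices/v6/orgs/{org_key}/devices/_search"
    body = json.dumps({"criteria": {}, "rows": 1, "start": 0}).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"X-Auth-Token": auth_token, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp).get("num_found", 0)
    except urllib.error.HTTPError as err:
        return err.code, 0


if __name__ == "__main__":
    # Real values come from the environment; the defaults are constructed placeholders.
    host = os.environ.get("CBC_HOST", "defense.conferdeploy.net")
    token = build_auth_token(
        os.environ.get("CBC_API_SECRET_KEY", "PLACEHOLDER_SECRET"),
        os.environ.get("CBC_API_ID", "PLACEHOLDER_ID"),
    )
    org = os.environ.get("CBC_ORG_KEY", "PLACEHOLDER_ORG")
    for problem in validate_dataflow_config(host, token, org):
        print("config problem:", problem)
    status, found = check_devices_read(host, token, org)
    print(f"Devices API returned HTTP {status}; devices visible: {found}")
```

Run it once with the real values exported in the environment: an HTTP 200 confirms the key and ORG Key are usable for the Devices integration with only the read permission the guide asks for, while a 401 or 403 points at the API Key or the Access Level, respectively, before the Hunters team has to debug the dataflow.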