VMware Carbon Black Cloud Monitoring
Updated Sep 27, 2023
Configure VMware Carbon Black Cloud monitoring
This document describes how to retrieve the credentials that Arctic Wolf® needs to monitor security information using the APIs that VMware Carbon Black Cloud® provides. After you complete this configuration, Arctic Wolf can monitor logs from your VMware Carbon Black Cloud environment.
Note: We currently support the Enterprise Endpoint Detection and Response (EDR) and Endpoint Standard products. We integrate with the Alerts API endpoint.
As part of this configuration, you must provide the following information to Arctic Wolf using the Arctic Wolf Portal:
- ORG Key
- ORG ID
- API ID
- API Secret Key
- API Hostname
Create a custom access level
- Sign in to the VMware Carbon Black Cloud UI console.
- From the navigation pane, click Settings > API Access.
- On the API ACCESS page, click the Access Levels tab.
- Click Add Access Level.
- In the dialog, do the following:
  - In the Name field, enter a memorable name.
  - In the Description field, enter a description for the API key.
  - In the permissions table, in the Alerts row, select READ for the General information permission.
    Note: This automatically selects Custom in the Copy permissions from list.
  - Click Save.
- Proceed to Configure a new API key.
Configure a new API key
- In the navigation pane, click Settings > API Access.
- On the API ACCESS page, click the API Keys tab.
- Click Add API Key.
- In the dialog, do the following:
  - In the Name field, enter a unique name for the API Key, such as Arctic Wolf API.
  - In the Access Level type list, select Custom.
  - In the Custom Access Level list, select the Access Level that you created in Create a custom access level.
  - Click Save.
- From the prompt, copy the API ID and API Secret Key values to a temporary text file. You will provide these values to Arctic Wolf when you Provide credentials to Arctic Wolf.
- In the API Keys tab, find the ORG Key and ORG ID values, and then copy them to a temporary text file. You will provide these values to Arctic Wolf when you Provide credentials to Arctic Wolf.
- Look at the web address of your VMware Carbon Black Cloud console to obtain the hostname component of the base API URL for your environment. The hostname looks similar to https://defense.conferdeploy.net. You will provide this to Arctic Wolf when you Provide credentials to Arctic Wolf.
  Tip: For more information on the components of a base API URL, see Constructing your Request in the VMware Carbon Black Cloud documentation for base URLs.
- Proceed to Provide credentials to Arctic Wolf.
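An optional pre-submission check, added here as an example and not part of the Arctic Wolf or VMware documentation: it extracts the API hostname from the console web address and builds a one-row Alerts search request, so you can confirm that the new key and custom access level work before you paste the values into the portal. The `/api/alerts/v7/...` path, the `X-Auth-Token` format (secret key, then API ID), the alphanumeric ORG Key check, and all function names are assumptions based on the public Carbon Black Cloud API, not taken from this page.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def api_hostname(console_url: str) -> str:
    """Return the hostname component of the console web address."""
    text = console_url.strip()
    parts = urlsplit(text if "://" in text else "https://" + text)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https console address")
    if parts.username or parts.password:
        raise ValueError("console address must not embed credentials")
    return parts.hostname


def build_alert_probe(console_url, org_key, api_id, api_secret):
    """Build (but do not send) a one-row Alerts search request."""
    for name, value in (("ORG Key", org_key), ("API ID", api_id),
                        ("API Secret Key", api_secret)):
        # An empty field or stray whitespace is the usual copy/paste failure.
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"{name} is empty or contains whitespace")
    # Assumption: ORG Keys are alphanumeric; reject anything else before
    # the value is placed into the URL path.
    if not org_key.isalnum():
        raise ValueError("ORG Key must be alphanumeric")
    url = (f"https://{api_hostname(console_url)}"
           f"/api/alerts/v7/orgs/{org_key}/alerts/_search")  # assumed path
    return urllib.request.Request(
        url,
        data=json.dumps({"rows": 1}).encode(),
        method="POST",
        headers={
            # Assumed header format: secret key first, then API ID.
            "X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json",
        },
    )


def probe(request, timeout=10):
    """Send the request and return the HTTP status code."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

A 200 from `probe()` means the key can read alerts; a 401 or 403 points at a mistyped key, the wrong hostname for your org, or an access level without Alerts READ.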
Provide credentials to Arctic Wolf
Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.
- Sign in to the Arctic Wolf Unified Portal.
- In the menu bar, click Telemetry Management > Connected Accounts.
- Click Add Account +.
- On the Add Account page, from the Account Type list, select Cloud Detection and Response.
- From the list of cloud services, select VMware Carbon Black Cloud.
- On the Add Account page, complete these steps:
  - Account Name — Enter a unique and descriptive name for the account.
  - For each of these fields, paste the appropriate value from Configure a new API key:
    - Org ID
    - Org Key
    - API ID
    - API Secret Key
    - API Hostname
  - Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
- Click Test and Submit Credentials.
After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
MDR polling frequency
Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.