VMware Carbon Black Cloud Monitoring

Updated Jan 17, 2024

Configure VMware Carbon Black Cloud for Arctic Wolf monitoring

You can configure VMware Carbon Black Cloud® to send the necessary logs to Arctic Wolf® for security monitoring.

Note: Arctic Wolf currently supports the Enterprise Endpoint Detection and Response (EDR) and Endpoint Standard products. We integrate with the Alerts API endpoint.

Steps

  1. Create a custom access level.
  2. Configure a new API key.
  3. Provide your VMware Carbon Black Cloud credentials to Arctic Wolf.

Step 1: Create a custom access level

  1. Sign in to the VMware Carbon Black Cloud UI console.

  2. In the navigation menu, click Settings > API Access.

  3. On the API ACCESS page, in the Access Levels tab, click Add Access Level.

  4. In the dialog, configure these settings:

    • Name — Enter a memorable name.

    • Description — Enter a description for the API key.

    • Permissions table — In the Alerts row, select READ for the General information permission.

      Note: This automatically selects Custom in the Copy permissions from list.

  5. Click Save.

Step 2: Configure a new API key

  1. In the navigation menu, click Settings > API Access.

  2. On the API ACCESS page, in the API Keys tab, click Add API Key.

  3. In the dialog, configure these settings:

    • Name — Enter a unique name for the API key. For example, Arctic Wolf API.

    • Access Level type — Select Custom.

    • Custom Access Level — Select the access level you created in Create a custom access level.

  4. Click Save.

  5. Copy the API ID and API Secret Key values, and then save them in a safe, encrypted location. You will provide them to Arctic Wolf later.

  6. On the API Keys tab, copy the ORG Key and ORG ID values, and then save them in a safe, encrypted location. You will provide them to Arctic Wolf later.

  7. In the URL of your VMware Carbon Black Cloud console, copy the hostname component of the base API URL for your environment, and then save it. For example, https://defense.conferdeploy.net. You will provide this to Arctic Wolf later.

    Tip: See Constructing your Request for more information.
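Before you hand the values over, you can confirm that the new key works and is limited to reading alerts. The following Python sketch is an added example, not Arctic Wolf or VMware code. It assumes the Alerts API v7 search path and the X-Auth-Token format (API Secret Key, a slash, then API ID) from VMware's public API documentation; check both against Constructing your Request. All function names are hypothetical.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: Alerts API v7 search path; verify in "Constructing your Request".
ALERTS_SEARCH = "/api/alerts/v7/orgs/{org_key}/alerts/_search"

def base_api_url(console_url):
    """Reduce a copied console URL to its hostname component (Step 2, item 7)."""
    parts = urlsplit(console_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// console URL")
    return "https://" + parts.hostname

def build_probe(console_url, org_key, api_id, api_secret):
    """Return (url, headers, body) for a one-row Alerts search. Nothing is sent."""
    for name, value in (("org_key", org_key), ("api_id", api_id), ("api_secret", api_secret)):
        # Pasted whitespace or a "/" would corrupt the path or the secret/id token.
        if not value or any(ch.isspace() or ch == "/" for ch in value):
            raise ValueError(name + " is empty or contains whitespace or '/'")
    url = base_api_url(console_url) + ALERTS_SEARCH.format(org_key=org_key)
    headers = {"X-Auth-Token": api_secret + "/" + api_id, "Content-Type": "application/json"}
    return url, headers, json.dumps({"rows": 1}).encode()

def redact(headers):
    """Copy of the headers that is safe to log: the token value is masked."""
    return {k: ("<redacted>" if k == "X-Auth-Token" else v) for k, v in headers.items()}

def interpret(status):
    """Map an HTTP status to the likely cause (standard HTTP semantics, assumed here)."""
    known = {
        200: "ok: key can read alerts",
        401: "rejected: check API ID, API Secret Key and base URL",
        403: "forbidden: access level lacks Alerts READ",
    }
    return known.get(status, "unexpected status %d" % status)

def run_probe(console_url, org_key, api_id, api_secret):
    """Send the probe (needs network access) and return the interpretation."""
    url, headers, body = build_probe(console_url, org_key, api_id, api_secret)
    request = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(request, timeout=15) as response:
            return interpret(response.status)
    except urllib.error.HTTPError as err:
        return interpret(err.code)
```

Call run_probe with your own four values from a workstation that can reach the console, and log only redact(headers), never the raw header.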

Step 3: Provide your VMware Carbon Black Cloud credentials to Arctic Wolf

Note: If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage. For more information, see MDR polling frequency.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the list of cloud services, select VMware Carbon Black Cloud.

  6. On the Add Account page, configure these settings:

  7. Click Test and submit credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.