Providing Carbon Black Credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to retrieve the credentials that Arctic Wolf® needs to monitor security information using the APIs that Carbon Black provides. After you complete this configuration, Arctic Wolf can monitor logs from your Carbon Black environment.

Note: We currently support the Enterprise Endpoint Detection and Response (EDR) and Endpoint Standard products. We integrate with the Alerts API endpoint.

As part of this configuration, you must provide the following information to Arctic Wolf using the Arctic Wolf Portal:

Creating a custom access level

To create a custom access level:

  1. Sign in to the Carbon Black UI console.

  2. From the navigation pane, select Settings > API Access. This opens the API ACCESS page.

  3. Select the Access Levels tab, and then select Add Access Level.

  4. In the dialog box:

    1. Enter a memorable name in the Name text box.

    2. Enter a description for the API key in the Description text box.

    3. In the permissions table, select READ in the Alerts row for the General information permission.

      Note: This automatically selects Custom in the Copy permissions from list.

    4. Click Save.

Configuring a new API key

To configure a new API key:

  1. If you have not already done so, from the navigation pane, select Settings > API Access. This opens the API ACCESS page.

  2. Select the API Keys tab, and then select Add API Key.

  3. In the dialog box:

    1. Enter a unique name for the API Key in the Name text box, such as Arctic Wolf API.

    2. In the Access Level type menu, select Custom.

    3. In the Custom Access Level menu, select the Access Level that you created in Creating a custom access level.

    4. Click Save.

  4. From the prompt, copy the API ID and API Secret Key values to a temporary text file. You will provide these to Arctic Wolf when Providing credentials to Arctic Wolf.

  5. Back in the API Keys tab, find the ORG Key and ORG ID values, and copy them to a temporary text file. You will provide these to Arctic Wolf when Providing credentials to Arctic Wolf.

  6. Follow the instructions on the Carbon Black website to obtain the base URL for the API to run API calls.

    This is the API Hostname, which looks similar to https://defense.conferdeploy.net. You will provide this to Arctic Wolf when Providing credentials to Arctic Wolf.
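Before handing the key to Arctic Wolf, it is worth confirming that it authenticates and that the custom access level grants READ on Alerts and nothing more. The following Python check is an added example, not part of this guide or of Carbon Black's own documentation; it assumes the Carbon Black Cloud Alerts API v7 search endpoint and the `X-Auth-Token: <API Secret Key>/<API ID>` header format, and all credential values shown are placeholders.

```python
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed Alerts API v7 search path (assumption; check Carbon Black's API reference).
ALERTS_SEARCH = "{host}/api/alerts/v7/orgs/{org_key}/alerts/_search"


def build_alert_search(api_hostname, org_key, api_id, api_secret, minutes_back=60, rows=10):
    """Return (url, headers, body) for a read-only Alerts search over the last N minutes."""
    host = api_hostname.rstrip("/")
    if not host.startswith("https://"):
        raise ValueError("API Hostname must be an https:// URL, e.g. https://defense.conferdeploy.net")
    end = datetime.now(timezone.utc).replace(microsecond=0)
    start = end - timedelta(minutes=minutes_back)
    url = ALERTS_SEARCH.format(host=host, org_key=org_key)
    headers = {
        # Assumed token format: secret key and API ID joined by a slash.
        "X-Auth-Token": f"{api_secret}/{api_id}",
        "Content-Type": "application/json",
    }
    body = {
        "time_range": {
            "start": start.isoformat().replace("+00:00", "Z"),
            "end": end.isoformat().replace("+00:00", "Z"),
        },
        "rows": rows,
        "start": 1,
    }
    return url, headers, body


def check_credentials(api_hostname, org_key, api_id, api_secret):
    """POST the search and return (http_status, num_found).

    200 confirms the key works with Alerts READ; 401/403 means the key or
    its access level is wrong and should be fixed before submitting it.
    """
    url, headers, body = build_alert_search(api_hostname, org_key, api_id, api_secret)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp).get("num_found", 0)
    except urllib.error.HTTPError as exc:
        return exc.code, 0


if __name__ == "__main__":
    # Placeholder values; replace with the ones copied from the API Keys tab.
    print(check_credentials("https://defense.conferdeploy.net", "ORGKEY", "APIID", "APISECRET"))
```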

Providing credentials to Arctic Wolf

To provide your credentials to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Carbon Black from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Copy and paste these values that you created in Configuring a new API key:

      • Org ID

      • Org Key

      • API ID

      • API Secret Key

      • API Hostname

  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team (CST) provisions security monitoring for your cloud environment, the status of these credentials changes to Connected.

All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.