Providing Carbon Black Credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to retrieve the credentials that Arctic Wolf® needs to monitor security information using the APIs that Carbon Black provides. After you complete this configuration, Arctic Wolf can monitor logs from your Carbon Black environment.

Note: We currently support the Enterprise Endpoint Detection and Response (EDR) and Endpoint Standard products. We integrate with the Alerts API endpoint.

As part of this configuration, you must provide the following information to Arctic Wolf using the Arctic Wolf Portal: the Org ID, Org Key, API ID, API Secret Key, and API Hostname for your Carbon Black environment.

Creating a custom access level

To create a custom access level:

  1. Sign in to the Carbon Black UI console.

  2. From the navigation pane, select Settings > API Access. This opens the API ACCESS page.

  3. Select the Access Levels tab, and then select Add Access Level.

  4. In the dialog box:

    1. Enter a memorable name in the Name text box.

    2. Enter a description for the API key in the Description text box.

    3. In the permissions table, select READ in the Alerts row for the General information permission.

      Note: This automatically selects Custom in the Copy permissions from list.

    4. Click Save.

  5. Proceed to Configuring a new API key.

Configuring a new API key

To configure a new API key:

  1. If you have not already done so, from the navigation pane, select Settings > API Access. This opens the API ACCESS page.

  2. Select the API Keys tab, and then select Add API Key.

  3. In the dialog box:

    1. Enter a unique name for the API Key in the Name text box, such as Arctic Wolf API.

    2. In the Access Level type menu, select Custom.

    3. In the Custom Access Level menu, select the Access Level that you created in Creating a custom access level.

    4. Click Save.

  4. From the prompt, copy the API ID and API Secret Key values to a temporary text file. You will provide these to Arctic Wolf when Providing credentials to Arctic Wolf.

  5. Back in the API Keys tab, find the ORG Key and ORG ID values, and copy them to a temporary text file. You will provide these to Arctic Wolf when Providing credentials to Arctic Wolf.

  6. Look at the web address of your Carbon Black Cloud console to obtain the hostname component of the base API URL for your environment. The hostname looks similar to https://defense.conferdeploy.net. You will provide this to Arctic Wolf when Providing credentials to Arctic Wolf.

    Tip: For more information on the components of a base API URL, see Constructing your Request in the Carbon Black documentation for base URLs.

  7. Proceed to Providing credentials to Arctic Wolf.
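Before handing the five values to Arctic Wolf, it is worth confirming that the key you just created is complete and is scoped the way the custom access level intends. The following script is an added example, not Arctic Wolf's or Carbon Black's code: it checks that every value is present, derives the hostname from the console address, and performs a single read-only alert search. The `X-Auth-Token` header format (`<API Secret Key>/<API ID>`) and the Alerts v7 search path are written from my understanding of the Carbon Black Cloud API and should be checked against the Constructing your Request documentation the Tip above refers to; the field names and the `send` hook are this example's own.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# The five values the guide tells you to collect (field names are this example's own).
REQUIRED_FIELDS = ("org_id", "org_key", "api_id", "api_secret_key", "api_hostname")


def missing_fields(creds):
    """Return the names of required values that are absent or blank."""
    return [f for f in REQUIRED_FIELDS if not str(creds.get(f, "")).strip()]


def normalize_hostname(value):
    """Accept either a console address (https://defense.conferdeploy.net/...) or a
    bare hostname and return only the hostname component the base API URL needs."""
    value = value.strip()
    host = urlparse(value).netloc if "://" in value else value.split("/")[0]
    if not host or " " in host:
        raise ValueError(f"not a usable API hostname: {value!r}")
    return host.lower()


def build_alert_search_request(creds, time_range="-1h"):
    """Build (url, headers, body) for a minimal Alerts v7 search.
    Assumption: path and X-Auth-Token format as documented for Carbon Black Cloud."""
    host = normalize_hostname(creds["api_hostname"])
    url = f"https://{host}/api/alerts/v7/orgs/{creds['org_key']}/alerts/_search"
    headers = {
        "X-Auth-Token": f"{creds['api_secret_key']}/{creds['api_id']}",
        "Content-Type": "application/json",
    }
    # One row from the last hour is enough to prove the key can read alerts.
    body = {"time_range": {"range": time_range}, "criteria": {}, "start": 1, "rows": 1}
    return url, headers, body


def interpret_status(status):
    """Map the HTTP status of the search call to a plain-language verdict."""
    if status == 200:
        return "ok: key can read alerts"
    if status == 401:
        return "unauthorized: API ID / API Secret Key rejected (check for copy errors)"
    if status == 403:
        return "forbidden: access level lacks Alerts > General information READ"
    if status == 404:
        return "not found: check the API hostname and ORG Key"
    return f"unexpected HTTP status {status}"


def _urllib_send(url, headers, body):
    """Default sender: perform the real POST and return the HTTP status code."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_credentials(creds, send=None):
    """Validate the credential set, then make one read-only alert search.
    `send(url, headers, body)` must return an HTTP status; defaults to urllib."""
    missing = missing_fields(creds)
    if missing:
        return {"ok": False, "verdict": "missing values: " + ", ".join(missing)}
    url, headers, body = build_alert_search_request(creds)
    status = (send or _urllib_send)(url, headers, body)
    return {"ok": status == 200, "verdict": interpret_status(status)}


if __name__ == "__main__":
    # Constructed placeholder values; replace them with the ones copied from the console
    # and drop the stub sender to run the real check.
    sample = {
        "org_id": "ORG_ID_PLACEHOLDER",
        "org_key": "ORG_KEY_PLACEHOLDER",
        "api_id": "API_ID_PLACEHOLDER",
        "api_secret_key": "API_SECRET_KEY_PLACEHOLDER",
        "api_hostname": "https://defense.conferdeploy.net",
    }
    print(check_credentials(sample, send=lambda url, headers, body: 403))
```

A 403 from this call is the useful signal: it means the key authenticates but the custom access level does not grant READ on the Alerts row, so Arctic Wolf's polling would fail for the same reason. Delete the temporary text file once the values have been submitted through the portal.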

Providing credentials to Arctic Wolf

To provide your credentials to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Carbon Black from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Copy and paste these values that you created in Configuring a new API key:

      • Org ID

      • Org Key

      • API ID

      • API Secret Key

      • API Hostname

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example, due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.