Configure Carbon Black Cloud for Arctic Wolf monitoring

You can configure Carbon Black Cloud® to send the necessary logs to Arctic Wolf® for security monitoring.

Note: Arctic Wolf currently supports the Enterprise Endpoint Detection and Response (EDR) and Endpoint Standard products. We integrate with the Alerts API endpoint.

Create a custom access level

  1. Sign in to the Carbon Black Cloud UI console.
  2. In the navigation menu, click Settings > API Access.
  3. On the API ACCESS page, in the Access Levels tab, click Add Access Level.
  4. In the dialog, configure these settings:
    • Name — Enter a memorable name.
    • Description — Enter a description for the API key.
    • Permissions table — In the Alerts row, select READ for the General information permission.
      Note: This automatically selects Custom in the Copy permissions from list.

  5. Click Save.

Configure a new API key

  1. In the navigation menu, click Settings > API Access.
  2. On the API ACCESS page, in the API Keys tab, click Add API Key.
  3. In the dialog, configure these settings:
    • Name — Enter a unique name for the API key. For example, Arctic Wolf API.
    • Access Level type — Select Custom.
    • Custom Access Level — Select the access level you created in Create a custom access level.
  4. Click Save.
  5. Copy the API ID and API Secret Key values, and then save them in a safe, encrypted location to provide to Arctic Wolf later.
  6. On the API Keys tab, copy the ORG Key and ORG ID values, and then save them in a safe, encrypted location to provide to Arctic Wolf later.
  7. From the URL of your Carbon Black Cloud console, copy the hostname component of the base API URL for your environment, and then save it in a safe, encrypted location to provide to Arctic Wolf later.

    For example, https://defense.conferdeploy.net. For more information, see Constructing your Request.
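
A pre-flight check for the values collected in steps 5 through 7, as an added example that is not part of the original page or Arctic Wolf's own tooling: it reduces the console URL to its base API URL and assembles a one-row Alerts search, so the key can be confirmed to read alerts before it is handed over. The Alerts v7 search path, the `X-Auth-Token` format (`<API Secret Key>/<API ID>`) and the request body are taken from Carbon Black Cloud's public API documentation, not from this page; the function names and sample values are hypothetical.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def base_api_url(console_url):
    """Step 7: reduce a console URL to its https://hostname base."""
    parts = urlsplit(console_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// console URL")
    if parts.username or parts.password:
        raise ValueError("URL must not embed credentials")
    return f"https://{parts.hostname}"


def build_alert_search(console_url, org_key, api_id, api_secret):
    """Return (url, headers, body) for a one-row Alerts search; sends nothing."""
    for name, value in (("org_key", org_key), ("api_id", api_id),
                        ("api_secret", api_secret)):
        # Catch copy/paste damage: blanks, stray whitespace, pasted token pairs.
        if not value or value != value.strip() or "/" in value:
            raise ValueError(f"{name} is empty or contains stray characters")
    # Assumed endpoint: Alerts v7 search from Carbon Black Cloud's API docs.
    url = f"{base_api_url(console_url)}/api/alerts/v7/orgs/{org_key}/alerts/_search"
    headers = {"X-Auth-Token": f"{api_secret}/{api_id}",  # secret first, then ID
               "Content-Type": "application/json"}
    body = json.dumps({"criteria": {"minimum_severity": 1},
                       "time_range": {"range": "-1d"}, "rows": 1}).encode()
    return url, headers, body


def check_key(url, headers, body, timeout=15):
    """Send the search and return the HTTP status; never prints the token."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status  # 200: the key can read alerts
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 typically: key rejected or Alerts READ missing


# Constructed sample values; real ones come from the API Keys tab.
SAMPLE = build_alert_search("https://defense.conferdeploy.net/alerts?s=1",
                            "ORGKEY01", "EXAMPLEID1", "EXAMPLESECRETKEY")
```

Pass the tuple from `build_alert_search` to `check_key` from a trusted admin host, reading the real values from your secret store rather than typing them on the command line.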

Provide Carbon Black Cloud credentials to Arctic Wolf

Note: Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click VMware Carbon Black Cloud.
  5. Configure these settings:
  6. Click Test and submit credentials.