Configure Carbon Black for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform host-based response actions in your network using Carbon Black Cloud Enterprise EDR® or Carbon Black Cloud Endpoint Standard®.

Carbon Black supports these response actions:
  • Contain a host/Remove from containment

For more information, see Response action descriptions.

  • Contact your CST to validate the Active Response integration. Have a device or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Create a custom access level for Active Response

  1. Sign in to the Carbon Black Cloud console.
    For more information, see Logging in to the Console.
  2. In the navigation menu, click Settings > API Access.
  3. On the API ACCESS page, in the Access Levels tab, click Add Access Level.
  4. In the dialog, configure these settings:
    • Name — Enter a descriptive name. For example, Arctic Wolf Active Response.
    • Description — Enter a description for the access level.
    • Permissions table — Configure these permissions:
      • Alerts > Close > org.alerts.close — Select EXECUTE.
      • Alerts > General Information > device — Select READ.
      • Device > General Information > device — Select READ.
        Note:

        This automatically selects Custom in the Copy permissions from list.

      • Device > Quarantine > device.quarantine — Select EXECUTE.
      • Live Response > Live Response File > org.liveresponse.file — Select READ and DELETE.
      • Live Response > Live Response Session > org.liveresponse.session — Select CREATE, READ, and DELETE.
  5. Click Save.

Create API keys for Active Response

  1. In the navigation menu, click Settings > API Access.
  2. On the API ACCESS page, in the API Keys tab, click Add API Key.
  3. In the dialog, configure these settings:
    • Name — Enter a unique name for the API key. For example, Arctic Wolf Active Response API.
    • Access Level type — Select Custom.
    • Custom Access Level — Select the access level that you created in Create a custom access level for Active Response.
  4. Click Save.
  5. Copy the API ID and API Secret Key values, and then save them in a safe, encrypted location. Together these values authorize host containment in your environment, so treat them as a privileged credential.

    You will provide these values to Arctic Wolf later.

  6. On the API Keys tab, copy the ORG Key value, and then save it in a safe, encrypted location.
    You will provide it to Arctic Wolf later.
  7. In the URL of your Carbon Black Cloud console, identify the hostname component of the base API URL for your environment, and then save it in a safe, encrypted location.

    For example, https://defense.conferdeploy.net. You will provide this to Arctic Wolf later.

    Tip:

    For more information, see Constructing your Request.
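Before providing the credentials, it is worth confirming that the key and the custom access level actually work against the test device the prerequisite asks you to have ready. The following script is an added example written for this page; it is not Arctic Wolf or VMware code. It assumes, from the Carbon Black Cloud API reference rather than from this page, the Devices API paths `/appservices/v6/orgs/{org_key}/devices/_search` and `/appservices/v6/orgs/{org_key}/device_actions`, the `X-Auth-Token: <API Secret Key>/<API ID>` header format, and the boolean `quarantined` field on device records; the `CBC_*` environment variable names are its own. The polling helper mirrors the integration's wait-time setting: an offline sensor cannot apply containment, so the check gives up after the configured number of hours instead of polling forever.

```python
"""Sanity-check a Carbon Black Cloud API key before handing it to Arctic Wolf.

Added example for this page (not Arctic Wolf or VMware code). Assumed from the
Carbon Black Cloud API reference: the Devices API paths under
/appservices/v6/orgs/{org_key}/, the "X-Auth-Token: <secret>/<id>" header
format, and the boolean "quarantined" field. CBC_* variable names are our own.
"""
import json
import os
import time
import urllib.request
from typing import Callable, Optional
from urllib.parse import urlparse


def normalize_base_url(raw: str) -> str:
    """Reduce whatever was copied from the console to 'https://<hostname>'.

    Rejects plain http and drops any path, so the integration receives exactly
    the hostname component the configuration step asks for.
    """
    raw = raw.strip()
    parsed = urlparse(raw if "://" in raw else "https://" + raw)
    if parsed.scheme != "https":
        raise ValueError("Carbon Black Cloud base URL must begin with https://")
    if not parsed.hostname:
        raise ValueError("no hostname found in base URL")
    return f"https://{parsed.hostname}"


def auth_header(api_id: str, api_secret: str) -> dict:
    """Custom API keys authenticate as 'X-Auth-Token: <secret>/<id>' (secret first)."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json"}


def device_search_request(base_url: str, org_key: str, hostname: str) -> tuple:
    """(url, body) for the read-only device lookup that exercises Device READ."""
    url = f"{base_url}/appservices/v6/orgs/{org_key}/devices/_search"
    return url, {"query": hostname, "rows": 1}


def containment_request(base_url: str, org_key: str, device_id: int,
                        contain: bool) -> tuple:
    """(url, body) for contain / remove from containment (device.quarantine EXECUTE)."""
    url = f"{base_url}/appservices/v6/orgs/{org_key}/device_actions"
    return url, {"action_type": "QUARANTINE", "device_id": [device_id],
                 "options": {"toggle": "ON" if contain else "OFF"}}


def post_json(url: str, headers: dict, body: dict) -> dict:
    """Send one request; device_actions answers 204 with an empty body on success."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def wait_for_state(poll: Callable[[], Optional[str]], wanted: str, hours: float,
                   interval_s: float = 30.0,
                   clock: Callable[[], float] = time.monotonic,
                   sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until the device reports `wanted` or the wait window (hours) expires.

    Mirrors the integration's 'wait time for an endpoint to come back online':
    an offline sensor cannot apply containment, so stop after the window
    instead of polling forever. clock/sleep are injectable for offline tests.
    """
    deadline = clock() + hours * 3600
    while True:
        if poll() == wanted:
            return True
        if clock() >= deadline:
            return False
        sleep(interval_s)


if __name__ == "__main__":
    base = normalize_base_url(os.environ["CBC_BASE_URL"])
    headers = auth_header(os.environ["CBC_API_ID"], os.environ["CBC_API_SECRET"])
    org = os.environ["CBC_ORG_KEY"]
    s_url, s_body = device_search_request(base, org, os.environ["CBC_TEST_HOST"])

    def current_state() -> Optional[str]:
        results = post_json(s_url, headers, s_body).get("results", [])
        if not results:
            return None
        return "contained" if results[0].get("quarantined") else "clear"

    if current_state() is None:
        raise SystemExit("device lookup returned nothing: check Device READ and CBC_TEST_HOST")
    print("device lookup OK; key has READ on devices")

    # Only exercise containment when explicitly asked, and only on the test device.
    if os.environ.get("CBC_RUN_CONTAIN") == "1":
        device_id = post_json(s_url, headers, s_body)["results"][0]["id"]
        for contain in (True, False):
            url, body = containment_request(base, org, device_id, contain)
            post_json(url, headers, body)
            wanted = "contained" if contain else "clear"
            ok = wait_for_state(current_state, wanted,
                                hours=float(os.environ.get("CBC_WAIT_HOURS", "1")))
            print(f"{wanted}: {'confirmed' if ok else 'not confirmed within wait window'}")
```

Run it with only the `CBC_*` variables set to confirm the read-only lookup first; set `CBC_RUN_CONTAIN=1` only when the target is the disposable test device, because the second half contains and then releases it.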

Provide Carbon Black Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click VMware Carbon Black.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration, including the tenant name. For example, <tenant_name> Carbon Black Active Response Integration.
    • Base URL — Enter the base API URL that you saved in Create API keys for Active Response, beginning with https://.
    • Client ID — Enter the API ID value from Create API keys for Active Response.
    • Client Secret — Enter the API Secret Key value from Create API keys for Active Response.
    • Org Key — Enter the ORG Key value from Create API keys for Active Response.
    • Results Limit — Enter the maximum number of objects for a query to return. We recommend 100.
    • The wait time (hours) for an endpoint to come back online — Enter the number of hours Arctic Wolf should continue checking for a command response from Carbon Black Cloud. We recommend 1.
    • User defined mapping — (Optional) Leave this field blank.
  6. Click Save Integration.