
Configure Carbon Black

Access and Configure Carbon Black

Obtain an API Key in Carbon Black

To configure a Carbon Black integration within LogRhythm NDR, you must first obtain an API key and the Org key within the Carbon Black Cloud Console.

For more information on assembling URLs, obtaining host names, or anything else related to the Carbon Black Cloud Console, see Carbon Black Cloud API Access.

Create Custom Access Level

The API key will need a custom access level with the following permissions:

API Route                                    | Methods | Category   | Permission Name     | Action                                       | Notes
/appservices/v6/orgs/<ORGKEY>/alerts/_search | POST    | Alerts     | General Information | R (Read)                                     |
/appservices/v6/orgs/<ORGKEY>/alerts/_search | POST    | Live Query | Manage Queries      | C (Create), R (Read), U (Update), D (Delete) |
/appservices/v6/orgs/<ORGKEY>/alerts/_search | POST    | Search     | Events              | C (Create), R (Read), U (Update), D (Delete) |

Create API Key

Once the custom access level has been created and named, an API key can be generated.

  1. Click the Settings tab, and then click API Access.
  2. Click API Keys.
  3. Click Add API Key on the far right.
    The Add API Key page appears.
  4. Enter a Name for this API key.
  5. Open the Access Level Type menu and click Custom.
  6. Open the Custom access level menu and click the custom level previously created.
  7. Click Save.
    The API Secret Key and API ID appear.

The Org key can be found in the Carbon Black Console under Settings > API Access > API Keys.

Add a New Carbon Black Integration in LogRhythm NDR

After completing your configuration within the Carbon Black Cloud Console, you can add a Carbon Black integration in LogRhythm NDR.

To create a new Carbon Black integration:

  1. Log in to the LogRhythm NDR UI.
  2. Click the Settings tab, and then click Endpoint Integrations.
    The Endpoint page appears.
  3. To add a new endpoint integration, click Add Endpoint Integration.
  4. Click Active to make the integration active.
  5. Click Endpoint Type, and click Carbon Black.
  6. Enter the integration credentials in the relevant fields.

    Field            | Description
    Integration Name | A unique name for this integration configuration.
    Polling Interval | The amount of time (in minutes) between each collection of new information from the integration.
    API URL          | The API URL for Carbon Black is https://defense.conferdeploy.net
    OrgKey           | The Org key obtained in the Carbon Black management console.
    API Token        | The information generated in the Carbon Black Cloud Console, with a slash between the API Secret Key and the API ID, as follows:
                     | <API Secret Key>/<API ID>

  7. To verify the credentials have been entered correctly, click Test.
    If the information is correct, Connection Success appears. Otherwise, Connection Failed appears, meaning the credentials need to be re-entered and re-verified.
  8. Click Save.
    The Carbon Black integration is now complete within LogRhythm NDR.
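The request that the integration issues on each polling interval, and the check behind the Test button, as an added example (this is not LogRhythm's or Carbon Black's own code). It uses the API URL, the alerts search route from the permissions table above, the Org key and the `<API Secret Key>/<API ID>` token format from this page. It assumes that Carbon Black Cloud reads the token from an `X-Auth-Token` header and that the alerts search body accepts a `criteria.create_time` window; the org key, token and response payload are constructed placeholders, and `send` is injectable so the script runs offline.

```python
"""Added example: validate the NDR integration credentials and build the
Carbon Black Cloud alerts search the integration polls with.

Assumptions (not stated on the page):
  - the token travels in an X-Auth-Token header as '<API Secret Key>/<API ID>'
  - the alerts search body accepts criteria.create_time with start/end times
"""
import json
import re
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

API_URL = "https://defense.conferdeploy.net"  # API URL from the page
ALERT_SEARCH_PATH = "/appservices/v6/orgs/{org_key}/alerts/_search"  # route from the permissions table

# Constructed placeholders; replace with the values from your own console.
PLACEHOLDER_ORG_KEY = "EXAMPLEORG"
PLACEHOLDER_TOKEN = "EXAMPLESECRETKEY123456/EXAMPLEID1"

# Assumed token shape: exactly one '/' between two non-empty alphanumeric parts.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9]+/[A-Za-z0-9]+$")


def validate_api_token(token: str) -> bool:
    """Return True when token looks like '<API Secret Key>/<API ID>'.

    Catches the usual causes of 'Connection Failed': a missing slash,
    stray whitespace, or extra path segments pasted into the field.
    """
    return _TOKEN_RE.fullmatch(token) is not None


def build_alert_search(org_key: str, api_token: str, polling_minutes: int, now=None) -> dict:
    """Assemble the POST the integration sends once per polling interval."""
    if not validate_api_token(api_token):
        raise ValueError("API token must be '<API Secret Key>/<API ID>'")
    if polling_minutes <= 0:
        raise ValueError("polling interval must be a positive number of minutes")
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(minutes=polling_minutes)
    fmt = "%Y-%m-%dT%H:%M:%S.000Z"
    body = {  # assumed body shape; only alerts created in the last interval
        "criteria": {"create_time": {"start": start.strftime(fmt), "end": now.strftime(fmt)}},
        "rows": 100,
        "start": 1,
        "sort": [{"field": "create_time", "order": "DESC"}],
    }
    return {
        "url": API_URL + ALERT_SEARCH_PATH.format(org_key=org_key),
        "headers": {"X-Auth-Token": api_token, "Content-Type": "application/json"},
        "body": body,
    }


def _send_https(request: dict):
    """Real HTTPS POST with urllib; returns (status, decoded JSON payload)."""
    data = json.dumps(request["body"]).encode()
    req = urllib.request.Request(request["url"], data=data, headers=request["headers"], method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def check_connection(request: dict, send=None) -> str:
    """Mirror the NDR Test button: 'Connection Success' or 'Connection Failed: <reason>'."""
    send = send or _send_https
    try:
        status, _payload = send(request)
    except OSError as exc:  # DNS, TLS or network failure before any HTTP status
        return f"Connection Failed: {exc}"
    if status == 200:
        return "Connection Success"
    if status in (401, 403):
        return f"Connection Failed: HTTP {status} (check API token, Org key and custom access level)"
    return f"Connection Failed: HTTP {status}"


# Constructed sample in the assumed shape of an alerts search response.
SAMPLE_RESPONSE = {
    "num_found": 2,
    "results": [
        {"id": "alert-0001", "severity": 7, "device_name": "WS-042", "create_time": "2024-01-01T11:58:00.000Z"},
        {"id": "alert-0002", "severity": 3, "device_name": "SRV-01", "create_time": "2024-01-01T11:57:00.000Z"},
    ],
}


def summarise_alerts(payload: dict, min_severity: int = 1) -> list:
    """Reduce a search response to (id, severity, device_name) at or above min_severity."""
    return [
        (a["id"], a["severity"], a["device_name"])
        for a in payload.get("results", [])
        if a.get("severity", 0) >= min_severity
    ]


if __name__ == "__main__":
    req = build_alert_search(PLACEHOLDER_ORG_KEY, PLACEHOLDER_TOKEN, polling_minutes=5)
    offline_send = lambda r: (200, SAMPLE_RESPONSE)  # stand-in for the console
    print(check_connection(req, send=offline_send))
    for alert in summarise_alerts(SAMPLE_RESPONSE, min_severity=5):
        print(alert)
```

Passing `send=None` performs the real POST against the console; a 401 or 403 points at the token, the Org key or a custom access level that lacks the permissions in the table above, whereas a socket error points at DNS or TLS on the path to `defense.conferdeploy.net`.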

Verify a Carbon Black Integration is Working

To verify that information is being collected for the Carbon Black integration:

  1. Log in to the LogRhythm NDR UI.
  2. Click the Hunt tab, and then click Activity.
    The Activity page appears. By default, the legend graph is displayed, showing the logs and events for the past hour.
  3. To view the integration events alone, click ThirdPartyEvent on the graph. 
    All integration-related events appear.
  4. To view the integration, click the Discover icon located to the left of the search field, and then click General.
  5. Select the Origin option and click the visualize icon (which is the bar graph icon) for the option.
    If events do not display, you may have to change the time range.
  6. To single out data for a selected filter, click the addfilter option in the Discover drop-down menu.
    The Value based Filters & Aggregations dialog box appears.
    For example, use the "entry_origin" filter (entry_origin: "CarbonBlack") to filter by the engine that detected the traffic, which gives you the following options:
    1 - Distributed Analytics Engine
    2 - Host Compliance Engine
    3 - Network Analysis Engine
    4 - Rules Engine

  7. To add the filter to the item displayed in the Value based Filters & Aggregations dialog box, click the icon next to the item. Conversely, to remove the filter, click the - icon next to the item.

  8. To view the integration events, click the + icon.

Edit a Carbon Black Integration

To make changes to an existing Carbon Black integration:

  1. Click the Settings tab, and then click Endpoint Integrations.
    The Endpoint page appears.
  2. Click the green Edit icon in the Actions column for the Carbon Black integration you wish to edit.
    The Edit Operator page opens.
  3. Once changes have been made, click Update.
    The endpoint integration is updated within LogRhythm NDR.

Delete a Carbon Black Integration

To delete an existing Carbon Black integration:

  1. Click the Settings tab, and then click Endpoint Integrations.
    The Endpoint page appears.
  2. Click the red Delete icon in the Actions column for the Carbon Black integration you wish to remove.
  3. Click Yes.
    The Carbon Black integration is deleted in LogRhythm NDR.