Carbon Black Cloud
The Carbon Black Cloud app analyzes alert and event data from Endpoint Standard and Enterprise EDR products and provides comprehensive visibility into the security posture of your endpoints, enabling you to determine the effects of breaches in your environment. The app provides visibility into key endpoint security data with pre-configured dashboards for alerts, threats intelligence, feeds, sensors, alerts, users, hosts, processes, IOCs, devices and network status.
Log types
The Carbon Black Cloud app uses the following Carbon Black Cloud log types:
- Alert Data
- Event Data
Sample log messages
For sample log messages, see Data Samples section in VMware help.
Sample queries
Endpoint Standard
_sourceCategory=CBCloud
| json field=_raw "id", "alert_url" , "severity", "device_name","device_username", "device_target_value", "threat_id", "device_os", "type", "sensor_action", "process_name", "reason", "backend_timestamp","ttps" as alert_id, alert_url ,severity ,device_name, user,target_priority, incident_id, device_os, type, sensor_action, process_name, reason, backend_timestamp,ttps nodrop
| where type ="CB_ANALYTICS"
| where !(ttps matches "[]") AND !isNull(ttps)
| extract field=ttps "\"(?<indicators>.*?)\"(,|\])" multi nodrop
| count by alert_id
| count
_sourceCategory = CBCloud
| json field=_raw "event_origin", "event_id", "event_description", "alert_id", "process_cmdline" as event_origin, event_id, event_description, alert_id, process_cmdline
| where event_origin="NGAV"
| count by event_origin, event_id, event_description, alert_id, process_cmdline
Enterprise EDR
_sourceCategory = CBCloud
| json field=_raw "event_origin", "process_guid", "process_cmdline", "parent_cmdline", "process_username" as event_origin, process_guid, process_cmdline, parent_cmdline, process_username nodrop
| where event_origin="EDR"
| count by event_origin, process_guid, process_cmdline, parent_cmdline, process_username
_sourceCategory=CBCloud WATCHLIST
| json field=_raw "id", "alert_url" , "severity", "device_name","device_username", "device_target_value", "threat_id", "device_os", "type", "sensor_action", "process_name", "reason", "backend_timestamp","ioc_id" as alert_id, alert_url ,severity ,device_name, user,target_priority, incident_id, device_os, type, sensor_action, process_name, reason, backend_timestamp,ioc_id nodrop //s3
| where type ="WATCHLIST"
| count by alert_id
| count
Set up collection
To set up Cloud-to-Cloud Integration Carbon Black Cloud Source for the Carbon Black Cloud app, follow the instructions provided. These instructions will guide you through the process of creating a source using the Carbon Black Cloud source category, which you will need to use when installing the app. By following these steps, you can ensure that your Carbon Black Cloud app is properly integrated and configured to collect and analyze your Carbon Black Cloud data.
Installing the Carbon Black Cloud app
To install the app, do the following:
- Select App Catalog.
- In the 🔎 Search Apps field, run a search for your desired app, then select it.
- Click Install App.
note
Sometimes this button says Add Integration.
- Click Next in the Setup Data section.
- In the Configure section of your respective app, complete the following fields.
- Key. Select either of these options for the data source.
- Choose Source Category and select a source category from the list for Default Value.
- Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
- Key. Select either of these options for the data source.
- Click Next. You will be redirected to the Preview & Done section.
Post-installation
Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.
Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.
Upgrading the Carbon Black Cloud app (Optional)
To update the app, do the following:
- Select App Catalog.
- In the Search Apps field, search for and then select your app.
Optionally, you can identify apps that can be upgraded in the Upgrade available section. - To upgrade the app, click Upgrade.
- If the upgrade does not have any configuration or property changes, you will be redirected to the Preview & Done section.
- If the upgrade has any configuration or property changes, you will be redirected to Setup Data page.
- In the Configure section of your respective app, complete the following fields.
- Key. Select either of these options for the data source.
- Choose Source Category and select a source category from the list for Default Value.
- Choose Custom and enter a custom metadata field. Insert its value in Default Value.
- Key. Select either of these options for the data source.
- Click Next. You will be redirected to the Preview & Done section.
- In the Configure section of your respective app, complete the following fields.
Post-update
Your upgraded app will be installed in the Installed Apps folder, and dashboard panels will start to fill automatically.
See our Release Notes changelog for new updates in the app.
Uninstalling the Carbon Black Cloud app (Optional)
To uninstall the app, do the following:
- Select App Catalog.
- In the 🔎 Search Apps field, run a search for your desired app, then select it.
- Click Uninstall.
Viewing Carbon Black Cloud dashboards
All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.
- You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
- You can use template variables to drill down and examine the data on a granular level. For more information, see Filter with template variables.
- Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (
_sourceCategoryby default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.
Overview
The Carbon Black Cloud - Overview dashboard provides a high-level view of the state of your network infrastructure and systems. The panels highlight detected threats, hosts, top feeds and IOC’s, top processes, top watchlists, and alert trends.
Use this dashboard to:
- Monitor potential threats.
- Determine the top processes and threat indicators.
- Track alerts.
- Monitor hosts, users, watchlists and feeds.
Endpoint Standard - Overview
The Carbon Black Cloud - Endpoint Standard - Overview dashboard gives a quick overview of the Alerts, devices and TTPs.
Use this dashboard to:
- See a count of items of interest (Devices, Alerts, TTPs, etc.)
- An overview of top users, processes, and devices
Endpoint Standard - Alert Summary
The Carbon Black Cloud - Endpoint Standard - Alert Summary gives you summary of alerts in table format, and provides enriched data by correlating alerts with events metadata.
Endpoint Standard - Alerts
The Carbon Black Cloud - Endpoint Standard - Alerts dashboard provides insight into the Alert trends over time.
Use this dashboard to:
- See Alert trends over time by severity and category
- Top Alerted processes
- Alerts by OS
Endpoint Standard - Device
The Carbon Black Cloud - Endpoint Standard - Device dashboard gives an overview of the top alerting devices with breakdowns by OS and process.
Use this dashboard to:
- See top devices by Alerts
- See Alerts by device over time
- See a breakdown of devices by OS and Process counts
Endpoint Standard - TTPs
The Carbon Black Cloud - Endpoint Standard - TTPs dashboard provides a high level overview of the TTPs with breakdowns by TTP, Severity, Device, Process, and Threat Actors.
Use this dashboard to:
- See which TTPs are the most prevalent
- Identify any spikes in malicious activity
- Help tune new policies and reduce false positives
Enterprise EDR - Overview
The Carbon Black Cloud - Enterprise EDR - Overview dashboard gives a quick overview of the Alerts, devices and IOCs.
Use this dashboard to:
- See a count of items of interest (Devices, Alerts, IOCs, etc.)
- An overview of top users, processes, and devices
Enterprise EDR - Alert Summary
The Carbon Black - EDR - Alert Summary dashboard provides detailed information on the alerts in your environment, including alerts by mode, OS, report, and groups. The panels also show alert trends, recent alerts, and top users.
Use this dashboard to:
- Monitor alert activity and identify spikes.
- Monitor alerts triggered after a critical issue.
- Track users who trigger a high number of alerts.
Enterprise EDR - Alerts
The Carbon Black Cloud - Enterprise EDR - Alerts dashboard provides insight into the Alert trends over time.
Use this dashboard to:
- See Alert trends over time by severity and category
- Top Alerted processes
- Alerts by OS
Enterprise EDR - Device
The Carbon Black Cloud - Enterprise EDR - Device dashboard gives an overview of the top alerting devices with breakdowns by OS and process.
Use this dashboard to:
- See top devices by Alerts
- See Alerts by device over time
- See a breakdown of devices by OS and Process counts
Enterprise EDR - IOCs
The Carbon Black Cloud - Enterprise EDR - IOCs dashboard provides a high level overview of the IOCs with breakdowns by IOC, Severity, Device, Process, and Threat Actors.
Use this dashboard to:
- See which indicators are the most prevalent
- Identify any spikes in malicious activity
- Help tune new policies and reduce false positives
