CbDefense

Visualize Carbon Black endpoint agents and findings on devices, map the agents to devices and their owners, and monitor findings and changes to endpoints through queries and alerts.

Installation

To install this integration, you will need to configure settings both within Carbon Black and in JupiterOne. Before enabling the integration in JupiterOne, ensure that you have completed the setup within Carbon Black.

Carbon Black configuration

The Carbon Black integration connects directly to Carbon Black APIs to obtain details about device sensors/agents and active alerts. To authorize access, you will need to create a Connector and an API Key in your target PSC account. These credentials will need to be provided in JupiterOne.

In Carbon Black, you will first need to set up an Access Level and API Key in the Carbon Black Cloud Console to allow access to the Devices and Alerts APIs.

This can be done by:

  1. In Carbon Black, go to Settings > API Access > Access Levels: Add Access Level and provide the following details:
  • Name "JupiterOne Read Only" (or match your naming patterns)
  • Permissions: device: READ, org.alerts: READ, org.retention: READ
  2. Next, go to Settings > API Access > API Keys: Add API Key and create the access key with the following details:
  • Name "JupiterOne" (or match your naming patterns)
  • Access Level Type "Custom", "JupiterOne Read Only"

    Note: Capture the API Secret Key and API ID for input in JupiterOne.

With the Access Level and API Key now configured, you'll need to provide the parameters below for the integration instance in JupiterOne:

  • Org Key (orgKey): In Settings > API Access, capture the Org Key.
  • API ID (connectorId): Captured during API Key creation.
  • API Key (apiKey): The API Secret Key captured during API Key creation.

Optional

  • Deployment Site/Environment (site): The part immediately following defense- in your Carbon Black Cloud account URL. For example, if you access your account at https://defense-prod05.conferdeploy.net/, the site is prod05. See more details here.

Once you've collected the above information, head to JupiterOne to create the integration instance.
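
Before entering the values in JupiterOne, the collected settings can be sanity-checked. The following is an added example, not code from JupiterOne or Carbon Black: it derives the site from a console URL as described above and compares an access level's grants with the three READ permissions listed earlier. The function names and the `{category: [operations]}` dict shape are assumptions of this example, and the sample grants are constructed.

```python
"""Pre-flight check for the values collected above (added example)."""
from urllib.parse import urlparse

# Permissions the page lists for the "JupiterOne Read Only" access level.
REQUIRED = {"device": {"READ"}, "org.alerts": {"READ"}, "org.retention": {"READ"}}


def site_from_console_url(url):
    """Return the site: the part of the first host label after 'defense-'."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("expected an https:// console URL")
    first_label = parsed.hostname.split(".")[0]
    prefix = "defense-"
    if not first_label.startswith(prefix) or len(first_label) == len(prefix):
        raise ValueError("hostname does not start with 'defense-<site>'")
    return first_label[len(prefix):]


def review_access_level(granted):
    """Compare granted {category: [operations]} with what the page requires.

    Returns (missing, excess): missing grants stop the integration from
    reading data; excess grants widen what a leaked API key can do.
    """
    missing, excess = [], []
    for category, ops in REQUIRED.items():
        have = {op.upper() for op in granted.get(category, [])}
        missing += [f"{category}:{op}" for op in sorted(ops - have)]
    for category, ops in granted.items():
        allowed = REQUIRED.get(category, set())
        extra = {op.upper() for op in ops} - allowed
        excess += [f"{category}:{op}" for op in sorted(extra)]
    return missing, sorted(excess)


if __name__ == "__main__":
    # Constructed sample input; the dict shape is an assumption of this example.
    print(site_from_console_url("https://defense-prod05.conferdeploy.net/"))
    sample = {"device": ["READ", "DELETE"], "org.alerts": ["READ"]}
    print(review_access_level(sample))
```

An empty `excess` list confirms the key is read-only for exactly the categories the integration needs; anything listed there should be removed from the access level before the key is handed to JupiterOne.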

Configuration in JupiterOne

To install the Carbon Black integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Carbon Black Cloud. Click New Instance to begin configuring your integration.

Creating a configuration requires the following:

  • The Account Name used to identify the Carbon Black account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Your Carbon Black Deployment Site and Org Key from the Carbon Black Console.

  • Lastly, the API ID and API Key generated for use with JupiterOne.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.