VMware Carbon Black Integration
Overview
VMware Carbon Black Cloud provides next-generation antivirus (NGAV) and endpoint detection and response (EDR) with behavioral detection. KYRA MDR collects Carbon Black alerts and events for centralized security monitoring, either through the Event Forwarder (on-premises CB Response) or by polling the Carbon Black Cloud API.
Prerequisites
- A KYRA MDR Collector installed and running
- Carbon Black Cloud console or CB Response server access
- An API key (API ID and API Secret Key) whose access level can read alerts; grant only the permissions the collector needs
- Carbon Black Event Forwarder (on-premises CB Response only)
Configuration
For Carbon Black Cloud, configure SIEM integration:
- Log in to the Carbon Black Cloud Console
- Navigate to Settings > Connectors > SIEM
- Generate a SIEM Connector API Key and record the API ID, the API Secret Key and your Org Key; the collector needs all three
- Configure the KYRA MDR collector:

```yaml
sources:
  - type: carbon-black
    url: https://defense.conferdeploy.net   # base URL of the Carbon Black Cloud environment your console runs in
    org_key: <org-key>
    api_id: <api-id>
    api_secret: <api-secret>                # keep this file out of version control and readable only by the collector
    poll_interval: 60s
```

- Restart the collector service
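What the collector does with these settings, as an added illustration (this is not KYRA MDR or VMware code): build the `X-Auth-Token` header from the API Secret Key and API ID, search the Carbon Black Cloud Alerts API v7 over a time window that overlaps the previous poll, and deduplicate the results by alert id before forwarding them. The endpoint path, header format and alert field names are the Alerts API v7 as documented by Carbon Black; the sample response is constructed, and the live request function is not called in the offline run.

```python
"""Poll the Carbon Black Cloud Alerts API v7 and normalize alerts for a SIEM.

Added example, not KYRA MDR collector code or VMware code. Assumptions: the
Alerts API v7 search endpoint, the X-Auth-Token header scheme and the alert
field names used in normalize_alerts(); SAMPLE_RESPONSE is constructed.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

CBC_URL = "https://defense.conferdeploy.net"  # same base URL as the collector config
TS_FMT = "%Y-%m-%dT%H:%M:%S.000Z"           # CBC expects millisecond UTC timestamps


def auth_headers(api_id: str, api_secret: str) -> dict:
    """X-Auth-Token is '<API Secret Key>/<API ID>': the secret comes first,
    and a transposed pair is rejected with HTTP 401."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json"}


def poll_window(checkpoint: datetime, now: datetime,
                overlap: timedelta = timedelta(minutes=5)) -> tuple:
    """Next (start, end) window. It starts `overlap` before the last checkpoint
    because backend_timestamp lags real time; normalize_alerts() drops the
    duplicates this produces."""
    return checkpoint - overlap, now


def alert_search_body(start: datetime, end: datetime,
                      min_severity: int = 1, rows: int = 500) -> dict:
    """Body for POST /api/alerts/v7/orgs/{org_key}/alerts/_search."""
    return {
        "time_range": {"start": start.strftime(TS_FMT), "end": end.strftime(TS_FMT)},
        "criteria": {"minimum_severity": min_severity},
        "rows": rows,
        "start": 1,
        "sort": [{"field": "backend_timestamp", "order": "ASC"}],
    }


def fetch_alerts(org_key: str, api_id: str, api_secret: str, body: dict,
                 base_url: str = CBC_URL) -> dict:
    """One live search call (not used by the offline run below)."""
    req = urllib.request.Request(
        f"{base_url}/api/alerts/v7/orgs/{org_key}/alerts/_search",
        data=json.dumps(body).encode(), headers=auth_headers(api_id, api_secret),
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def normalize_alerts(response: dict, seen: set) -> list:
    """Flatten v7 alert objects into SIEM-friendly records. `seen` is the
    caller's persistent set of alert ids; ids already in it are skipped."""
    records = []
    for alert in response.get("results", []):
        alert_id = alert.get("id")
        if not alert_id or alert_id in seen:
            continue
        seen.add(alert_id)
        records.append({
            "id": alert_id,
            "type": alert.get("type"),            # e.g. CB_ANALYTICS, WATCHLIST
            "severity": alert.get("severity"),    # 1 (low) .. 10 (critical)
            "device": alert.get("device_name"),
            "process": alert.get("process_name"),
            "reason": alert.get("reason"),
            "tactic": alert.get("attack_tactic"),
            "technique": alert.get("attack_technique"),
            "ts": alert.get("backend_timestamp"),
        })
    return records


# Constructed sample: two alerts plus a repeat of the first, as an overlapping
# poll window would return it.
SAMPLE_RESPONSE = {
    "num_found": 3,
    "results": [
        {"id": "a1", "type": "CB_ANALYTICS", "severity": 7, "device_name": "WS-042",
         "process_name": "powershell.exe", "reason": "Encoded command launched by winword.exe",
         "attack_tactic": "TA0002", "attack_technique": "T1059.001",
         "backend_timestamp": "2024-05-01T10:00:05.000Z"},
        {"id": "a2", "type": "WATCHLIST", "severity": 5, "device_name": "SRV-DB1",
         "process_name": "rundll32.exe", "reason": "Watchlist hit: suspicious rundll32 usage",
         "attack_tactic": "TA0005", "attack_technique": "T1218.011",
         "backend_timestamp": "2024-05-01T10:01:12.000Z"},
        {"id": "a1", "type": "CB_ANALYTICS", "severity": 7,
         "backend_timestamp": "2024-05-01T10:00:05.000Z"},
    ],
}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(json.dumps(alert_search_body(*poll_window(now - timedelta(minutes=1), now))))
    for rec in normalize_alerts(SAMPLE_RESPONSE, set()):
        print(json.dumps(rec))
    # Live use: fetch_alerts(org_key, api_id, api_secret, body) with the credentials
    # read from the environment or a secret store, never from source control.
```

The overlap plus id deduplication is the part worth copying: a poller that uses back-to-back non-overlapping windows keyed on wall-clock time will silently miss alerts whose `backend_timestamp` arrives late, and one that overlaps without deduplicating will double-count them in the SIEM.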
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Alerts | Threat and policy alerts | Endpoint threat detection |
| Watchlist Hits | Custom IOC matches | Threat intelligence correlation |
| Feed Hits | Threat feed matches | Known malware detection |
| Process Events | Process execution data | Behavioral analysis, hunting |
| Network Events | Endpoint connections | Lateral movement detection |
| File Events | File modifications | Ransomware detection, forensics |
Troubleshooting
No alerts from Carbon Black Cloud: Verify that the SIEM API key's access level includes Alerts and Notifications, and that org_key, api_id and api_secret in the collector config match the key you generated (api_id and api_secret transposed is a common cause of authentication failures).
Event Forwarder issues: For on-premises CB Response, ensure the Event Forwarder service is running and its connection to the CB Response RabbitMQ event bus is healthy.
Missing process events: Full process telemetry from Carbon Black Cloud requires an Enterprise EDR license; with Endpoint Standard alone the collector receives alerts but not the raw process, network and file event stream.
Contact kyra@seekerslab.com for support.