VMware Carbon Black Cloud

Integration version: 27.0

Use Cases

  1. Ingest VMware Carbon Black Cloud events and alerts to use them to create Google Security Operations SOAR alerts.

    In Google Security Operations SOAR, alerts can be used to perform orchestrations with playbooks or manual analysis.

  2. Perform enrichment actions

    Get data from VMware Carbon Black Cloud to enrich data in Google Security Operations SOAR Alerts.

  3. Perform active actions

    Schedule a scan and quarantine a host using the VMware Carbon Black Cloud agent from Google Security Operations SOAR.

Product Permission

Concepts required to access VMware Carbon Black Cloud APIs

  1. Service Hostname
  2. API Keys
  3. RBAC
  4. Organization Keys

To configure API Access for the VMware Carbon Black Cloud Google Security Operations SOAR Integration, see the "Configure API Access for VMware Carbon Black Cloud Google Security Operations SOAR integration" section.

Service Hostnames

There are two VMware Carbon Black Cloud hostnames:

  • https://defense-.conferdeploy.net/
  • https://api-.conferdeploy.net/

In addition, there are multiple environments, such as prod02, prod04, prod05, etc.

For the VMware Carbon Black Cloud API, the following hostname is used: https://defense-.conferdeploy.net/

API Keys

VMware Carbon Black Cloud APIs and services are authenticated via API Keys. Users can view the API Key settings within the VMware Carbon Black Cloud Console under Settings > API Keys.

API keys include two parts:

  1. API Secret Key (previously API Key).
  2. API ID (previously Connector ID).

Authentication is passed to the API via the X-Auth-Token HTTP header.

  1. To generate the appropriate header, concatenate the API Secret Key and the API ID with a forward slash in between.
  2. For example, if the API Secret Key is ABCD and the API ID is 1234, the corresponding X-Auth-Token HTTP header will be: X-Auth-Token: ABCD/1234

All API requests must be authenticated using an API Secret Key and an API ID. Unauthenticated requests return an HTTP 401 error.

To obtain an API Secret Key and API ID:

  1. Log into your VMware Carbon Black Cloud Organization.
  2. Navigate to Settings > API Keys.
  3. Click "Add API Key".
  4. Configure Name, Access Level, etc.
  5. Obtain your API Secret Key and API ID pair.

This allows an organization administrator to define an API Key and get access to the API Secret Key and API ID that will be required to authenticate the API request. In addition, administrators can restrict use of this API key to a specific set of IP addresses for security reasons.

API Key Access Levels

Currently there are four major access levels for API Keys available on the API Keys page. Each access level grants access to a different set of API routes:

  1. Custom Key Access Level: provides customizable authorization.

    • Custom API Keys are the result of the role-based access control (RBAC) effort.
    • They allow customers to apply access controls and create least-privileged API keys.
    • Custom API Keys can be assigned User Roles or Access Levels.
  2. API Key Access Level: provides access to all APIs except for the Notifications API and the Live Response API.

  3. SIEM Key Access Level: provides access to the Notifications API.

  4. Live Response Key Access Level: provides access to all APIs available to (1) above plus the Live Response API.

Service to API Access Level Correlation

API/Service | Category | API Key Access Level(s) Permitted
PSC | /appservices/* | Custom (with appropriate permissions), API

Organization Keys

In addition to API Keys, many VMware Carbon Black Cloud APIs or services require an org_key in the API request path. This is to support customers that manage multiple orgs.

You can find your org_key in the VMware Carbon Black Cloud Console under Settings > API Keys.
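As an added example (not the integration's own code), this is how a request described in the API Keys and Organization Keys sections is assembled: the X-Auth-Token header from the API Secret Key and API ID, and the org_key placed in the request path. The device-search route under /appservices/ (DEVICE_SEARCH_PATH) is taken from the public Devices API and the org key ORGKEY01 is a placeholder; neither comes from this page.

```python
"""Assemble an authenticated VMware Carbon Black Cloud request (added example)."""
from typing import Optional
from urllib.parse import urljoin
import urllib.request

# Devices API search route under /appservices/ (assumption; this page only lists /appservices/*).
DEVICE_SEARCH_PATH = "appservices/v6/orgs/{org_key}/devices/_search"


def make_auth_token(api_secret_key: str, api_id: str) -> str:
    """X-Auth-Token value: the API Secret Key, a forward slash, then the API ID (e.g. ABCD/1234)."""
    if not api_secret_key or not api_id:
        raise ValueError("both the API Secret Key and the API ID are required")
    if "/" in api_id:
        raise ValueError("the API ID must not contain '/', the separator would be ambiguous")
    return f"{api_secret_key}/{api_id}"


def make_org_url(api_root: str, org_key: str, path_template: str) -> str:
    """Join the API Root with a route carrying the org_key, tolerating a missing trailing slash."""
    if not api_root.lower().startswith("https://"):
        raise ValueError("the API Root must use https: the token travels in a plain header")
    root = api_root if api_root.endswith("/") else api_root + "/"
    return urljoin(root, path_template.format(org_key=org_key).lstrip("/"))


def build_request(api_root: str, org_key: str, api_secret_key: str, api_id: str,
                  path_template: str = DEVICE_SEARCH_PATH,
                  body: Optional[bytes] = None) -> urllib.request.Request:
    """Return a ready-to-send request; a wrong or missing token yields HTTP 401 from the service."""
    req = urllib.request.Request(
        make_org_url(api_root, org_key, path_template),
        data=body,
        method="POST" if body is not None else "GET",
    )
    req.add_header("X-Auth-Token", make_auth_token(api_secret_key, api_id))
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    # Secret/ID values are the page's own example (ABCD / 1234); the org key is a placeholder.
    r = build_request("https://defense.conferdeploy.net", "ORGKEY01", "ABCD", "1234",
                      body=b'{"criteria": {}, "rows": 1}')
    print(r.get_method(), r.full_url, r.get_header("X-auth-token"))
```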

Configure API Access for VMware Carbon Black Cloud Google Security Operations SOAR integration

To configure API access for the VMware Carbon Black Cloud Google Security Operations SOAR integration, the following steps need to be taken:

  1. Log in to the VMware Carbon Black Cloud Console and go to Settings > API Access.
  2. On the API Access page, go to Access Levels.
  3. On the Access Levels page, click + Add Access Level.
  4. In the opened window, provide a name and description for the new Access Level and select permissions as shown in the screenshot below:

    List of required permissions

  5. Go back to the API Access tab.

  6. Click "+ Add API Key" to create a new API key.

  7. In the opened tab, fill in the mandatory fields and select the Access Level you configured in step 4:

    Add API Key settings

  8. Once you click Save, the API ID and API Secret Key are shown. Save those values, because they are shown only once.

  9. Once the API ID and API Secret Key are saved, the API access configuration in VMware Carbon Black Cloud is complete.

Configure API Access for VMware Carbon Black Cloud Reputation Override

To configure API access for the VMware Carbon Black Cloud Reputation Override API, the following steps need to be taken:

  1. Log in to the VMware Carbon Black Cloud Console and go to Settings > API Access.
  2. On the API Access page, go to Access Levels.
  3. On the Access Levels page, select the Access Level currently used for the VMware Carbon Black Cloud integration.
  4. In the opened window, add the required permissions to the Access Level.

Known Issues and Limitations

For more information about limitations, see Configure Reputation Override.

Configure VMware Carbon Black Cloud integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Instance Name | String | N/A | No | Name of the instance you intend to configure the integration for.
Description | String | N/A | No | Description of the instance.
API Root | String | https://defense.conferdeploy.net/ | Yes | VMware Carbon Black Cloud API Root URL.
Organization Key | String | N/A | Yes | VMware Carbon Black Cloud Organization Key.
API ID | String | N/A | Yes | VMware Carbon Black Cloud API ID (Custom API Key ID).
API Secret Key | String | N/A | Yes | VMware Carbon Black Cloud API Secret Key (Custom API Secret Key).
Verify SSL | Checkbox | Checked | No | If enabled, verify that the SSL certificate for the connection to the VMware Carbon Black Cloud server is valid.
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to VMware Carbon Black Cloud with parameters provided at the integration configuration page on the Google Security Operations Marketplace tab.

Parameters

N/A

Use cases

The action is used to test connectivity at the integration configuration page in the Google Security Operations Marketplace tab. It can be executed as a manual action, not used in playbooks.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the VMware Carbon Black Cloud server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the VMware Carbon Black Cloud server! Error is {0}".format(exception.stacktrace)

General

Enrich Entities

Description

Enrich Google Security Operations SOAR Host or IP entities based on the device information from the VMware Carbon Black Cloud.

Use cases

Enrich Google Security Operations SOAR host or IP entities with information from VMware Carbon Black Cloud, if the CB agent is installed on a respective IP or host entity.

During the processing of a possible malware infection alert that is associated with a host that has a VMware Carbon Black Cloud sensor, the user needs enrichment data from VMware Carbon Black Cloud about this sensor and the host it is installed on, to use this data in alert analysis. For example, enrichment of a Google Security Operations SOAR entity can return the sensor status, the CB policy assigned to the sensor, and other fields.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Entity Enrichment
Enrichment Field Name Logic - When to apply
CB_Cloud.device_id Always
CB_Cloud.antivirus_status Always
CB_Cloud.antivirus_last_scan_time If the information is displayed in the JSON Result
CB_Cloud.owner_email If the information is displayed in the JSON Result
CB_Cloud.owner_first_name If the information is displayed in the JSON Result
CB_Cloud.owner_last_name If the information is displayed in the JSON Result
CB_Cloud.last_contact_time Always
CB_Cloud._last_device_policy_changed_time If the information is displayed in the JSON Result
CB_Cloud.last_external_ip_address Always
CB_Cloud.last_internal_ip_address Always
CB_Cloud.last_location Always
CB_Cloud.full_device_name Always
CB_Cloud.organization_id Always
CB_Cloud.organization_name Always
CB_Cloud.device_os If the information is displayed in the JSON Result
CB_Cloud.device_os_version If the information is displayed in the JSON Result
CB_Cloud.passive_mode Always
CB_Cloud.device_policy_id Always
CB_Cloud.device_policy_name Always
CB_Cloud.device_policy_override If true
CB_Cloud.quarantined Always
CB_Cloud.scan_status If the information is displayed in the JSON Result
CB_Cloud.sensor_out_of_date Always
CB_Cloud.sensor_states Always
CB_Cloud.sensor_version Always
CB_Cloud.device_status Always
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "results": [
      {
        "activation_code": null,
        "activation_code_expiry_time": "2020-04-28T05:05:37.391Z",
        "ad_group_id": 649,
        "av_ave_version": null,
        "av_engine": "",
        "av_last_scan_time": null,
        "av_master": false,
        "av_pack_version": null,
        "av_product_version": null,
        "av_status": [
          "AV_DEREGISTERED"
        ],
        "av_update_servers": null,
        "av_vdf_version": null,
        "current_sensor_policy_name": "vmware-siemplify",
        "deregistered_time": "2020-04-21T07:31:22.285Z",
        "device_meta_data_item_list": [
          {
            "key_name": "OS_MAJOR_VERSION",
            "key_value": "Windows 10",
            "position": 0
          },
          {
            "key_name": "SUBNET",
            "key_value": "10.0.2",
            "position": 0
          }
        ],
        "device_owner_id": 439953,
        "email": "User",
        "first_name": null,
        "id": 3401539,
        "last_contact_time": "2020-04-21T07:30:21.614Z",
        "last_device_policy_changed_time": "2020-04-21T05:05:57.518Z",
        "last_device_policy_requested_time": "2020-04-21T07:12:34.803Z",
        "last_external_ip_address": "115.77.51.209",
        "last_internal_ip_address": "10.0.2.15",
        "last_location": "OFFSITE",
        "last_name": null,
        "last_policy_updated_time": "2020-04-09T11:19:01.371Z",
        "last_reported_time": "2020-04-21T07:14:33.810Z",
        "last_reset_time": null,
        "last_shutdown_time": "2020-04-21T06:41:11.083Z",
        "linux_kernel_version": null,
        "login_user_name": null,
        "mac_address": "000000000000",
        "middle_name": null,
        "name": "<span class='hlt1'>WinDev2003Eval</span>",
        "organization_id": 1105,
        "organization_name": "cb-internal-alliances.com",
        "os": "WINDOWS",
        "os_version": "Windows 10 x64",
        "passive_mode": false,
        "policy_id": 36194,
        "policy_name": "vmware-siemplify",
        "policy_override": false,
        "quarantined": false,
        "registered_time": "2020-04-21T05:05:37.407Z",
        "scan_last_action_time": null,
        "scan_last_complete_time": null,
        "scan_status": null,
        "sensor_kit_type": "WINDOWS",
        "sensor_out_of_date": false,
        "sensor_pending_update": false,
        "sensor_states": [
          "ACTIVE",
          "LIVE_RESPONSE_NOT_RUNNING",
          "LIVE_RESPONSE_NOT_KILLED",
          "LIVE_RESPONSE_ENABLED",
          "SECURITY_CENTER_OPTLN_DISABLED"
        ],
        "sensor_version": "3.4.0.1097",
        "status": "DEREGISTERED",
        "target_priority": "MEDIUM",
        "uninstall_code": "9EFCKADP",
        "vdi_base_device": null,
        "virtual_machine": false,
        "virtualization_provider": "UNKNOWN",
        "windows_platform": null
      }
    ],
    "num_found": 6
}
Case Wall
Result Type Value / Description Type
Output message

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities is enriched: "Successfully enriched entities: {0}".format([entity.Identifier]).

If none of the provided entities could be enriched: "No entities were enriched."

If no data was found in VMware Carbon Black Cloud to enrich specific entities: "Action was not able to find VMware Carbon Black Cloud info to enrich the following entities: {0}".format([entity.identifier])

If the action found multiple matches in VMware Carbon Black Cloud for some Google Security Operations SOAR entities, the first match was taken to enrich those entities: "Multiple matches were found in VMware Carbon Black Cloud, taking first match for the following entities:\n {0}".format(entity.identifiers list)

The action should fail and stop a playbook execution:

If a fatal error is reported (for example wrong credentials, no connection to the server, or other errors): "Failed to execute Enrich Entities action! Error is {0}".format(exception.stacktrace)

General
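As an added example (not the integration's own code), here is one way to implement the enrichment logic that the table and output messages above describe: the first match is taken when several devices match an entity, the "Always" fields are set unconditionally, the "If the information is displayed" fields only when the JSON value is present, and device_policy_override only when it is true. The mapping from JSON keys to CB_Cloud.* fields and the sample response are assumptions modelled on the JSON result shown above.

```python
"""Map a device-search response onto the CB_Cloud.* enrichment fields (added example)."""
import re
from typing import Any, Dict, List, Optional, Tuple

# JSON key -> enrichment field, applied always. The JSON keys are inferred from the sample result.
ALWAYS = {
    "id": "device_id", "av_status": "antivirus_status", "last_contact_time": "last_contact_time",
    "last_external_ip_address": "last_external_ip_address", "last_location": "last_location",
    "last_internal_ip_address": "last_internal_ip_address", "name": "full_device_name",
    "organization_id": "organization_id", "organization_name": "organization_name",
    "passive_mode": "passive_mode", "policy_id": "device_policy_id", "policy_name": "device_policy_name",
    "quarantined": "quarantined", "sensor_out_of_date": "sensor_out_of_date",
    "sensor_states": "sensor_states", "sensor_version": "sensor_version", "status": "device_status",
}
# Applied only when the JSON result carries a value (the "If the information is displayed" rows).
IF_PRESENT = {
    "av_last_scan_time": "antivirus_last_scan_time", "email": "owner_email",
    "first_name": "owner_first_name", "last_name": "owner_last_name",
    "last_device_policy_changed_time": "_last_device_policy_changed_time",  # name as listed in the table
    "os": "device_os", "os_version": "device_os_version", "scan_status": "scan_status",
}
# The sample result shows search highlighting around the device name; strip it before enriching.
HIGHLIGHT = re.compile(r"</?span[^>]*>")

# Constructed sample modelled on the JSON result above: two hits, so the first match is taken.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "results": [
        {"id": 3401539, "av_status": ["AV_DEREGISTERED"], "av_last_scan_time": None,
         "email": "User", "first_name": None, "last_name": None,
         "last_contact_time": "2020-04-21T07:30:21.614Z",
         "last_device_policy_changed_time": "2020-04-21T05:05:57.518Z",
         "last_external_ip_address": "203.0.113.9", "last_internal_ip_address": "10.0.2.15",
         "last_location": "OFFSITE", "name": "<span class='hlt1'>WinDev2003Eval</span>",
         "organization_id": 1105, "organization_name": "example.test", "os": "WINDOWS",
         "os_version": "Windows 10 x64", "passive_mode": False, "policy_id": 36194,
         "policy_name": "vmware-siemplify", "policy_override": False, "quarantined": False,
         "scan_status": None, "sensor_out_of_date": False, "sensor_states": ["ACTIVE"],
         "sensor_version": "3.4.0.1097", "status": "DEREGISTERED"},
        {"id": 3401540, "name": "WinDev2003Eval-clone", "status": "REGISTERED"},
    ],
    "num_found": 2,
}


def select_device(response: Dict[str, Any]) -> Tuple[Optional[Dict[str, Any]], bool]:
    """Return (device, multiple_matches); the first match is used when several devices match."""
    results: List[Dict[str, Any]] = response.get("results") or []
    if not results:
        return None, False
    return results[0], len(results) > 1


def build_enrichment(device: Dict[str, Any]) -> Dict[str, Any]:
    """Produce the CB_Cloud.* fields for one device, following the table's apply rules."""
    out: Dict[str, Any] = {}
    for key, field in ALWAYS.items():
        value = device.get(key)
        if key == "name" and isinstance(value, str):
            value = HIGHLIGHT.sub("", value)
        out[f"CB_Cloud.{field}"] = value
    for key, field in IF_PRESENT.items():
        if device.get(key) is not None:
            out[f"CB_Cloud.{field}"] = device[key]
    if device.get("policy_override") is True:  # listed as "If true"
        out["CB_Cloud.device_policy_override"] = True
    return out


def enrich_entities(responses: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """responses maps an entity identifier to the device-search response obtained for it."""
    enriched: Dict[str, Dict[str, Any]] = {}
    not_found: List[str] = []
    multiple: List[str] = []
    for identifier, response in responses.items():
        device, had_multiple = select_device(response)
        if device is None:
            not_found.append(identifier)
            continue
        if had_multiple:
            multiple.append(identifier)
        enriched[identifier] = build_enrichment(device)
    return {"enriched": enriched, "not_found": not_found, "multiple_matches": multiple}


def output_message(summary: Dict[str, Any]) -> str:
    """Compose the case-wall text from the message templates listed above."""
    parts: List[str] = []
    if summary["enriched"]:
        parts.append("Successfully enriched entities: " + ", ".join(summary["enriched"]))
    else:
        parts.append("No entities were enriched.")
    if summary["not_found"]:
        parts.append("Action was not able to find VMware Carbon Black Cloud info to enrich the "
                     "following entities: " + ", ".join(summary["not_found"]))
    if summary["multiple_matches"]:
        parts.append("Multiple matches were found in VMware Carbon Black Cloud, taking first match "
                     "for the following entities:\n" + ", ".join(summary["multiple_matches"]))
    return "\n".join(parts)
```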

Dismiss VMware Carbon Black Cloud Alert

Description

Dismiss VMware Carbon Black Cloud alert.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Alert ID | String | N/A | Yes | Alert ID to dismiss on the VMware Carbon Black Cloud server. Specify the alert id in the format 27162661199ea9a043c11ea9a29a93652bc09fd, not the legacy_alert_id that is shown in the UI as DONAELUN.
Reason for dismissal | DropDownList | No dismissal reason | No | VMware Carbon Black Cloud reason for alert dismissal.
Message for alert dismissal | String | N/A | No | Message to add to the alert dismissal.

Use cases

Dismiss/Close VMware Carbon Black Cloud alert based on the analysis done in Google Security Operations SOAR.

After the alert was processed in Google Security Operations SOAR, to keep the alert status in sync between VMware Carbon Black Cloud and Google Security Operations SOAR, the user needs an action that will dismiss (close) VMware Carbon Black Cloud alert from Google Security Operations SOAR.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message

The action should not fail nor stop a playbook execution:

If successful: "Successfully dismissed VMware Carbon Black Cloud alert with alert id {0}".format(alert_id)

If is_success=false: "Failed to dismiss VMware Carbon Black Cloud alert! Error is {0}".format(exception.stacktrace)

The action should fail and stop a playbook execution:

If a fatal error is reported (for example wrong credentials, no connection to the server, or other errors): "Failed to execute Dismiss alert action! Error is {0}".format(exception.stacktrace)

General

Update a Policy for Device by Policy ID

Description

Change a policy on the VMware Carbon Black Cloud sensor on a host. The action scope is the IP Address or Host entity.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Policy ID | Integer | N/A | Yes | Specify a policy to associate with the VMware Carbon Black Cloud sensor.

Use cases

Create a policy update task on VMware Carbon Black Cloud server from Google Security Operations SOAR.

During the analysis of alerts related to a specific host that is managed by VMware Carbon Black Cloud, it was discovered that the host has generated multiple false positive alerts in a short period of time. Because of this, the Google Security Operations SOAR user needs an action that creates a policy update task to change the sensor policy to a less restrictive one.

Run On

This action runs on the following entities:

  1. IP Address
  2. Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message

The action should not fail nor stop a playbook execution:

If successful: "Successfully changed device policy to {0} for the following entities:\n {1}".format(policy_name, entity.Identifiers list)

If is_success=false for all of the provided entities: "No tasks were created"

If is_success=false for some of the provided entities because no related device could be found in VMware Carbon Black Cloud: "Action was not able to find matching VMware Carbon Black Cloud devices for the following entities:\n {0}".format(entity.Identifiers list)

If is_success=false for some of the provided entities because the specified policy could not be assigned: "Action was not able to assign policy {0} for VMware Carbon Black Cloud devices for the following entities:\n {1}".format(policy_id, entity.Identifiers list)

If the action found multiple matches in VMware Carbon Black Cloud for some Google Security Operations SOAR entities, the first match was taken: "Multiple matches were found in VMware Carbon Black Cloud, taking first match for the following entities:\n {0}".format(entity.identifiers list)

The action should fail and stop a playbook execution:

If a fatal error is reported (for example wrong credentials, no connection to the server, or other errors): "Failed to execute action! Error is {0}".format(exception.stacktrace)

General

Device Background Scan

Description

Create a device background scan task on the VMware Carbon Black Cloud server based on Google Security Operations SOAR IP Address or Host entities.

Use cases

Create a background scan task for the host in question using VMware Carbon Black Cloud sensor from Google Security Operations SOAR.

During the analysis of an alert related to a specific host that is managed by VMware Carbon Black Cloud, it was discovered that the host is showing signs of being compromised. Because of this, the Google Security Operations SOAR user requests an on-demand background scan of the host, so that if there are other suspicious executables on the host, the sensor creates alerts for them and the user can review those alerts in Google Security Operations SOAR.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message

The action should not fail nor stop a playbook execution:

If successful: "Successfully created a background scan task for the following entities:\n {0}".format(entity.Identifiers list)

If is_success=false for all of the provided entities: "No tasks were created"

If is_success=false for some of the provided entities because no related device could be found in VMware Carbon Black Cloud: "Action was not able to find matching VMware Carbon Black Cloud devices for the following entities:\n {0}".format(entity.Identifiers list)

If the action found multiple matches in VMware Carbon Black Cloud for some Google Security Operations SOAR entities, the first match was taken: "Multiple matches were found in VMware Carbon Black Cloud, taking first match for the following entities:\n {0}".format(entity.identifiers list)

The action should fail and stop a playbook execution:

If a fatal error is reported (for example wrong credentials, no connection to the server, or other errors): "Failed to execute action! Error is {0}".format(exception.stacktrace)

General

Enable Bypass Mode for Device

Description

Enable bypass mode task for a device on VMware Carbon Black Cloud server based on the Google Security Operations SOAR IP Address or Host entities.

Use cases

Create Enable Bypass Mode task on VMware Carbon Black Cloud server from Google Security Operations SOAR.

During the analysis of an alert related to a specific platform sensor and host, it was discovered that the sensor creates a lot of false positive alerts. To troubleshoot its behavior, bypass mode needs to be enabled for some period of time to track which events the agent marks as alerts, so that the respective policies can be updated later.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message

The action should not fail nor stop a playbook execution:

If successful: "Successfully created enable bypass mode task for the following entities:\n {0}".format( entity.Identifiers list)

If is_success=false for all of the provided entities: "No tasks were created"

If is_success=false for some of the provided entities because no related device could be found in VMware Carbon Black Cloud: "Action was not able to find matching VMware Carbon Black Cloud devices for the following entities:\n {0}".format(entity.Identifiers list)

If the action found multiple matches in VMware Carbon Black Cloud for some Google Security Operations SOAR entities, the first match was taken: "Multiple matches were found in VMware Carbon Black Cloud, taking first match for the following entities:\n {0}".format(entity.identifiers list)

The action should fail and stop a playbook execution:

If a fatal error is reported (for example wrong credentials, no connection to the server, or other errors): "Failed to execute action! Error is {0}".format(exception.stacktrace)

General

Disable Bypass Mode for Device

Description

Create disable bypass mode task for devices on the VMware Carbon Black Cloud server based on the Google Security Operations SOAR IP Address or Host entities.

Use cases

Create Disable Bypass Mode task on VMware Carbon Black Cloud server from Google Security Operations SOAR.

After bypass mode was enabled on a specific sensor and the VMware Carbon Black Cloud configuration and policies were troubleshot, it was decided that the CB sensor is working as expected on the specific host, so bypass mode needs to be disabled. Because of this, the Google Security Operations SOAR user executes the "Create Disable Bypass Mode task for Device" action, which creates a task for disabling bypass mode on the specific host on the VMware Carbon Black Cloud server from Google Security Operations SOAR.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message

The action should not fail nor stop a playbook execution:

If successful: "Successfully created disable bypass mode task for the following entities:\n {0}".format(entity.Identifiers list)

If is_success=false for all of the provided entities: "No tasks were created"

If is_success=false for some of the provided entities because no related device could be found in VMware Carbon Black Cloud: "Action was not able to find matching VMware Carbon Black Cloud devices for the following entities:\n {0}".format(entity.Identifiers list)

If the action found multiple matches in VMware Carbon Black Cloud for some Google Security Operations SOAR entities, the first match was taken: "Multiple matches were found in VMware Carbon Black Cloud, taking first match for the following entities:\n {0}".format(entity.identifiers list)

The action should fail and stop a playbook execution:

If a fatal error is reported (for example wrong credentials, no connection to the server, or other errors): "Failed to execute action! Error is {0}".format(exception.stacktrace)

General

Quarantine Device

Description

Create quarantine device task on the VMware Carbon Black Cloud server based on the Google Security Operations SOAR IP Address or Host entities.

Use cases

Create Quarantine host task on VMware Carbon Black Cloud server from Google Security Operations SOAR.

During the analysis of an alert related to a specific host that is managed by VMware Carbon Black Cloud, it was discovered that the host is showing signs of being compromised. Because of this, the Google Security Operations SOAR user needs an action that creates a quarantine host task on the VMware Carbon Black Cloud server from Google Security Operations SOAR.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
  {
    "Entity": "siemplify-xxxx",
    "EntityResult": {
      "status": "done"
    }
  }
]
Case Wall
Result Type Value / Description Type
Output message

The action should not fail nor stop a playbook execution:

If successful: "Successfully created quarantine device task for the following entities:\n {0}".format(entity.Identifiers list)

If is_success=false for all of the provided entities: "No tasks were created"

If is_success=false for some of the provided entities because no related device could be found in VMware Carbon Black Cloud: "Action was not able to find matching VMware Carbon Black Cloud devices for the following entities:\n {0}".format(entity.Identifiers list)

If the action found multiple matches in VMware Carbon Black Cloud for some Google Security Operations SOAR entities, the first match was taken to execute the action: "Multiple matches were found in VMware Carbon Black Cloud, taking first match for the following entities:\n {0}".format(entity.identifiers list)

The action should fail and stop a playbook execution:

If a fatal error is reported (for example wrong credentials, no connection to the server, or other errors): "Failed to execute action! Error is {0}".format(exception.stacktrace)

General

Unquarantine Device

Description

Create an unquarantine device task on the VMware Carbon Black Cloud server based on the Google Security Operations SOAR IP Address or Host entities.

Use cases

Create Unquarantine host task on VMware Carbon Black Cloud server from Google Security Operations SOAR.

After the analysis and remediation of an alert related to a specific host that is managed by VMware Carbon Black Cloud, it was discovered that the host no longer shows signs of compromise. Because of this, the Google Security Operations SOAR user executes the "Create Unquarantine device task" action, which creates an unquarantine host task on the VMware Carbon Black Cloud server from Google Security Operations SOAR to restore the network connectivity of the host in question.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message

The action should not fail nor stop a playbook execution:

If successful: "Successfully created quarantine device task for the following entities:\n {0}".format(entity.Identifiers list)

If is_success=false for all of the provided entities: "No tasks were created"

If is_success=false for some of the provided entities because no related device could be found in VMware Carbon Black Cloud: "Action was not able to find matching VMware Carbon Black Cloud devices for the following entities:\n {0}".format(entity.Identifiers list)

If the action found multiple matches in VMware Carbon Black Cloud for some Google Security Operations SOAR entities, the first match was taken: "Multiple matches were found in VMware Carbon Black Cloud, taking first match for the following entities:\n {0}".format(entity.identifiers list)

The action should fail and stop a playbook execution:

If a fatal error is reported (for example wrong credentials, no connection to the server, or other errors): "Failed to execute action! Error is {0}".format(exception.stacktrace)

General

Execute Entity Processes Search

Description

Execute a Carbon Black Cloud Process Search based on Google Security Operations SOAR entities. This action can be used to search for information about processes stored in Carbon Black Cloud using the action input parameters and the following Google Security Operations SOAR entities: IP Address, Host, User, Hash, Process.

Run On

This action runs on the following entities:

  • IP Address
  • Host
  • User
  • Hash
  • Process

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Start from Row | Integer | 0 | No | Specify from which row the action should fetch data.
Max Rows to Return | Integer | 50 | No | Specify how many rows the action should return.
Create Insight | Checkbox | Unchecked | No | If enabled, the action creates a Google Security Operations SOAR insight based on the process info from Carbon Black Cloud.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
   "results": [
       {
           "alert_category": [
               "THREAT"
           ],
           "alert_id": [
               "19183229-384f-49a7-8ad7-87d0db243fcc",
               "4dfc6aed-656d-41d1-9568-0de349d7a8b3",
               "8eb04992-ed94-4471-8a71-fd78bad887de",
               "ac3b3b3a-f4ce-41dc-9de8-123d5a1e2572",
               "edc046a0-98f0-43eb-b3c0-a67469c11d19",
               "f365a912-1d79-421e-bccb-f57b52100be8"
           ],
           "backend_timestamp": "2021-02-02T18:38:46.520Z",
           "childproc_count": 0,
           "crossproc_count": 0,
           "device_external_ip": "161.47.37.87",
           "device_group_id": 0,
           "device_id": 3602123,
           "device_installed_by": "sadiya@acalvio.com",
           "device_internal_ip": "172.26.115.53",
           "device_location": "UNKNOWN",
           "device_name": "desktop1-win10",
           "device_os": "WINDOWS",
           "device_os_version": "Windows 10 x64",
           "device_policy": "test",
           "device_policy_id": 32064,
           "device_target_priority": "HIGH",
           "device_timestamp": "2020-08-19T16:31:20.887Z",
           "document_guid": "sF1Ug1--SEyLWljQrWe8NA",
           "event_threat_score": [
               6
           ],
           "filemod_count": 0,
           "ingress_time": 1612291119946,
           "modload_count": 0,
           "netconn_count": 0,
           "org_id": "7DESJ9GN",
           "parent_effective_reputation": "KNOWN_MALWARE",
           "parent_guid": "7DESJ9GN-0036f6cb-000026d4-00000000-1d676428bd025e2",
           "parent_hash": [
               "86deb998e6b628755a1049a54b8863d32752d6176fb1ef3b7c4ee08c1f25edbc"
           ],
           "parent_name": "c:\\windows\\system32\\windowspowershell\\v1.o\\powershell.exe",
           "parent_pid": 9940,
           "parent_reputation": "KNOWN_MALWARE",
           "process_cmdline": [
               "powershell.exe -ep bypass"
           ],
           "process_cmdline_length": [
               25
           ],
           "process_effective_reputation": "COMPANY_BLACK_LIST",
           "process_guid": "7DESJ9GN-0036f6cb-000005b8-00000000-1d676428bdf1285",
           "process_hash": [
               "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
               "cda48fc75952ad12d99e526d0b6bf70a"
           ],
           "process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
           "process_pid": [
               1464
           ],
           "process_reputation": "COMPANY_BLACK_LIST",
           "process_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
           "process_start_time": "2020-08-19T16:05:24.057Z",
           "process_username": [
               "DESKTOP1-WIN10\\acalvio"
           ],
           "regmod_count": 0,
           "scriptload_count": 0,
           "watchlist_hit": [
               "BeCXz92RjiQxN1PnYlM6w:SdJksR9SsWuLCJNeBsNPw:10",
               "BeCXz92RjiQxN1PnYlM6w:s24xyq8SFapmQEMXv9yw:7",
               "BeCXz92RjiQxN1PnYlM6w:s24xyq8SFapmQEMXv9yw:8"
           ]
       }
   ],
   "num_found": 1,
   "num_available": 1,
   "approximate_unaggregated": 6,
   "num_aggregated": 6,
   "contacted": 47,
   "completed": 47
}
Entity Enrichment
Enrichment Field Name Logic - When to apply
IsSuspicious Should be set to True if the returned data contains an alert_category equal to THREAT and a non-empty list of alert_ids associated with the process.
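The enrichment rule and the Case Wall messages above, as an added example that is not the integration's own code. The per-entity result list is constructed for this example; the field names (alert_category, alert_id, process_name) are the ones listed for this action, and the values are made up.

```python
"""Added example (not the integration's own code): apply the IsSuspicious
enrichment rule and build the Case Wall output message of the
"Execute Entity Processes Search" action from CB Cloud process search results."""
from typing import Dict, List, Optional

# Constructed sample: process search results keyed by the SOAR entity identifier.
SAMPLE_RESULTS: Dict[str, List[dict]] = {
    "desktop1-win10": [
        {"process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
         "alert_category": ["THREAT"],
         "alert_id": ["alert-id-placeholder"]},
    ],
    "server2-lin": [
        {"process_name": "/usr/bin/bash",
         "alert_category": ["OBSERVED"],   # observed, but never raised to a THREAT alert
         "alert_id": []},
    ],
    "laptop3-mac": [],                      # CB Cloud returned no process data at all
}


def _as_list(value) -> list:
    """CB Cloud returns several fields either as a list or as a scalar; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_suspicious(process: dict) -> bool:
    """IsSuspicious rule from the enrichment table: alert_category contains THREAT
    and the process carries a non-empty list of alert_ids."""
    categories = _as_list(process.get("alert_category"))
    alert_ids = _as_list(process.get("alert_id"))
    return "THREAT" in categories and len(alert_ids) > 0


def enrich_entities(results: Dict[str, List[dict]]) -> Dict[str, Optional[bool]]:
    """Return {entity: IsSuspicious}; None marks entities with no process data."""
    enrichment: Dict[str, Optional[bool]] = {}
    for entity, processes in results.items():
        if not processes:
            enrichment[entity] = None
            continue
        enrichment[entity] = any(is_suspicious(p) for p in processes)
    return enrichment


def output_message(results: Dict[str, List[dict]]) -> str:
    """Reproduce the non-failing Case Wall messages of the action."""
    found = [entity for entity, procs in results.items() if procs]
    missing = [entity for entity, procs in results.items() if not procs]
    if not found:
        return "Process information was not found for all of the provided entities."
    message = "Process information was found for the following entities: {0}".format(found)
    if missing:
        message += ("\nAction was not able to find process information for the following "
                    "provided entities: {0}".format(missing))
    return message


if __name__ == "__main__":
    print(enrich_entities(SAMPLE_RESULTS))
    print(output_message(SAMPLE_RESULTS))
```

The rule deliberately requires both conditions: a process that was merely observed (category OBSERVED, no alert ids) is not flagged, which keeps the enrichment aligned with what the analyst sees as an alert in CB Cloud.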
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least for one of the provided entities process data returned: "Process information was found for the following entities: {0}".format([entity.Identifier]).

If fail to find process info for all of the provided entities: "Process information was not found for all of the provided entities."

If fail to find process data in CB Cloud specific entities: "Action was not able to find process information for the following provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Execute Entity Processes Search". Reason: {0}".format(error.Stacktrace)

General
CSV Table

Table Name: entity.identifier VMware Carbon Black Cloud Process Search Results

Table columns:

  • alert_category
  • alert_id
  • device_external_ip
  • device_group_id
  • device_id
  • device_internal_ip
  • device_location
  • device_name
  • device_os
  • device_os_version
  • device_policy
  • event_threat_score
  • parent_effective_reputation
  • parent_guid
  • parent_hash
  • parent_name
  • parent_pid
  • parent_reputation
  • process_cmdline
  • process_effective_reputation
  • process_guid
  • process_hash
  • process_name
  • process_pid
  • process_reputation
  • process_sha256
  • process_start_time
  • process_username
  • watchlist_hit

Entity

List Reputation Overrides

Description

List reputation overrides configured in VMware Carbon Black Cloud. Note that this action does not run on Google Security Operations SOAR entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Reputation Override List DDL

Not Specified

Possible values:

  • Not Specified
  • White_List
  • Black_List
No Specify the override list the action should return.
Reputation Override Type DDL

Not Specified

Possible values:

  • Not specified
  • SHA256 CERT
  • IT_TOOL
No Specify the override type the action should return.
Start from Row Integer 0 No Specify from which row action should fetch data.
Max Rows to Return Integer 50 No Specify how many rows action should return.
Rows Sort Order DDL

ASC

Possible values:

  • ASC
  • DESC
Specify sort order for the returned rows. Rows are sorted based on "create_time" value.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result - for certificate
{
   "num_found": 2,
   "results": [
       {
           "id": "6b040826d43a11eb85899b2a3fb7559d",
           "created_by": "TPiedrahita@absolute.com",
           "create_time": "2021-06-23T15:48:13.355Z",
           "override_list": "WHITE_LIST",
           "override_type": "CERT",
           "description": "",
           "source": "APP",
           "source_ref": null,
           "signed_by": "Absolute Software Corp.",
           "certificate_authority": "Symantec Class 3 SHA256 Code Signing CA"
       }
   ]
}
JSON Result - for SHA-256
{
   "num_found": 25,
   "results": [
       {
           "id": "0a0d2bf89d4d11ebbef6695028ab76fe",
           "created_by": "I2TK7ET355",
           "create_time": "2021-04-14T18:12:57.161Z",
           "override_list": "WHITE_LIST",
           "override_type": "SHA256",
           "description": "Test Data",
           "source": "APP",
           "source_ref": null,
           "sha256_hash": "f6a55db64b3369e7e0ce9abe8046c89ff3714c15c3174f04c10390c17af16f0e",
           "filename": null
       }
   ]
}
JSON Result - for IT Tool
{
   "id": "067ebeeaf03311eb8bb20bf76c87cd52",
   "created_by": "HZ9PEI2E3L",
   "create_time": "2021-07-29T06:05:50.790Z",
   "override_list": "BLACK_LIST",
   "override_type": "IT_TOOL",
   "description": "An override for an IT_TOOL",
   "source": "APP",
   "source_ref": null,
   "path": "C:\\TMP\\TMP\\TMP\\foo.exe",
   "include_child_processes": false
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one row returned: "Reputation overrides found"

If the action ran successfully but no rows were returned (is_success=false): "No reputation overrides found"

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other is reported: "Error executing action "List Reputation Overrides". Reason: {0}".format(error.Stacktrace)

General
Table

SHA-256

Table Name: Found SHA-256 Reputation Overrides:

Table Columns:

  • SHA-256 Hash
  • Filename
  • ID
  • Override List
  • Description
  • Source
  • Source Reference
  • Create Time
  • Created By

CERT

Table Name: Found CERT Reputation Overrides:

Table Columns:

  • Certificate Authority
  • Signed By
  • ID
  • Override List
  • Description
  • Source
  • Source Reference
  • Create Time
  • Created By

IT_TOOL

Table Name: Found IT_TOOL Reputation Overrides:

Table Columns:

  • IT Tool Path
  • Include Child Processes
  • ID
  • Override List
  • Description
  • Source
  • Source Reference
  • Create Time
  • Created By
General

Create a Reputation Override for Certificate

Description

Create a Reputation Override for the certificate. Note that this action does not run on Google Security Operations SOAR entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Certificate Authority String N/A No Specify the Certificate Authority that authorizes the validity of the certificate to add to reputation override.
Signed By String N/A Yes Specify the name of the signer to add to reputation override.
Description String N/A No Specify a description for the created reputation override.
Reputation Override List DDL Not Specified Yes Specify override list to create.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
   "id": "fb19756cf03311eb81e9bf7658b8ce59",
   "created_by": "HZ9PEI2E3L",
   "create_time": "2021-07-29T06:12:41.168Z",
   "override_list": "WHITE_LIST",
   "override_type": "CERT",
   "description": "An override for a CERT",
   "source": "APP",
   "source_ref": null,
   "signed_by": "Test signer for override",
   "certificate_authority": "test cert ca"
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful (is_success=true): "Successfully created new reputation override: {0}".format(reputation override id).

If failed to create override (is_success=false), API returns an error: "Action failed to create a new certificate reputation override. Reason: <error_message>"

The action should fail and stop a playbook execution:

If the "Reputation Override List" parameter value is not changed from the default "Not Specified" value: "Error executing action because Reputation Override List is not specified."

If fatal error, SDK error, like wrong credentials, no connection to server, other is reported: "Error executing action "Create a Reputation Override for Certificate". Reason: {0}".format(error.Stacktrace)

General

Create a Reputation Override for SHA-256 Hash

Description

Create a Reputation Override for the provided hash in the SHA-256 format.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
SHA-256 Hash String N/A No Specify a SHA-256 hash value to create override for.
Filename String N/A Yes Specify a corresponding file name to add to reputation override.
Description String N/A No Specify a description for the created reputation override.
Reputation Override List DDL Not Specified Yes Specify override list to create.

Run On

This action runs on the FileHash entity if it's provided.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
   "id": "1ea6c923f03211eb83cf87b4dce84539",
   "created_by": "HZ9PEI2E3L",
   "create_time": "2021-07-29T05:59:21.821Z",
   "override_list": "BLACK_LIST",
   "override_type": "SHA256",
   "description": "An override for a sha256 hash",
   "source": "APP",
   "source_ref": null,
   "sha256_hash": "af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a",
   "filename": "foo.exe"
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful for one of the provided entities (is_success=true): "Successfully created reputation override for the following entities: {0}".format([entity.Identifier list]).

If failed to create override for one of the entities (is_success=false), API returns an error: "Action failed to create reputation override for the following entities: <entity list> + <corresponding api_error>"

If all of the provided entities failed (is_success=false): "No reputation overrides were created."

The action should fail and stop a playbook execution:

If incorrect hash format is provided (not SHA-256): "Error executing action because wrong hash format was provided. Action is working only with Sha-256 hashes."

If the "Reputation Override List" parameter value is not changed from the default "Not Specified" value: "Error executing action because Reputation Override List is not specified."

If fatal error, SDK error, like wrong credentials, no connection to server, other is reported: "Error executing action "Create a Reputation Override for SHA-256 Hash". Reason: {0}".format(error.Stacktrace)

General

Create a Reputation Override for IT Tool

Description

Create a Reputation Override for the specific IT Tool based on a file name and path.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
File Name String N/A No Specify a corresponding file name to add to reputation override.
File Path String N/A Yes Specify a file path where corresponding IT Tool is stored on disk to add to reputation override. Example format: "C\\TMP\\"
Include Child Processes Checkbox Unchecked No If enabled, include IT Tool's child processes on approved list.
Description String N/A No Specify a description for the created reputation override.
Reputation Override List DDL Not Specified Yes Specify override list to create.

Run On

This action runs on the File entity if it's provided.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
   "id": "067ebeeaf03311eb8bb20bf76c87cd52",
   "created_by": "HZ9PEI2E3L",
   "create_time": "2021-07-29T06:05:50.790Z",
   "override_list": "BLACK_LIST",
   "override_type": "IT_TOOL",
   "description": "An override for an IT_TOOL",
   "source": "APP",
   "source_ref": null,
   "path": "C:\\TMP\\TMP\\TMP\\foo.exe",
   "include_child_processes": false
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful for one of the provided entities (is_success=true): "Successfully created reputation override for the following entities: {0}".format([entity.Identifier list]).

If failed to create override for one of the entities (is_success=false), API returns an error: "Action failed to create reputation override for the following entities: <entity list> + <corresponding api_error>"

If all of the provided entities failed (is_success=false): "No reputation overrides were created."

The action should fail and stop a playbook execution:

If the "Reputation Override List" parameter value is not changed from the default "Not Specified" value: "Error executing action because Reputation Override List is not specified."

If fatal error, SDK error, like wrong credentials, no connection to server, other is reported: "Error executing action "Create a Reputation Override for IT Tool". Reason: {0}".format(error.Stacktrace)

General
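The three "Create a Reputation Override" actions above share the same failure conditions (the "Reputation Override List" left at "Not Specified", and for the hash action a value that is not SHA-256). The following added example, which is not the integration's own code, shows the validation and the request bodies in one place. The body field names are taken from the JSON results shown for these actions; that the CB Cloud API accepts exactly this body shape is an assumption.

```python
"""Added example (not the integration's own code): input validation and
request-body construction shared by the three "Create a Reputation Override"
actions (certificate, SHA-256 hash, IT tool)."""
import re
from typing import Callable, Optional

NOT_SPECIFIED = "Not Specified"            # DDL default that must be rejected
VALID_LISTS = ("WHITE_LIST", "BLACK_LIST")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


class ActionError(Exception):
    """Condition that must fail the action and stop the playbook."""


def _override_list(value: Optional[str]) -> str:
    """Reject the DDL default and normalise 'Black_List'-style input to the API form."""
    if not value or value == NOT_SPECIFIED:
        raise ActionError("Error executing action because Reputation Override List is not specified.")
    normalised = value.strip().upper()
    if normalised not in VALID_LISTS:
        raise ActionError("Unsupported Reputation Override List: {0}".format(value))
    return normalised


def build_sha256_override(file_hash: Optional[str], override_list: Optional[str],
                          filename: Optional[str] = None, description: str = "") -> dict:
    """Body for an override_type SHA256 entry; MD5/SHA-1 input is rejected up front."""
    if not SHA256_RE.match(file_hash or ""):
        raise ActionError("Error executing action because wrong hash format was provided. "
                          "Action is working only with Sha-256 hashes.")
    body = {"override_list": _override_list(override_list), "override_type": "SHA256",
            "sha256_hash": file_hash.lower(), "description": description}
    if filename:
        body["filename"] = filename
    return body


def build_cert_override(signed_by: Optional[str], override_list: Optional[str],
                        certificate_authority: Optional[str] = None, description: str = "") -> dict:
    """Body for an override_type CERT entry; Signed By is the mandatory parameter."""
    if not signed_by:
        raise ActionError("Signed By is mandatory for a certificate reputation override.")
    body = {"override_list": _override_list(override_list), "override_type": "CERT",
            "signed_by": signed_by, "description": description}
    if certificate_authority:
        body["certificate_authority"] = certificate_authority
    return body


def build_it_tool_override(path: Optional[str], override_list: Optional[str],
                           include_child_processes: bool = False, description: str = "") -> dict:
    """Body for an override_type IT_TOOL entry keyed on the on-disk path."""
    if not path:
        raise ActionError("File Path is mandatory for an IT Tool reputation override.")
    return {"override_list": _override_list(override_list), "override_type": "IT_TOOL",
            "path": path, "include_child_processes": bool(include_child_processes),
            "description": description}


def validation_error(builder: Callable[..., dict], *args, **kwargs) -> Optional[str]:
    """Return the ActionError message a builder raises for the given input, or None."""
    try:
        builder(*args, **kwargs)
    except ActionError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(build_sha256_override("a" * 64, "Black_List", filename="foo.exe"))
    print(validation_error(build_cert_override, "Test signer for override", NOT_SPECIFIED))
```

Validating the hash length and alphabet before any API call is what makes the "wrong hash format" failure a fast, local error rather than an API round trip; note that a SHA-256 override does not stop a renamed copy of the file with a different hash, which is what the CERT and IT_TOOL override types exist for.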

Delete a Reputation Override

Description

Delete a Reputation Override based on the provided reputation override ID. Note that this action does not run on Google Security Operations SOAR entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Reputation Override ID String N/A Yes Specify a Reputation Override ID to delete.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful (is_success=true): "Successfully deleted reputation override {0}".format(reputation override).

If failed to delete override (is_success=false), API returns an error: "Action failed to delete reputation override <reputation_override id>. Reason: <error_message>"

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other is reported: "Error executing action "Delete a Reputation Override". Reason: {0}".format(error.Stacktrace)

General

List Host Vulnerabilities

Description

List vulnerabilities found on the host in Carbon Black Cloud.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Severity Filter CSV N/A No

Specify the comma-separated list of severities for vulnerabilities.

If nothing is provided, the action ingests all related vulnerabilities.

Possible values: Critical, Important, Moderate, Low.

Max Vulnerabilities To Return Integer 100 No

Specify the number of vulnerabilities to return per host.

If nothing is provided, the action processes all of the related vulnerabilities.

Run on

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "statistics": {
        "total": 123,
        "severity": {
            "critical": 1,
            "high": 1,
            "moderate": 1,
            "low": 1
        }
    },
    "details": [
        {
            "os_product_id": "161_0",
            "category": "OS",
            "os_info": {
                "os_type": "WINDOWS",
                "os_name": "Microsoft Windows 10 Enterprise",
                "os_version": "10.0.10240",
                "os_arch": "64-bit"
            },
            "product_info": {
                "vendor": null,
                "product": null,
                "version": null,
                "release": null,
                "arch": null
            },
            "vuln_info": {
                "cve_id": "CVE-2015-2534",
                "cve_description": "Hyper-V in Microsoft Windows 8.1, Windows Server 2012 R2, and Windows 10 improperly processes ACL settings, which allows local users to bypass intended network-traffic restrictions via a crafted application, aka \"Hyper-V Security Feature Bypass Vulnerability.\"",
                "risk_meter_score": 0.9,
                "severity": "LOW",
                "fixed_by": "KB3091287",
                "solution": null,
                "created_at": "2015-09-09T00:59:00Z",
                "nvd_link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2534",
                "cvss_access_complexity": null,
                "cvss_access_vector": null,
                "cvss_authentication": null,
                "cvss_availability_impact": null,
                "cvss_confidentiality_impact": null,
                "cvss_integrity_impact": null,
                "easily_exploitable": null,
                "malware_exploitable": null,
                "active_internet_breach": null,
                "cvss_exploit_subscore": null,
                "cvss_impact_subscore": null,
                "cvss_vector": null,
                "cvss_v3_exploit_subscore": null,
                "cvss_v3_impact_subscore": null,
                "cvss_v3_vector": null,
                "cvss_score": null,
                "cvss_v3_score": null
            },
            "device_count": 1,
            "affected_assets": null
        },
        {
            "os_product_id": "161_0",
            "category": "OS",
            "os_info": {
                "os_type": "WINDOWS",
                "os_name": "Microsoft Windows 10 Enterprise",
                "os_version": "10.0.10240",
                "os_arch": "64-bit"
            },
            "product_info": {
                "vendor": null,
                "product": null,
                "version": null,
                "release": null,
                "arch": null
            },
            "vuln_info": {
                "cve_id": "CVE-2017-8554",
                "cve_description": "The kernel in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an authenticated attacker to obtain memory contents via a specially crafted application.",
                "risk_meter_score": 0.9,
                "severity": "LOW",
                "fixed_by": "KB5016639",
                "solution": null,
                "created_at": "2017-06-29T13:29:00Z",
                "nvd_link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8554",
                "cvss_access_complexity": null,
                "cvss_access_vector": null,
                "cvss_authentication": null,
                "cvss_availability_impact": null,
                "cvss_confidentiality_impact": null,
                "cvss_integrity_impact": null,
                "easily_exploitable": null,
                "malware_exploitable": null,
                "active_internet_breach": null,
                "cvss_exploit_subscore": null,
                "cvss_impact_subscore": null,
                "cvss_vector": null,
                "cvss_v3_exploit_subscore": null,
                "cvss_v3_impact_subscore": null,
                "cvss_v3_vector": null,
                "cvss_score": null,
                "cvss_v3_score": null
            },
            "device_count": 1,
            "affected_assets": null
        }
    ]
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful for one host (is_success=true):

"Successfully retrieved vulnerabilities for the following hosts: {entities}".

If no vulnerabilities are found for one host (is_success=true): "No vulnerabilities were found for the following hosts: {entities}".

If no vulnerabilities are found for all hosts (is_success=false): "No vulnerabilities were found."

The action should fail and stop a playbook execution:

If not successful: "Error executing action "{}". Reason: {0}".format(exception.stacktrace)

If an invalid value is provided for the "Severity Filter" parameter: "Error executing action "{}". Reason: Invalid value provided in the "Severity Filter" parameter. Possible values: Critical, High, Medium, Low, Unknown.".format(exception.stacktrace)

General
Case Wall

Columns:

  • Name - vuln_info/cve_id
  • Risk Meter - risk_meter_score/score
  • Severity - vuln_info/severity
  • Description - vuln_info/cve_description
Entity

Connectors

Connectors overview

  1. Alert Connector is the first connector created for the integration. It uses the same CB alert data for both the Google Security Operations SOAR alert and event, so CB event data is missing entirely. This is a major disadvantage of this connector and the reason it is marked as deprecated, with the recommendation to use the Baseline or Tracking connector instead.
  2. Baseline Connector fetches both alerts and events from CB. Alerts in CB can "evolve" over time (new events can be added to an alert), but this connector does not monitor CB alerts for newly added events. It gets the alerts that reach a specific "baseline" (the THREAT CB category by default, configured with the Google Security Operations SOAR connector whitelist), ingests them, and does not track later updates of those CB alerts with new events.
  3. Tracking Connector is similar to the Baseline connector in that it gets both alerts and events from CB, but it also monitors whether new events are added to already ingested alerts. It works similarly to the QRadar connectors: it fetches alerts, and if a new event was added to a CB alert, it creates a new Google Security Operations SOAR alert containing the new events that were added to the CB alert.
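The difference between the Baseline and Tracking connectors described above, as an added example that is not the connectors' own code. The two fetch snapshots are constructed: each is what a fetch would return at that moment, with the events attached to each CB alert at that time, and the whitelist is the connector's category baseline (THREAT by default).

```python
"""Added example (not the connectors' own code): baseline selection, and how a
Baseline connector and a Tracking connector behave when a CB alert gains
events after it was first ingested. All alert data is constructed."""
from typing import Dict, Iterable, List, Set

# Constructed snapshots of the same CB alerts across two connector runs.
FETCH_1 = [
    {"id": "alert-1", "category": "THREAT", "events": ["ev-1", "ev-2"]},
    {"id": "alert-2", "category": "MONITORED", "events": ["ev-3"]},
]
FETCH_2 = [
    {"id": "alert-1", "category": "THREAT", "events": ["ev-1", "ev-2", "ev-4"]},  # gained ev-4
    {"id": "alert-2", "category": "THREAT", "events": ["ev-3", "ev-5"]},          # reached baseline
    {"id": "alert-3", "category": "THREAT", "events": ["ev-6"]},                  # brand new
]


def baseline_alerts(alerts: Iterable[dict], whitelist=("THREAT",)) -> List[dict]:
    """Only alerts whose CB category is in the connector whitelist have reached the baseline."""
    return [alert for alert in alerts if alert["category"] in whitelist]


def baseline_run(ingested: Set[str], alerts: Iterable[dict], whitelist=("THREAT",),
                 event_limit: int = 25) -> List[dict]:
    """Baseline connector: ingest a CB alert once, with the events attached at that
    moment; events added to the same CB alert later are never picked up."""
    created = []
    for alert in baseline_alerts(alerts, whitelist):
        if alert["id"] in ingested:
            continue
        ingested.add(alert["id"])
        created.append({"cb_alert_id": alert["id"], "events": alert["events"][:event_limit]})
    return created


def tracking_run(seen_events: Dict[str, Set[str]], alerts: Iterable[dict],
                 whitelist=("THREAT",), event_limit: int = 25) -> List[dict]:
    """Tracking connector: same baseline rule, but a CB alert that gained events since
    the last run produces a new SOAR alert carrying only the not-yet-ingested events.
    Events beyond event_limit stay unseen and are picked up on a later run."""
    created = []
    for alert in baseline_alerts(alerts, whitelist):
        known = seen_events.setdefault(alert["id"], set())
        new_events = [event for event in alert["events"] if event not in known][:event_limit]
        if not new_events:
            continue
        known.update(new_events)
        created.append({"cb_alert_id": alert["id"], "events": new_events})
    return created


if __name__ == "__main__":
    ingested: Set[str] = set()
    print("baseline run 1:", baseline_run(ingested, FETCH_1))
    print("baseline run 2:", baseline_run(ingested, FETCH_2))
    seen: Dict[str, Set[str]] = {}
    print("tracking run 1:", tracking_run(seen, FETCH_1))
    print("tracking run 2:", tracking_run(seen, FETCH_2))
```

The state each connector has to persist between runs is the operational difference: the Baseline connector only needs the set of ingested CB alert ids, while the Tracking connector must remember every event id it has already ingested per CB alert, otherwise a re-fetched alert would be re-ingested in full.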

Configure VMware Carbon Black Cloud connectors in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

To configure the selected connector use the connector-specific parameters listed in the following tables:

VMware Carbon Black Cloud Alerts Connector

Description

The Connector periodically connects to the VMware Carbon Black Cloud API endpoint and pulls the list of alerts generated for a specific time period. If new alerts are present, the Connector creates Google Security Operations SOAR alerts based on the Carbon Black Cloud alerts and saves the Connector timestamp as the time of the last successfully ingested alert. In the next Connector execution, the Connector queries the Carbon Black API only for alerts created from that timestamp onwards. If no new alerts are found, the current execution finishes.

The Connector checks for overflow in the alerts and should not create Google Security Operations SOAR alerts from duplicate alerts that came from Carbon Black Cloud; those alerts should be marked as overflow.

Test Mode: The Connector has a test mode for debugging/troubleshooting purposes. In test mode the Connector should:

  • not update the last run timestamp.
  • fetch alerts for the number of hours specified in the connector parameters.
  • return a single alert for ingestion.
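One execution cycle of the Alerts Connector as described above (timestamp-based query window, "Offset time in hours" on the first run, "Minimum Severity to Fetch", "Max Alerts Per Cycle", overflow marking of duplicates, and the three test-mode rules), as an added example that is not the connector's own code. The in-memory alert list stands in for the API call; the alert field names are those of the CB Cloud alert JSON, the values are constructed.

```python
"""Added example (not the connector's own code): one run of the Alerts
Connector over a constructed alert feed, with the state a real connector
would persist between runs held in a plain dict."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed alerts; the same CB alert delivered twice models the overflow case.
SAMPLE_ALERTS = [
    {"id": "alert-a", "create_time": "2022-03-22T18:12:48.593Z", "severity": 5, "category": "THREAT", "type": "CB_ANALYTICS"},
    {"id": "alert-b", "create_time": "2022-03-22T18:20:00.000Z", "severity": 2, "category": "MONITORED", "type": "CB_ANALYTICS"},
    {"id": "alert-a", "create_time": "2022-03-22T18:12:48.593Z", "severity": 5, "category": "THREAT", "type": "CB_ANALYTICS"},
    {"id": "alert-c", "create_time": "2022-03-22T18:30:00.000Z", "severity": 7, "category": "THREAT", "type": "WATCHLIST"},
    {"id": "alert-d", "create_time": "2022-03-22T18:40:00.000Z", "severity": 8, "category": "THREAT", "type": "CB_ANALYTICS"},
]


def parse_ts(value: str) -> datetime:
    """CB Cloud timestamps are ISO-8601 UTC with milliseconds and a Z suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


NOW = parse_ts("2022-03-23T00:00:00.000Z")   # fixed "current time" for the example


def query_start(last_timestamp: Optional[datetime], offset_hours: int, now: datetime) -> datetime:
    """Continue from the saved timestamp; on the very first run look back offset_hours."""
    return last_timestamp if last_timestamp is not None else now - timedelta(hours=offset_hours)


def fetch_alerts(source: List[dict], start: datetime) -> List[dict]:
    """Stand-in for the API query: alerts created after start, oldest first."""
    return sorted((a for a in source if parse_ts(a["create_time"]) > start), key=lambda a: a["create_time"])


def run_cycle(state: dict, source: List[dict], now: datetime = NOW, offset_hours: int = 24,
              max_alerts: int = 10, min_severity: Optional[int] = None, test_mode: bool = False,
              name_field: str = "category", rule_field: str = "type") -> Tuple[List[dict], List[str]]:
    """Return (SOAR alerts to create, CB alert ids marked as overflow) and update state."""
    candidates = fetch_alerts(source, query_start(state.get("last_timestamp"), offset_hours, now))
    if min_severity is not None:
        candidates = [a for a in candidates if a["severity"] >= min_severity]
    # Test mode returns a single alert; a normal run is capped by Max Alerts Per Cycle.
    candidates = candidates[:1] if test_mode else candidates[:max_alerts]

    seen: set = state.setdefault("ingested_ids", set())
    created, overflow = [], []
    newest: Optional[datetime] = None
    for alert in candidates:
        if alert["id"] in seen:            # same CB alert delivered again: overflow, not a new case
            overflow.append(alert["id"])
            continue
        created.append({"name": alert[name_field], "rule_generator": alert[rule_field],
                        "source_id": alert["id"]})
        ts = parse_ts(alert["create_time"])
        newest = ts if newest is None or ts > newest else newest
        if not test_mode:                  # test mode leaves persisted state untouched
            seen.add(alert["id"])
    if created and not test_mode:
        state["last_timestamp"] = newest   # time of the last successfully ingested alert
    return created, overflow


if __name__ == "__main__":
    state: dict = {}
    print(run_cycle(state, SAMPLE_ALERTS, min_severity=4))
    print(run_cycle(state, SAMPLE_ALERTS, min_severity=4))   # nothing new after the saved timestamp
```

Keeping the set of ingested ids alongside the timestamp is what turns a repeated delivery of the same CB alert into an overflow rather than a second case; the timestamp alone cannot distinguish a duplicate from a new alert with the same create_time.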

Encrypted Communications: The Connector supports encrypted communications (SSL/TLS).

Proxy support: The Connector supports connection to the API endpoints using proxy for HTTPS traffic.

Unicode support: The Connector supports Unicode encoding for the alerts processed.

Use cases

Get alerts from VMware Carbon Black Cloud as Google Security Operations SOAR alerts for analysis in Google Security Operations SOAR platform.

API permissions

The Carbon Black Connector uses the same API credentials as the integration, see the Product Permission section.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Environment DDL N/A Yes

Select the required environment. For example, "Customer One".

If the alert's Environment field is empty, the alert is injected into this environment.

Run Every Integer 0:0:0:10 No Select the time to run the connection.
Product Field Name String ProductName Yes Describes the name of the field where the product name is stored.
Event Field Name String AlertName Yes Describes the name of the field where the event name is stored.
Event Class ID String AlertName No The field name used to determine the event name (sub-type)
Python Process Timeout String 180 Yes The timeout limit (in seconds) for the python process running current script.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is "".

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic

If the regex pattern is null or empty, or the environment value is null, the final environment result is "".

API Root String N/A Yes Vmware Carbon Black Cloud API Root URL.
Organization Key String N/A Yes Vmware Carbon Black Cloud Organization Key.
API ID String N/A Yes Vmware Carbon Black Cloud API ID (Custom API Key ID).
API Secret Key String N/A Yes Vmware Carbon Black Cloud API Secret Key (Custom API Secret Key).
Offset time in hours Integer 24 Yes Fetch alerts from X hours backwards.
Max Alerts Per Cycle Integer 10 Yes How many alerts should be processed during one connector run.
Minimum Severity to Fetch Integer N/A No Minimum severity of Carbon Black Cloud alert to be ingested to Google Security Operations SOAR.
What Alert Field to use for Name field String category Yes What Carbon Black Cloud alert field should be used for the Google Security Operations SOAR Alert Name field. Possible values are: type, category, policy_name.
What Alert Field to use for Rule Generator String type Yes What Carbon Black Cloud alert field should be used for the Google Security Operations SOAR Alert Rule Generator field. Possible values are: type, category, policy_name.
Proxy Server Address IP_OR_HOST N/A No Proxy server to use for connection.
Proxy Server Username String N/A No Proxy server username.
Proxy Server Password Password N/A No Proxy server password.

Connector rules

Proxy support

The connector supports proxy.

Whitelist/Blacklist

The connector doesn't support Whitelist / Blacklist.

VMware Carbon Black Cloud Alerts and Events Baseline Connector

Description

Google Security Operations SOAR VMware Carbon Black Cloud Baseline Connector should be used to fetch Carbon Black Cloud Alerts and related Events for Alerts that have reached a specific baseline. To define the baseline, the target CB Cloud alert categories should be added to the connector whitelist section. By default the connector ingests a CB Cloud Alert once it has the "Threat" category value assigned.

Alert Name and Rule Generator Google Security Operations SOAR fields customization

The connector provides an option to customize Google Security Operations SOAR Alert Name and Rule Generator field values through templates. For more information, see the related connector's parameter description. For templates, the connector gets data from the Carbon Black Cloud Alerts data returned from the API.

Here is an example of the Carbon Black Cloud Alert data that is returned from the API. It references the fields available in the alert and can be used for templates:

{
            "id": "aa751d91-6623-1a6b-8b4a-************",
            "legacy_alert_id": "aa751d91-6623-1a6b-8b4a-************",
            "org_key": "7DE****",
            "create_time": "2022-03-22T18:12:48.593Z",
            "last_update_time": "2022-03-22T18:13:12.504Z",
            "first_event_time": "2022-03-22T15:16:01.015Z",
            "last_event_time": "2022-03-22T15:45:25.316Z",
            "threat_id": "31c53f050ca571be0af1b29f2d06****",
            "severity": 5,
            "category": "THREAT",
            "device_id": 131****,
            "device_os": "WINDOWS",
            "device_os_version": "Windows 10 x64",
            "device_name": "**********",
            "device_username": "Administrator",
            "policy_name": "default",
            "target_value": "MEDIUM",
            "workflow": {
                "state": "OPEN",
                "remediation": null,
                "last_update_time": "2022-03-22T18:12:48.593Z",
                "comment": null,
                "changed_by": "Carbon Black"
            },
            "notes_present": false,
            "tags": null,
            "policy_id": 6525,
            "reason": "The application windowsazureguestagent.exe invoked another application (arp.exe).",
            "reason_code": "T_RUN_ANY",
            "process_name": "waappagent.exe",
            "device_location": "OFFSITE",
            "created_by_event_id": "a44e00b5aa0b11ec9973f78f4c******",
            "threat_indicators": [
                {
                    "process_name": "waappagent.exe",
                    "sha256": "a5664303e573266e0f9e5fb443609a7eb272f64680c38d78bce110384b37faca",
                    "ttps": [
                        "ATTEMPTED_CLIENT",
                        "COMPANY_BLACKLIST",
                        "MITRE_T1082_SYS_INF_DISCOVERY",
                        "MITRE_T1106_NATIVE_API",
                        "MITRE_T1571_NON_STD_PORT",
                        "NON_STANDARD_PORT",
                        "RUN_ANOTHER_APP",
                        "RUN_SYSTEM_APP"
                    ]
                },
                {
                    "process_name": "services.exe",
                    "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
                    "ttps": [
                        "RUN_BLACKLIST_APP"
                    ]
                },
                {
                    "process_name": "svchost.exe",
                    "sha256": "f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881",
                    "ttps": [
                        "COMPANY_BLACKLIST",
                        "MODIFY_MEMORY_PROTECTION",
                        "RUN_ANOTHER_APP",
                        "RUN_SYSTEM_APP"
                    ]
                },
                {
                    "process_name": "windowsazureguestagent.exe",
                    "sha256": "9a9f62a1c153bdb7bbe8301c6d4f1abfad6035cfe7b6c1366e3e0925de6387c3",
                    "ttps": [
                        "ATTEMPTED_CLIENT",
                        "COMPANY_BLACKLIST",
                        "MITRE_T1082_SYS_INF_DISCOVERY",
                        "MITRE_T1106_NATIVE_API",
                        "MITRE_T1571_NON_STD_PORT",
                        "NON_STANDARD_PORT",
                        "RUN_ANOTHER_APP",
                        "RUN_SYSTEM_APP"
                    ]
                }
            ],
            "threat_activity_dlp": "NOT_ATTEMPTED",
            "threat_activity_phish": "NOT_ATTEMPTED",
            "threat_activity_c2": "NOT_ATTEMPTED",
            "threat_cause_actor_sha256": "9a9f62a1c153bdb7bbe8301c6d4f1abfad6035cfe7b6c1366e3e0925de6387c3",
            "threat_cause_actor_name": "windowsazureguestagent.exe",
            "threat_cause_actor_process_pid": "3504-132914439190103761-0",
            "threat_cause_process_guid": "7DESJ9GN-004fd50b-00000db0-00000000-1d834fa6d7246d1",
            "threat_cause_parent_guid": null,
            "threat_cause_reputation": "TRUSTED_WHITE_LIST",
            "threat_cause_threat_category": null,
            "threat_cause_vector": "UNKNOWN",
            "threat_cause_cause_event_id": "a74fa7a3aa0b11ec9b401dea771569d9",
            "blocked_threat_category": "UNKNOWN",
            "not_blocked_threat_category": "NON_MALWARE",
            "kill_chain_status": [
                "INSTALL_RUN"
            ],
            "sensor_action": null,
            "run_state": "RAN",
            "policy_applied": "NOT_APPLIED",
            "type": "CB_ANALYTICS",
            "alert_classification": null
        }
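How a template over the alert fields above can be rendered into the Alert Name and Rule Generator values, as an added example that is not the connector's own code. The placeholder syntax used here, {field} with {outer.inner} for nested keys such as workflow.state, is an assumption made for this example, not the connector's documented template syntax; the alert is a constructed subset of the JSON above with ids and host name replaced by placeholders.

```python
"""Added example (not the connector's own code): render Alert Name and Rule
Generator from a CB Cloud alert with a small placeholder template. The
{field} / {outer.inner} syntax is an assumption for this example."""
import re
from typing import Any, Optional

PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.]+)\}")

# Constructed subset of the alert JSON shown above.
SAMPLE_ALERT = {
    "id": "alert-id-placeholder",
    "severity": 5,
    "category": "THREAT",
    "device_name": "host-placeholder",
    "device_username": "Administrator",
    "policy_name": "default",
    "reason_code": "T_RUN_ANY",
    "threat_cause_actor_name": "windowsazureguestagent.exe",
    "threat_cause_reputation": "TRUSTED_WHITE_LIST",
    "workflow": {"state": "OPEN", "remediation": None, "changed_by": "Carbon Black"},
    "type": "CB_ANALYTICS",
}


def lookup(alert: dict, path: str) -> Optional[Any]:
    """Resolve a dotted path such as workflow.state; None when any segment is missing."""
    current: Any = alert
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def render(template: str, alert: dict, missing: str = "N/A") -> str:
    """Replace every {placeholder} with the alert value; null or absent fields render as `missing`
    so a template never raises on an alert that lacks a field."""
    def substitute(match: "re.Match") -> str:
        value = lookup(alert, match.group(1))
        return missing if value is None else str(value)
    return PLACEHOLDER.sub(substitute, template)


def alert_name(alert: dict, template: str = "{category}: {reason_code} on {device_name}") -> str:
    """Alert Name field: a readable one-liner built from alert fields."""
    return render(template, alert)


def rule_generator(alert: dict, template: str = "{type} / {policy_name} / {workflow.state}") -> str:
    """Rule Generator field: a stable grouping key so similar alerts land in one case."""
    return render(template, alert)


if __name__ == "__main__":
    print(alert_name(SAMPLE_ALERT))
    print(rule_generator(SAMPLE_ALERT))
```

Choose fields for the Rule Generator that are stable across alerts of the same kind (type, category, policy_name, reason_code) rather than per-alert values such as id or device_name, since the Rule Generator is what the SOAR platform uses to group alerts into cases.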

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String ProductName Yes Describes the name of the field where the product name is stored.
Event Field Name String AlertName Yes Describes the name of the field where the event name is stored.
Environment Field Name String "" No Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is "".
Environment Regex Pattern String .* No A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is "".
API Root String https://defense.conferdeploy.net Yes VMware Carbon Black Cloud API root URL.
Organization Key String N/A Yes VMware Carbon Black Cloud Organization Key, for example: 7DDDD9DD.
API ID String N/A Yes VMware Carbon Black Cloud API ID (Custom API Key ID).
API Secret Key String N/A Yes VMware Carbon Black Cloud API Secret Key (Custom API Secret Key).
Offset time in hours Integer 24 Yes Fetch alerts from X hours backwards.
Max Alerts Per Cycle Integer 10 Yes How many alerts should be processed during one connector run.
Minimum Severity to Fetch Integer N/A No Minimum severity a Carbon Black Cloud alert must have to be ingested into Google Security Operations SOAR, for example, 4 or 7.
What Alert Field to use for Name field String category Yes Which Carbon Black Cloud alert field to use for the Google Security Operations SOAR Alert Name field. Possible values are: type, category, policy_name.
What Alert Field to use for Rule Generator String type Yes Which Carbon Black Cloud alert field to use for the Google Security Operations SOAR Alert Rule Generator field. Possible values are: type, category, policy_name.
Alert Reputation to Ingest String NOT_LISTED, SUSPECT_MALWARE, UNKNOWN, ADAPTIVE_WHITE_LIST Yes Which reputations a Carbon Black Cloud alert may have to be ingested. The parameter accepts multiple values as a comma separated string.
Event Limit to Ingest per Alert Integer 25 Yes Specify how many events can be ingested per single CB Cloud alert.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, the whitelist will be used as a blacklist.
Proxy Server Address IP_OR_HOST N/A No Proxy server to use for connection.
Proxy Server Username String N/A No Proxy server username.
Proxy Server Password Password N/A No Proxy server password.
Alert Name Template String N/A No If specified, the connector builds the Siemplify Alert Name from this template, filling it with values from the Carbon Black Cloud alert data returned by the API. You can provide placeholders in the following format: [name of the field]. Example: CBCLOUD Alert - [reason]. Note: The maximum length for the field is 256 characters. If nothing is provided or the user provides an invalid template, the connector uses the default alert name.
Rule Generator Template String N/A No If specified, the connector builds the Siemplify Rule Generator from this template, filling it with values from the Carbon Black Cloud alert data returned by the API. You can provide placeholders in the following format: [name of the field]. Example: CBCLOUD - [reason]. Note: The maximum length for the field is 256 characters. If nothing is provided or the user provides an invalid template, the connector uses the default rule generator value.

Connector rules

Proxy support

The connector supports proxy servers.

VMware Carbon Black Cloud Alerts and Events Tracking Connector

Description

The Google Security Operations SOAR VMware Carbon Black Cloud Tracking Connector fetches Carbon Black Cloud alerts and their related events, and additionally fetches new Carbon Black Cloud events that are added to alerts it has already processed. If new events are found for an already processed Carbon Black Cloud alert, the connector creates an additional Google Security Operations SOAR alert for them.
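The tracking behaviour just described can be modelled offline. The following Python is an added example, not the integration's own code: it runs three connector cycles over constructed alerts and events and shows when an additional Google Security Operations SOAR alert is created and when the per-iteration and total event limits stop ingestion. The names TrackingState, run_iteration and events_by_alert are assumptions made for this example; the two limits correspond to the connector's "Event Limit to Ingest per Alert" and "Total Limit of Events per Alert" parameters from its parameter table.

```python
"""Added example, not the integration's own code: the alert and event tracking
behaviour described above, modelled offline on constructed data. TrackingState,
run_iteration and events_by_alert are names assumed for this example; the
per-iteration and total event limits correspond to the connector's
'Event Limit to Ingest per Alert' and 'Total Limit of Events per Alert' parameters."""
from dataclasses import dataclass, field


@dataclass
class TrackingState:
    """What the connector must remember between runs: per Carbon Black Cloud
    alert id, the ids of events already ingested into Google SecOps SOAR."""
    seen: dict = field(default_factory=dict)


def run_iteration(alerts, events_by_alert, state, per_iteration_limit, total_limit=None):
    """One connector cycle over the alerts fetched this run.

    events_by_alert stands in for the events API: alert id -> events currently
    known for that alert. total_limit=None means the parameter was left blank
    (no total cap). Returns the SOAR alerts created this cycle as
    (alert id, ingested event ids) pairs."""
    created = []
    for alert in alerts:
        alert_id = alert["id"]
        already = state.seen.setdefault(alert_id, set())
        if total_limit is not None and len(already) >= total_limit:
            continue  # total limit reached: no new events are fetched for this alert
        new_events = [e for e in events_by_alert.get(alert_id, [])
                      if e["event_id"] not in already]
        if not new_events:
            continue  # already processed and nothing new: no additional SOAR alert
        budget = per_iteration_limit
        if total_limit is not None:
            budget = min(budget, total_limit - len(already))
        batch = new_events[:budget]
        already.update(e["event_id"] for e in batch)
        created.append((alert_id, [e["event_id"] for e in batch]))
    return created


def demo():
    """Constructed walk-through: three cycles, two alerts, per-iteration limit 2,
    total limit 4. Returns the list of SOAR alerts created in each cycle."""
    state = TrackingState()
    alerts = [{"id": "alert-A"}, {"id": "alert-B"}]
    events = {  # constructed sample event ids
        "alert-A": [{"event_id": f"a{i}"} for i in range(1, 6)],
        "alert-B": [{"event_id": f"b{i}"} for i in range(1, 4)],
    }
    return [run_iteration(alerts, events, state, per_iteration_limit=2, total_limit=4)
            for _ in range(3)]


if __name__ == "__main__":
    for n, cycle in enumerate(demo(), 1):
        print(f"cycle {n}: {cycle}")
```

In the walk-through, alert-A reaches the total limit of 4 after two cycles and is then skipped even though a fifth event exists, while alert-B is skipped in the third cycle simply because nothing new arrived. Whatever state store the real connector uses, it must persist the set of already ingested event ids per alert, otherwise every run would re-create SOAR alerts for the same events.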

Alert Name and Rule Generator Google Security Operations SOAR Fields Customization

The connector provides an option to customize the Google Security Operations SOAR Alert Name and Rule Generator field values through templates. For more information, see the description of the related connector parameters. Template placeholders are filled from the Carbon Black Cloud alert data returned by the API.

Here is an example of the Carbon Black Cloud alert data returned by the API. It shows the fields available in an alert, any of which can be used in templates:

        {
            "id": "aa751d91-6623-1a6b-8b4a-************",
            "legacy_alert_id": "aa751d91-6623-1a6b-8b4a-************",
            "org_key": "7DE****",
            "create_time": "2022-03-22T18:12:48.593Z",
            "last_update_time": "2022-03-22T18:13:12.504Z",
            "first_event_time": "2022-03-22T15:16:01.015Z",
            "last_event_time": "2022-03-22T15:45:25.316Z",
            "threat_id": "31c53f050ca571be0af1b29f2d06****",
            "severity": 5,
            "category": "THREAT",
            "device_id": 131****,
            "device_os": "WINDOWS",
            "device_os_version": "Windows 10 x64",
            "device_name": "**********",
            "device_username": "Administrator",
            "policy_name": "default",
            "target_value": "MEDIUM",
            "workflow": {
                "state": "OPEN",
                "remediation": null,
                "last_update_time": "2022-03-22T18:12:48.593Z",
                "comment": null,
                "changed_by": "Carbon Black"
            },
            "notes_present": false,
            "tags": null,
            "policy_id": 6525,
            "reason": "The application windowsazureguestagent.exe invoked another application (arp.exe).",
            "reason_code": "T_RUN_ANY",
            "process_name": "waappagent.exe",
            "device_location": "OFFSITE",
            "created_by_event_id": "a44e00b5aa0b11ec9973f78f4c******",
            "threat_indicators": [
                {
                    "process_name": "waappagent.exe",
                    "sha256": "a5664303e573266e0f9e5fb443609a7eb272f64680c38d78bce110384b37faca",
                    "ttps": [
                        "ATTEMPTED_CLIENT",
                        "COMPANY_BLACKLIST",
                        "MITRE_T1082_SYS_INF_DISCOVERY",
                        "MITRE_T1106_NATIVE_API",
                        "MITRE_T1571_NON_STD_PORT",
                        "NON_STANDARD_PORT",
                        "RUN_ANOTHER_APP",
                        "RUN_SYSTEM_APP"
                    ]
                },
                {
                    "process_name": "services.exe",
                    "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
                    "ttps": [
                        "RUN_BLACKLIST_APP"
                    ]
                },
                {
                    "process_name": "svchost.exe",
                    "sha256": "f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881",
                    "ttps": [
                        "COMPANY_BLACKLIST",
                        "MODIFY_MEMORY_PROTECTION",
                        "RUN_ANOTHER_APP",
                        "RUN_SYSTEM_APP"
                    ]
                },
                {
                    "process_name": "windowsazureguestagent.exe",
                    "sha256": "9a9f62a1c153bdb7bbe8301c6d4f1abfad6035cfe7b6c1366e3e0925de6387c3",
                    "ttps": [
                        "ATTEMPTED_CLIENT",
                        "COMPANY_BLACKLIST",
                        "MITRE_T1082_SYS_INF_DISCOVERY",
                        "MITRE_T1106_NATIVE_API",
                        "MITRE_T1571_NON_STD_PORT",
                        "NON_STANDARD_PORT",
                        "RUN_ANOTHER_APP",
                        "RUN_SYSTEM_APP"
                    ]
                }
            ],
            "threat_activity_dlp": "NOT_ATTEMPTED",
            "threat_activity_phish": "NOT_ATTEMPTED",
            "threat_activity_c2": "NOT_ATTEMPTED",
            "threat_cause_actor_sha256": "9a9f62a1c153bdb7bbe8301c6d4f1abfad6035cfe7b6c1366e3e0925de6387c3",
            "threat_cause_actor_name": "windowsazureguestagent.exe",
            "threat_cause_actor_process_pid": "3504-132914439190103761-0",
            "threat_cause_process_guid": "7DESJ9GN-004fd50b-00000db0-00000000-1d834fa6d7246d1",
            "threat_cause_parent_guid": null,
            "threat_cause_reputation": "TRUSTED_WHITE_LIST",
            "threat_cause_threat_category": null,
            "threat_cause_vector": "UNKNOWN",
            "threat_cause_cause_event_id": "a74fa7a3aa0b11ec9b401dea771569d9",
            "blocked_threat_category": "UNKNOWN",
            "not_blocked_threat_category": "NON_MALWARE",
            "kill_chain_status": [
                "INSTALL_RUN"
            ],
            "sensor_action": null,
            "run_state": "RAN",
            "policy_applied": "NOT_APPLIED",
            "type": "CB_ANALYTICS",
            "alert_classification": null
        }

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String ProductName Yes Describes the name of the field where the product name is stored.
Event Field Name String AlertName Yes Describes the name of the field where the event name is stored.
Environment Field Name String "" No Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is "".
Environment Regex Pattern String .* No A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is "".
API Root String https://defense.conferdeploy.net Yes VMware Carbon Black Cloud API root URL.
Organization Key String N/A Yes VMware Carbon Black Cloud Organization Key, for example: 7DDDD9DD.
API ID String N/A Yes VMware Carbon Black Cloud API ID (Custom API Key ID).
API Secret Key String N/A Yes VMware Carbon Black Cloud API Secret Key (Custom API Secret Key).
Offset time in hours Integer 24 Yes Fetch alerts from X hours backwards.
Max Alerts Per Cycle Integer 10 Yes How many alerts should be processed during one connector run.
Minimum Severity to Fetch Integer N/A No Minimum severity a Carbon Black Cloud alert must have to be ingested into Google Security Operations SOAR, for example, 4 or 7.
What Alert Field to use for Name field String category Yes Which Carbon Black Cloud alert field to use for the Google Security Operations SOAR Alert Name field. Possible values are: type, category, policy_name.
What Alert Field to use for Rule Generator String type Yes Which Carbon Black Cloud alert field to use for the Google Security Operations SOAR Alert Rule Generator field. Possible values are: type, category, policy_name.
Alert Reputation to Ingest String NOT_LISTED, SUSPECT_MALWARE, UNKNOWN, ADAPTIVE_WHITE_LIST Yes Which reputations a Carbon Black Cloud alert may have to be ingested. The parameter accepts multiple values as a comma separated string.
Events Padding Period (hours) Integer 24 Yes Specify the number of hours backwards that events should be fetched for the alert.
Event Limit to Ingest per Alert Integer 25 Yes Specify the number of events that can be ingested per single CB Cloud alert per connector iteration.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, the whitelist will be used as a blacklist.
Proxy Server Address IP_OR_HOST N/A No Proxy server to use for connection.
Proxy Server Username String N/A No Proxy server username.
Proxy Server Password Password N/A No Proxy server password.
Alert Name Template String N/A No If specified, the connector builds the Siemplify Alert Name from this template, filling it with values from the Carbon Black Cloud alert data returned by the API. You can provide placeholders in the following format: [name of the field]. Example: CBCLOUD Alert - [reason]. Note: The maximum length for the field is 256 characters. If nothing is provided or the user provides an invalid template, the connector uses the default alert name.
Rule Generator Template String N/A No If specified, the connector builds the Siemplify Rule Generator from this template, filling it with values from the Carbon Black Cloud alert data returned by the API. You can provide placeholders in the following format: [name of the field]. Example: CBCLOUD - [reason]. Note: The maximum length for the field is 256 characters. If nothing is provided or the user provides an invalid template, the connector uses the default rule generator value.
Total Limit of Events per Alert Integer 100 No Specify the total number of events that the connector should get per single CB Cloud alert. If this limit is reached, no new events are fetched for the alert. To not limit the total number of events per alert, leave this parameter blank.
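The severity and reputation filters, the environment regex, and the Alert Name and Rule Generator templates are described the same way in the parameter tables of both connectors on this page. The following Python is an added example, not the integration's own code, that applies those parameters to one Carbon Black Cloud alert and shows the fallback behaviour: an unknown placeholder field or an over-long template yields the default name, a blank regex yields an empty environment, and an alert whose reputation is not in the configured list is not ingested. Function and parameter names are assumptions made for this example, the sample alert is a constructed, trimmed copy of the one shown above, and reading the reputation from threat_cause_reputation is an assumption about which alert field the parameter checks.

```python
"""Added example, not the integration's own code: how the connector parameters
described above shape one Google Security Operations SOAR alert from one Carbon
Black Cloud alert. Function and parameter names are assumptions made for this
example; the sample alert is a constructed, trimmed copy of the one on this page."""
import re

MAX_TEMPLATE_LENGTH = 256  # "maximum length for the field"; applied to the template string (assumption)
_PLACEHOLDER = re.compile(r"\[([^\[\]]+)\]")  # placeholders look like [name of the field]

SAMPLE_ALERT = {  # constructed, trimmed from the example alert shown above
    "id": "aa751d91-6623-1a6b-8b4a-************",
    "severity": 5,
    "category": "THREAT",
    "type": "CB_ANALYTICS",
    "policy_name": "default",
    "reason": "The application windowsazureguestagent.exe invoked another application (arp.exe).",
    "threat_cause_reputation": "TRUSTED_WHITE_LIST",
}


def passes_filters(alert, min_severity, reputations):
    """'Minimum Severity to Fetch' (None when left blank) and 'Alert Reputation to
    Ingest' (comma separated string). The reputation is read from
    threat_cause_reputation, an assumption about which field the parameter checks."""
    allowed = {r.strip() for r in reputations.split(",") if r.strip()}
    if min_severity is not None and alert.get("severity", 0) < min_severity:
        return False
    return alert.get("threat_cause_reputation") in allowed


def resolve_environment(alert, env_field, env_regex):
    """'Environment Field Name' and 'Environment Regex Pattern' semantics: an empty
    pattern or a missing value yields ""; otherwise the matched text is returned
    (no match also yields "", an assumption the page does not spell out)."""
    if not env_field or not env_regex:
        return ""
    value = alert.get(env_field)
    if value is None:
        return ""
    match = re.search(env_regex, str(value))
    return match.group(0) if match else ""


def render_template(template, alert, default):
    """Fill [field] placeholders from the alert. Fall back to the default when the
    template is blank, longer than 256 characters, or names a field the alert lacks."""
    if not template or len(template) > MAX_TEMPLATE_LENGTH:
        return default
    if any(name not in alert for name in _PLACEHOLDER.findall(template)):
        return default  # invalid template: unknown field
    return _PLACEHOLDER.sub(lambda m: str(alert[m.group(1)]), template)


def build_soar_alert(alert, params):
    """Apply the parameters to one alert; None means the alert is not ingested."""
    if not passes_filters(alert, params.get("min_severity"), params["reputations"]):
        return None
    return {
        "name": render_template(params.get("alert_name_template"), alert,
                                default=str(alert[params["name_field"]])),
        "rule_generator": render_template(params.get("rule_generator_template"), alert,
                                          default=str(alert[params["rule_generator_field"]])),
        "environment": resolve_environment(alert, params.get("env_field"), params.get("env_regex")),
    }


DEFAULT_PARAMS = {  # the default values from the parameter table
    "min_severity": None,
    "reputations": "NOT_LISTED, SUSPECT_MALWARE, UNKNOWN, ADAPTIVE_WHITE_LIST",
    "name_field": "category",
    "rule_generator_field": "type",
    "env_field": "",
    "env_regex": ".*",
}

TUNED_PARAMS = {  # constructed: widen the reputation list and use the templates from the table
    **DEFAULT_PARAMS,
    "min_severity": 4,
    "reputations": DEFAULT_PARAMS["reputations"] + ", TRUSTED_WHITE_LIST",
    "alert_name_template": "CBCLOUD Alert - [reason]",
    "rule_generator_template": "CBCLOUD - [reason]",
    "env_field": "policy_name",
    "env_regex": "^[a-z]+",
}

if __name__ == "__main__":
    print(build_soar_alert(SAMPLE_ALERT, DEFAULT_PARAMS))  # None: TRUSTED_WHITE_LIST is not in the default list
    print(build_soar_alert(SAMPLE_ALERT, TUNED_PARAMS))
```

With the table's defaults the sample alert is dropped, because TRUSTED_WHITE_LIST is not among the reputations to ingest; that is the intended effect of the filter, since alerts whose cause is a trusted, allow-listed binary are rarely worth a SOAR case. When widening the list or lowering the minimum severity, watch the "Max Alerts Per Cycle" value, because every additional alert that passes the filter also costs an events lookup per cycle.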

Connector rules

Proxy support

The connector supports proxy servers.