Carbon Black Defense API Depreciation - action required

Background

VMware announced that they will be deprecating some of their APIs on February 1, 2021. 

Exabeam Cloud Connectors are currently pulling from the "CB Defense" feed (new name :

VMware Carbon Black Cloud Endpoint Standard) using two (2) APIs:

• Audit Logs API (https://yourhost.conferdeploy.net/integrationServices/v3/auditLogs)
• Event API (https://yourhost.conferdeploy.net/integrationServices/v3/event)

While the Audit Logs API is not being deprecated, the Events API is being deprecated.

VMware advised that the best option to replace the Events API is by using their new event forwarder. This is their recommended way to retrieve the CB Defense (VMware Carbon Black Cloud Endpoint Standard) feed as well as the CB ThreatHunter (VMware Carbon Black Cloud Enterprise EDR) feed. This means that with the new method, we will be collecting a new feed (Threat Hunter) in addition to the existing feed (CB Defense). Important note: the new feed (CB Threat Hunter) parsers are in early access level. Please contact Exabeam support if you wish to use them.

The Event Forwarder forwards the events and alerts from Carbon Black servers into a customer managed S3 bucket, from where the custom application cloud connector can pull.

The audit logs will continue to be pulled directly via the API , in the Carbon Black Cloud Connector.

Here is a diagram of what the integration will look like :

Required Action

Before Feburary 1, 2021 existing customers using the Cloud Connector for CB Defense will need to complete the following actions:

1. Configure the Carbon Black Event Forwarder. Please follow the step by step instructions provided by VMware.
2. On your Exabeam Cloud Connectors UI, choose the CB Defense cloud connector, click on status and stop all the endpoints except the auditlog endpoint.
   
   
3. On board a new custom application cloud connector to pull the feed from your previously configured S3 bucket. Please follow the instructions here. Choose the "pass-through" processor.
4. Install the appropriate content package from the content library. Again please note that the parsers for threat hunter are early access so be sure to contact Exabeam support for more details.