This guide describes how to collect the following log sources:
- VMware CB Defense events (VMware Carbon Black Cloud Endpoint Standard)
- CB ThreatHunter Alerts (VMware Carbon Black Cloud Enterprise EDR) - Early Access
Both of these log sources are retrieved into Exabeam by means of the Carbon Black Event Forwarder.
The Event Forwarder writes the events and alerts from the Carbon Black servers into an S3 bucket that you own and manage, from which a custom application cloud connector pulls them.
Note: Audit logs will continue to be pulled directly via the API by the Carbon Black Cloud Connector.
A diagram of the integration:
To configure the log sources, perform the following:
- Configure the Carbon Black Event Forwarder, following the step-by-step instructions provided by VMware.
- Onboard a new custom application cloud connector to pull the feed from the S3 bucket you configured in the previous step. Follow the instructions here and choose the "pass-through" processor.
- If required, install the appropriate content package from the content library. Note: the Carbon Black ThreatHunter (Enterprise EDR) parsers are at early access level; if you wish to use them, contact Exabeam support.
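The following script is an added example, not Exabeam's or VMware's code, showing what the "pull from S3 and pass through" step amounts to, so you can sanity-check the bucket contents before the cloud connector is pointed at it. It assumes (these are assumptions, not documented product behaviour) that each object the Event Forwarder writes is a gzip-compressed newline-delimited JSON file, that every record carries a "type" field, that CB Defense endpoint events have types beginning with "endpoint.event." and that alerts use types such as "WATCHLIST" or "CB_ANALYTICS". The object keys and records are constructed sample data. The script keeps a checkpoint of processed object keys so that a re-run never ingests the same object twice, and it counts malformed lines instead of letting one bad line abort the whole object.

```python
"""Added example: read Carbon Black forwarder output from an S3-style
key -> bytes listing and route records to the two Exabeam log sources.
Object layout, record types and checkpointing here are assumptions."""
import gzip
import json

# Assumed alert record types; adjust to what your forwarder actually emits.
ALERT_TYPES = {"CB_ANALYTICS", "WATCHLIST"}


def gzip_ndjson(records):
    """Pack dicts into gzip'd newline-delimited JSON bytes.
    Used only to build the constructed sample objects below."""
    body = "\n".join(json.dumps(r) for r in records) + "\n"
    return gzip.compress(body.encode("utf-8"))


# Constructed sample "S3 objects" (key -> object bytes); not real forwarder output.
SAMPLE_OBJECTS = {
    "cbc/endpoint.event/part-0000.jsonl.gz": gzip_ndjson([
        {"type": "endpoint.event.procstart", "device_name": "WS-01",
         "process_path": "c:\\windows\\system32\\cmd.exe"},
        {"type": "endpoint.event.netconn", "device_name": "WS-01",
         "remote_ip": "203.0.113.7", "remote_port": 443},
    ]),
    # One good record followed by a deliberately malformed line.
    "cbc/endpoint.event/part-0001.jsonl.gz": gzip.compress(
        b'{"type": "endpoint.event.filemod", "device_name": "WS-02"}\n{not json\n'),
    "cbc/alert/part-0000.jsonl.gz": gzip_ndjson([
        {"type": "WATCHLIST", "severity": 7, "device_name": "WS-01",
         "watchlists": [{"name": "ATT&CK Framework"}]},
    ]),
}


def read_ndjson(blob):
    """Decompress one object and parse it line by line.
    Returns (records, bad_lines); a malformed or type-less line is
    counted and skipped rather than aborting the object."""
    records, bad = [], 0
    text = gzip.decompress(blob).decode("utf-8", errors="replace")
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if not isinstance(rec, dict) or "type" not in rec:
            bad += 1
            continue
        records.append(rec)
    return records, bad


def classify(record):
    """Map a record to the Exabeam log source it belongs to."""
    rtype = str(record.get("type", ""))
    if rtype.startswith("endpoint.event."):
        return "cb_defense_event"
    if rtype in ALERT_TYPES:
        return "threathunter_alert"
    return "unknown"


def pull_new(objects, processed):
    """Process every object key not already in the `processed` checkpoint
    set, so a crash-and-retry or a duplicate listing cannot double-ingest.
    Returns (summary counts, updated checkpoint set)."""
    summary = {"cb_defense_event": 0, "threathunter_alert": 0,
               "unknown": 0, "bad_lines": 0, "objects": 0}
    done = set(processed)
    for key in sorted(objects):
        if key in done:
            continue
        records, bad = read_ndjson(objects[key])
        summary["objects"] += 1
        summary["bad_lines"] += bad
        for rec in records:
            summary[classify(rec)] += 1
        done.add(key)
    return summary, done


if __name__ == "__main__":
    first, checkpoint = pull_new(SAMPLE_OBJECTS, set())
    print(first)
    second, _ = pull_new(SAMPLE_OBJECTS, checkpoint)
    print(second)  # everything already checkpointed: nothing re-ingested
```

When you run this against a real bucket listing, a non-zero "unknown" or "bad_lines" count is the signal to check the forwarder configuration before enabling the pass-through connector. Because the bucket is customer managed, keep the forwarder's write credentials and the connector's read credentials separate, and grant the connector only list and get rights on the forwarder prefix.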