How to : Collect VMware Carbon Black Defense and Threat Hunter feeds into Exabeam

The following guide will provide the details of how to collect the following log sources:

1. VMware CB Defense events (VMware Carbon Black Cloud Endpoint Standard)
2. CB ThreatHunter Alerts (VMware Carbon Black Cloud Enterprise EDR) - Early Access

These 2 (two) log sources are retrieved into Exabeam by usage of the Carbon Black Event Forwarder

The Event Forwarder forwards the events and alerts from Carbon Black servers into a customer managed S3 bucket, from where the custom application cloud connector can pull.

Note: The audit logs will continue to be pulled directly via the API , in the Carbon Black Cloud Connector.

A diagram of the integration: 

In order to configure the log sources please perform the following :

1. Configure the Carbon Black Event Forwarder. Please follow the step by step instructions provided by VMware.
2. On board a new custom application cloud connector to pull the feed from your previously configured S3 bucket. Please follow the instructions here. Choose the "pass-through" processor.
3. If required, install the appropriate content package from the content library. Note: The Carbon Black Threat Hunter (Enterprise EDR) parsers are in early access level. If you wish to use these parsers please contact Exabeam support.