When the AlienApp for Carbon Black is enabled and connected to your CB Response deployment, you can launch app actions and create orchestration rules to send data from USM Anywhere to CB Response. (In USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp.) See AlienApp for Carbon Black Orchestration for more information about the orchestration actions supported by the AlienApp for Carbon Black.
Important: You do not need to complete this configuration if you are using the CB Protection and/or CB Defense products, but not the CB Response product.
Note: To fully integrate USM Anywhere with your Carbon Black implementation, you should also have the Carbon Black log collection enabled so that USM Anywhere can retrieve and normalize raw log data from the Carbon Black applications. (Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types.) See Collecting Logs from Carbon Black for information about enabling these plugins and raw log data retrieval.
Before you can use the Carbon Black orchestration actions within USM Anywhere, you must have an API token that USM Anywhere can use to connect to your Carbon Black server. Carbon Black generates this token for use by your user account.
Important: You must have global administrator privileges to generate a valid API token for integration with the AlienApp for Carbon Black.
To acquire the Carbon Black API token
- Open your Carbon Black dashboard with your user login.
- In the upper-right corner, click your user name and select My Profile.
- On the left navigation for the page, click API Token.
  This displays the API token page and generates a unique token that is displayed in the text box. Each user receives their own, unique API token. This token has the same power and privileges attached to your user account and does not expire.
  Note: If you generate a new token at some point in the future by clicking the Reset API Token button, this will revoke the existing token and you must also update the settings for the AlienApp for Carbon Black in USM Anywhere.
- Copy the token text to your clipboard or a secured text file.
After you generate a Carbon Black API token and copy the value, you're ready to enable the AlienApp for Carbon Black in USM Anywhere.
To enable the Carbon Black API connection
- In USM Anywhere, go to Data Sources > Integrations.
- Click the AlienApps tab.
- On the AlienApps page, click the Carbon Black tile.
  The Status tab is displayed, but it does not provide status information until the AlienApp for Carbon Black is enabled and configured.
- If you have more than one deployed USM Anywhere Sensor, select the Sensor that you want to use for the enabled AlienApp.
  USM Anywhere AlienApps operate through a deployed Sensor and use APIs to integrate with the connected third-party technology. Select the Sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this Sensor.
- Click Enable.
- Click the Settings tab.
- Enter the connection information to access the API for your Carbon Black environment.
  - Server address or hostname: Enter the IP address or hostname of your Carbon Black server.
  - API token: Click Change API token and enter the API token value that you copied in the Carbon Black console.
  - CA certificate: (Optional.) Add the security certificate that establishes a trusted SSL connection between your Carbon Black server and USM Anywhere. (SSL is a protocol used for transmitting private documents through the Internet. SSL works by using a public key to encrypt data that's transferred over the SSL connection.)
    Select the Require CA certificate checkbox if you want to use a security certificate for the authentication.
- Click Save.
- Click the Status tab to verify the connection.
  If the icon appears, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Carbon Black connection.