VMware Carbon Black Cloud Integration with JupiterOne - AskJ1 Community
<main> <article class="userContent"> <h2 data-id="vmware-carbon-black-cloud-jupiterone-integration-benefits">VMware Carbon Black Cloud + JupiterOne Integration Benefits</h2> <ul><li>Visualize VMware Carbon Black endpoint agents and findings on corresponding devices in the JupiterOne graph.</li> <li>Map VMware Carbon Black endpoint agents to devices and devices to the employee who is the owner.</li> <li>Monitor VMware Carbon Black findings within the Alerts app.</li> <li>Monitor changes to VMware Carbon Black endpoints using JupiterOne alerts.</li> </ul><h2 data-id="how-it-works">How it Works</h2> <ul><li>JupiterOne periodically fetches new findings from VMware Carbon Black to update the graph.</li> <li>Configure alerts to reduce the noise of findings.</li> </ul><h2 data-id="requirements">Requirements</h2> <ul><li>JupiterOne requires the deployment site and org key of your account as well as a configured API key and ID with the proper permissions.</li> <li>You must have permission in JupiterOne to install new integrations.</li> </ul><h2 data-id="support">Support</h2> <p>If you need help with this integration, contact <a rel="nofollow" href="https://community.askj1.com">JupiterOne Support</a>.</p> <h2 data-id="integration-walkthrough">Integration Walkthrough</h2> <p>JupiterOne provides a managed integration for VMware Carbon Black Cloud Platform (formerly the Predictive Security Cloud, or PSC). The integration connects directly to VMware Carbon Black APIs to obtain details about device sensors/agents and active alerts. 
Customers authorize access by creating a Connector and an API Key in their target PSC account and providing that credential to JupiterOne.</p> <h3 data-id="in-carbon-black">In Carbon Black</h3> <p>You must <a rel="nofollow" href="https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/">set up an Access Level and API Key</a> in the VMware Carbon Black Cloud Console to allow access to the Devices and Alerts APIs.</p> <ol><li><strong>Settings > API Access > Access Levels: Add Access Level</strong>: Name "JupiterOne Read Only" (or match your naming patterns), permissions <code class="code codeInline" spellcheck="false" tabindex="0">device: READ</code>, <code class="code codeInline" spellcheck="false" tabindex="0">org.alerts: READ</code>, <code class="code codeInline" spellcheck="false" tabindex="0">org.retention: READ</code>.</li> <li><strong>Settings > API Access > API Keys: Add API Key</strong>: Name "JupiterOne" (or match your naming patterns), Access Level Type "Custom", "JupiterOne Read Only". Capture the <em>API Secret Key</em> and <em>API ID</em>.</li> </ol><p>With the Access Level and API Key now configured, you must provide these parameters to the integration instance configuration:</p> <ul><li><strong>Deployment Site/Environment</strong> (<code class="code codeInline" spellcheck="false" tabindex="0">site</code>): The part immediately following <code class="code codeInline" spellcheck="false" tabindex="0">defense-</code> in your Carbon Black Cloud account URL. 
For example, if you access your account at <code class="code codeInline" spellcheck="false" tabindex="0">https://defense-prod05.conferdeploy.net/</code>, the <code class="code codeInline" spellcheck="false" tabindex="0">site</code> is <code class="code codeInline" spellcheck="false" tabindex="0">prod05</code>.</li> <li><strong>Org Key</strong> (<code class="code codeInline" spellcheck="false" tabindex="0">orgKey</code>): From <strong>Settings > API Access</strong>, capture the <em>Org Key</em>.</li> <li><strong>API ID</strong> (<code class="code codeInline" spellcheck="false" tabindex="0">connectorId</code>): Captured during API Key creation.</li> <li><strong>API Key</strong> (<code class="code codeInline" spellcheck="false" tabindex="0">apiKey</code>): Captured during API Key creation.</li> </ul><h3 data-id="in-jupiterone">In JupiterOne</h3> <ol><li>From the configuration <strong>Gear Icon</strong>, select <strong>Integrations</strong>.</li> <li>Scroll to the <strong>Carbon Black PSC</strong> integration tile and click it.</li> <li>Click the <strong>Add Configuration</strong> button and configure the following settings:</li> </ol><ul><li>Enter the <strong>Account Name</strong> by which you'd like to identify this VMware Carbon Black account in JupiterOne. Ingested entities will have this value stored in <code class="code codeInline" spellcheck="false" tabindex="0">tag.AccountName</code> when <strong>Tag with Account Name</strong> is checked.</li> <li>Enter a <strong>Description</strong> that will further assist your team when identifying the integration instance.</li> <li>Select a <strong>Polling Interval</strong> that you feel is sufficient for your monitoring needs. 
You may leave this as <code class="code codeInline" spellcheck="false" tabindex="0">DISABLED</code> and manually execute the integration.</li> <li>Enter the <strong>Deployment Site</strong> from the URL in the VMware Carbon Black Cloud Console.</li> <li>Enter the <strong>Org Key</strong> from the VMware Carbon Black Cloud Console.</li> <li>Enter the <strong>API ID</strong> configured for JupiterOne.</li> <li>Enter the <strong>API Key</strong> configured for JupiterOne.</li> </ul><ol start="4"><li>Click <strong>Create Configuration</strong> once all values are provided.</li> </ol><h2 data-id="how-to-uninstall">How to Uninstall</h2> <ol><li>From the configuration <strong>Gear Icon</strong>, select <strong>Integrations</strong>.</li> <li>Scroll to the <strong>Carbon Black PSC</strong> integration tile and click it.</li> <li>Identify and click the <strong>integration to delete</strong>.</li> <li>Click the <strong>trash can</strong> icon.</li> <li>Click the <strong>Remove</strong> button to delete the integration.</li> </ol><p><br></p> <h2 data-id="data-model">Data Model</h2> <h3 data-id="entities">Entities</h3> <p>The following entities are created:</p> <table><thead><tr><th>Resources</th> <th>Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> <th>Entity <code class="code codeInline" spellcheck="false" tabindex="0">_class</code></th> </tr></thead><tbody><tr><td>Account</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">carbonblack_psc_account</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Account</code></td> </tr><tr><td>Alert</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">cbdefense_alert</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Finding</code></td> </tr><tr><td>Device Sensor Agent</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">cbdefense_sensor</code></td> <td><code class="code codeInline" 
spellcheck="false" tabindex="0">HostAgent</code></td> </tr><tr><td>Service</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">cb_endpoint_protection</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Service</code></td> </tr></tbody></table><h3 data-id="relationships">Relationships</h3> <p>The following relationships are created:</p> <table><thead><tr><th>Source Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> <th>Relationship <code class="code codeInline" spellcheck="false" tabindex="0">_class</code></th> <th>Target Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> </tr></thead><tbody><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">carbonblack_psc_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">cb_endpoint_protection</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">carbonblack_psc_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">cbdefense_sensor</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">cbdefense_sensor</code></td> <td><strong>IDENTIFIED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">cbdefense_alert</code></td> </tr></tbody></table><h3 data-id="mapped-relationships">Mapped Relationships</h3> <p>The following mapped relationships are created:</p> <table><thead><tr><th>Source Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> <th>Relationship <code class="code codeInline" spellcheck="false" tabindex="0">_class</code></th> <th>Target Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> <th>Direction</th> </tr></thead><tbody><tr><td><code class="code codeInline" spellcheck="false" 
tabindex="0">cbdefense_sensor</code></td> <td><strong>PROTECTS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">*user_endpoint*</code></td> <td>FORWARD</td> </tr></tbody></table><p><br></p> </article> </main>
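<p>A pre-flight check for the values gathered in the Integration Walkthrough, as an added example that is not JupiterOne or VMware code: it derives <code>site</code> from the console URL, compares an access level against the three read permissions listed above, and sanity-checks the four instance parameters. The function names, the placeholder credentials and the <code>UPDATE</code> operation in the sample input are assumptions made for illustration.</p>

```python
from urllib.parse import urlsplit

# Permissions the walkthrough gives the "JupiterOne Read Only" access level.
REQUIRED = {"device": {"READ"}, "org.alerts": {"READ"}, "org.retention": {"READ"}}
CONFIG_FIELDS = ("site", "orgKey", "connectorId", "apiKey")


def site_from_console_url(url):
    """Return the text that follows 'defense-' in the console host name."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https console URL")
    label = parts.hostname.split(".")[0]
    if not label.startswith("defense-") or label == "defense-":
        raise ValueError("host does not look like defense-<site>")
    return label[len("defense-"):]


def review_access_level(granted):
    """granted: {category: set(operations)} -> (missing, excess) permission lists."""
    missing = [f"{c}: {op}" for c, ops in REQUIRED.items()
               for op in ops - granted.get(c, set())]
    excess = [f"{c}: {op}" for c, ops in granted.items()
              for op in ops - REQUIRED.get(c, set())]
    return sorted(missing), sorted(excess)


def check_instance_config(config):
    """Return a list of problems found in the four integration parameters."""
    problems = [f"{k} is empty" for k in CONFIG_FIELDS
                if not str(config.get(k, "")).strip()]
    site = str(config.get("site", ""))
    if "://" in site or "." in site or site.startswith("defense-"):
        problems.append("site must be the bare value (prod05), not a URL or host")
    if config.get("apiKey") and config.get("apiKey") == config.get("connectorId"):
        problems.append("apiKey and connectorId are identical")
    return problems


if __name__ == "__main__":
    # Constructed sample input: placeholder credentials and an over-broad level.
    site = site_from_console_url("https://defense-prod05.conferdeploy.net/")
    cfg = {"site": site, "orgKey": "ORGKEY-PLACEHOLDER",
           "connectorId": "APIID-PLACEHOLDER", "apiKey": "SECRET-PLACEHOLDER"}
    print(site, check_instance_config(cfg))
    print(review_access_level({"device": {"READ", "UPDATE"}, "org.alerts": {"READ"}}))
```

<p>An empty <code>excess</code> list means the access level grants nothing beyond what the walkthrough asks for; an empty <code>missing</code> list means all three listed read permissions are present.</p>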