When the AlienApp for Carbon Black is enabled and connected to your CB Response deployment, you can launch app actions (in USM Anywhere, you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp) and create orchestration rules to send data from USM Anywhere to CB Response. See AlienApp for Carbon Black Orchestration for more information about the orchestration actions supported by the AlienApp for Carbon Black.
Important: You do not need to complete this configuration if you are using the CB Protection and/or CB Defense products, but not the CB Response product.
Note: To fully integrate USM Anywhere with your Carbon Black implementation, you should also have the Carbon Black log collection enabled so that USM Anywhere can retrieve and normalize raw log data from the Carbon Black applications. (Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types.) See Collecting Logs from Carbon Black for information about enabling these plugins and raw log data retrieval.
Before you can use the Carbon Black orchestration actions within USM Anywhere, you must have an API token that USM Anywhere can use to connect to your Carbon Black server. Carbon Black generates this token for use by your user account.
Important: You must have global administrator privileges to generate a valid API token for integration with the AlienApp for Carbon Black.
To acquire the API token for CB Response
- Go to https://developer.carbonblack.com/reference/enterprise-response/authentication/ and follow the vendor instructions to generate the API token.
- Copy the token to be entered in USM Anywhere.
Important: If you generate a new API token or key at some point in the future, it will revoke the existing token, making the connection unauthorized. Therefore, you must update the token in USM Anywhere accordingly.
After you generate a Carbon Black API token and copy the value, you're ready to enable the AlienApp for Carbon Black in USM Anywhere.
To enable the Carbon Black API connection
- In USM Anywhere, go to Data Sources > Integrations.
- Click the AlienApps tab.
- On the AlienApps page, click the Carbon Black tile.
  The Status tab is displayed, but it does not provide status information until the AlienApp for Carbon Black is enabled and configured.
- If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.
  AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.
- Click Enable.
- Click the Settings tab.
- Specify the connection information for your CB Response server:
  - Server address or hostname: Enter the IP address or hostname of your CB Response server.
  - API token: Click Change API token and enter the API token created in CB Response.
  - (Optional.) CA certificate: If you want to use a security certificate for the authentication, select the checkbox and add your certificate to establish a trusted SSL connection between your CB Response server and USM Anywhere. (SSL: protocol used for transmitting private documents through the Internet. SSL works by using a public key to encrypt data that's transferred over the SSL connection. See also transport layer security.)
- Click Save.
- Click the Status tab to verify the connection.
If the icon appears, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Carbon Black connection.
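When the Status tab reports a problem, it helps to separate the three failure points this procedure introduces: the sensor's network path, the CA certificate, and the API token. The following pre-check is an added example, not part of the vendor documentation; the `/api/info` path and the `X-Auth-Token` header are assumptions about the CB Response REST API to confirm against the authentication reference linked above, and the function name is hypothetical. Run it from a host on the same network segment as the selected sensor.

```python
import ssl
import urllib.error
import urllib.request


def check_cb_response(base_url, api_token, ca_file=None, timeout=10):
    """Return (status, detail) for one authenticated GET against CB Response.

    status is one of: ok, token_rejected, http_error,
    untrusted_certificate, unreachable.
    """
    # Certificate and hostname verification stay on. When ca_file is given,
    # only that CA bundle is trusted; otherwise the system store is used.
    ctx = ssl.create_default_context(cafile=ca_file)
    # Empty ProxyHandler: connect directly, ignoring proxy environment variables.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),
        urllib.request.HTTPSHandler(context=ctx),
    )
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/info",   # assumed endpoint
        headers={"X-Auth-Token": api_token},  # assumed auth header
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return ("ok", f"HTTP {resp.status}")
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            # Expected when the token was regenerated and the stored one revoked.
            return ("token_rejected", f"HTTP {exc.code}")
        return ("http_error", f"HTTP {exc.code}")
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return ("untrusted_certificate", str(exc.reason))
        return ("unreachable", str(exc.reason))
    except OSError as exc:  # e.g. a read timeout raised outside URLError
        return ("unreachable", str(exc))


if __name__ == "__main__":
    import os
    import sys
    # Usage: CB_TOKEN=... python check_cb.py https://<cb-response-host> [ca.pem]
    # The token is read from the environment so it stays out of shell history.
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_cb_response(sys.argv[1], os.environ["CB_TOKEN"], ca))
```

An `untrusted_certificate` result means the CA certificate supplied in the Settings tab would not validate the server either; a `token_rejected` result points at the API token rather than the network path.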