When the AlienApp for Carbon Black EDR is enabled and connected to your Carbon Black Response deployment, you can launch app actions In USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp. and create orchestration rules to send data from USM Anywhere to Carbon Black Response. See AlienApp for Carbon Black EDR Actions for more information about the orchestration actions supported by the AlienApp for Carbon Black EDR.
Note: To fully integrate USM Anywhere with your Carbon Black implementation, you should also have the Carbon Black log collection enabled so that USM Anywhere can retrieve and normalize Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types. raw log data from the Carbon Black applications. See Collecting Logs from Carbon Black EDR for information about raw log data retrieval.
Generate a Carbon Black API Token
Before you can use the Carbon Black orchestration actions within USM Anywhere, you must have an API token that USM Anywhere can use to connect to your Carbon Black server. Carbon Black generates this token for use by your user account.
Important: You must have global administrator privileges to generate a valid API token for integration with the AlienApp for Carbon Black EDR.
To acquire the API token for Carbon Black EDR
- Go to https://developer.carbonblack.com/reference/enterprise-response/authentication/ and follow the vendor instructions to generate the API token.
- Copy the token to be entered in USM Anywhere.
Important: If you generate a new API token or key at some point in the future, it will revoke the existing token making the connection unauthorized. Therefore, you must update the token in USM Anywhere accordingly.
Enable the API Connection
After you generate a Carbon Black API token and copy the value, you're ready to enable the AlienApp for Carbon Black EDR in USM Anywhere.
To enable the Carbon Black API connection
- In USM Anywhere, go to Data Sources > AlienApps.
- Click the Available Apps tab.
- Search for the AlienApp, and then click the tile.
- Click Configure API.
If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.
AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.
Specify the connection information for your Carbon Black EDR server:
- Server address: Enter the IP address or hostname of your Carbon Black EDR server.
- API token: Click Change API token and enter the API token created in Carbon Black EDR.
- (Optional.) Custom Certificate Authority Public Certificate: If you want to use a security certificate for the authentication, select the checkbox and add your certificate to establish a trusted Secure Sockets Layer (SSL Protocol used for transmitting private documents through the Internet. SSL works by using a public key to encrypt data that's transferred over the SSL connection. See also transport layer security.) connection between your Carbon Black EDR server and USM Anywhere.
- Click Save.
Verify the connection.
After USM Anywhere completes a successful connection to the Carbon Black EDR APIs, a icon displays in the Health column.
If the icon displays, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Carbon Black EDR connection.