Carbon Black

Overview

Use the Datadog-Carbon Black integration to forward your Carbon Black EDR events and alerts as Datadog logs.

Setup

Installation

Datadog uses Carbon Black’s event forwarder and Datadog’s Lambda forwarder to collect Carbon Black events and alerts from your S3 bucket.

Carbon Black provides a Postman collection for the API that you use to create the Carbon Black event forwarder.

Configuration

1. Install the Datadog Forwarder.
2. Create a bucket in your AWS Management Console to forward events to.
3. Configure the S3 bucket to allow the Carbon Black forwarder to write data.
   • Important: The S3 bucket must have a prefix with the keyword carbon-black in which the CB events come in. This allows Datadog to recognize the source of the logs correctly.
4. Create an access level in the Carbon Black Cloud console.
5. Create an API key in the Carbon Black Cloud console.
6. Configure the API in Postman by updating the value of the following Postman environment variables with the key created above: cb_url, cb_org_key, cb_custom_id, and cb_custom_key.
7. Create two Carbon Black event forwarders with different names for Carbon Black alerts ("type": "alert") and endpoint events ("type": "endpoint.event").
8. Setup the Datadog Forwarder to trigger on the S3 bucket.

Troubleshooting

Need help? Contact Datadog support.