Use the Datadog-Carbon Black integration in order to forward your Carbon Black Defense logs to Datadog.
First, install and setup the Carbon Black Defense log shipper. The shipper is available for:
The configuration file below enables your Carbon Black Defense shipper to forward your logs to Datadog:
[general]
template = {{source}}|{{version}}|{{vendor}}|{{product}}|{{dev_version}}|{{signature}}|{{name}}|{{severity}}|{{extension}}
policy_action_severity = 4
output_format=json
output_type=http
http_out=https://http-intake.logs.datadoghq.com/v1/input/<DATADOG_API_KEY>?ddsource=cbdefense
http_headers={"content-type": "application/json"}
https_ssl_verify=True
[cbdefense1]
server_url = <CB_DEFENSE_SERVER_URL>
siem_connector_id=<CB_DEFENSE_API_ID>
siem_api_key=<CB_DEFENSE_API_SECRET_KEY>
[general]
template = {{source}}|{{version}}|{{vendor}}|{{product}}|{{dev_version}}|{{signature}}|{{name}}|{{severity}}|{{extension}}
policy_action_severity = 4
output_format=json
output_type=http
http_out=https://http-intake.logs.datadoghq.eu/v1/input/<DATADOG_API_KEY>?ddsource=cbdefense
http_headers={"content-type": "application/json"}
https_ssl_verify=True
[cbdefense1]
server_url = <CB_DEFENSE_SERVER_URL>
siem_connector_id=<CB_DEFENSE_API_ID>
siem_api_key=<CB_DEFENSE_API_SECRET_KEY>
Replace the <DATADOG_API_KEY>, <CB_DEFENSE_API_SECRET_KEY>, <CB_DEFENSE_API_ID>, and <CB_DEFENSE_SERVER_URL> placeholders to complete your configuration.
First, replace <DATADOG_API_KEY> with your Datadog API key, found on the Datadog API key page.
Next, to obtain your Carbon Black Defense API key and API ID, generate them from within Carbon Black:
<CB_DEFENSE_API_SECRET_KEY> and <CB_DEFENSE_API_ID> placeholder in your Carbon Black Defense log shipper configuration file.You can find your Carbon Black Defense server URL within your Carbon Black dashboard. Go to Settings -> API KEYS -> Download to find this URL and its access level descriptions. Use this value to replace the <CB_DEFENSE_SERVER_URL> placeholder.
Need help? Contact Datadog support.