Use the Datadog-Carbon Black integration in order to forward your Carbon Black Defense logs to Datadog.
First, install and setup the Carbon Black Defense log shipper.
The configuration file below enables your Carbon Black Defense shipper to forward your logs to Datadog:
[general]
template = {{source}}|{{version}}|{{vendor}}|{{product}}|{{dev_version}}|{{signature}}|{{name}}|{{severity}}|{{extension}}
policy_action_severity = 4
output_format=json
output_type=http
http_out=https://http-intake.logs.datadoghq.com/v1/input/<DATADOG_API_KEY>?ddsource=cbdefense
http_headers={"content-type": "application/json"}
https_ssl_verify=True
[cbdefense1]
server_url = <CB_DEFENSE_SERVER_URL>
siem_connector_id=<CB_DEFENSE_API_ID>
siem_api_key=<CB_DEFENSE_API_SECRET_KEY>
[general]
template = {{source}}|{{version}}|{{vendor}}|{{product}}|{{dev_version}}|{{signature}}|{{name}}|{{severity}}|{{extension}}
policy_action_severity = 4
output_format=json
output_type=http
http_out=https://http-intake.logs.datadoghq.eu/v1/input/<DATADOG_API_KEY>?ddsource=cbdefense
http_headers={"content-type": "application/json"}
https_ssl_verify=True
[cbdefense1]
server_url = <CB_DEFENSE_SERVER_URL>
siem_connector_id=<CB_DEFENSE_API_ID>
siem_api_key=<CB_DEFENSE_API_SECRET_KEY>
Replace the <DATADOG_API_KEY>, <CB_DEFENSE_API_SECRET_KEY>, <CB_DEFENSE_API_ID>, and <CB_DEFENSE_SERVER_URL> placeholders to complete your configuration.
First, replace <DATADOG_API_KEY> with your Datadog API key, found on the Datadog API key page.
Next, to obtain your Carbon Black Defense API key and API ID, generate them from within Carbon Black:
<CB_DEFENSE_API_SECRET_KEY> and <CB_DEFENSE_API_ID> placeholder in your Carbon Black Defense log shipper configuration file.You can find your Carbon Black Defense server URL within your Carbon Black dashboard. Go to Settings -> API KEYS -> Download to find this URL and its access level descriptions. Use this value to replace the <CB_DEFENSE_SERVER_URL> placeholder.
Need help? Contact Datadog support.
On this Page
