About Carbon Black
The Carbon Black EDR (Endpoint Detection and Response) tool visualizes and collects extensive information for vigilant threat hunting and accelerated incidence response. The endpoint events are collected at an enormous scale for increased visibility into the changing threat landscape.
SIRP integrates with Carbon Black’s EDR for the enrichment of activity data, improved visibility into threat patterns, and extended automation for removing or containing threats.
Comprehensive security coverage by Carbon Black, combined together with SIRP’s risk-based SOAR platform provides SOC teams with an unparalleled defense posture. The SOC teams have access to active threats, accelerated visibility and detection, and complete information on artifacts to provide context and threat validation.
SIRP’s Carbon Black integration app allows you to execute the following actions:
Block a hash through Carbon Black.
Get new alerts from Carbon Black.
Get process information against the process ID from Carbon Black.
Get the process name from Carbon Black.
Enable and Configure the Carbon Black App
Below mentioned are the steps to generate an API key for usage:
Log in to your Cabon Black instance
Click on Username dropdown then select My Profile > API Token.
Copy the API Token
Configure The SIRP App
Next, log in to SIRP, then go to Apps from the left navigation bar
Locate the Carbon Black App.
Click on the Toggle button to enable the app.
4. As soon as you enable the App, you will get an option to add the configuration details.
5. Add the following details and click Save:
Configuration Name <Name of configuration, could be any name>
Host <IP address of your Carbon Black instance>
API-Key <API token copied from Carbon Black>
Carbon Black In Action
Once the integration between SIRP and Carbon Black is complete, you can execute all the supported actions. For example, click on a hash then select
Carbon Black EDR > block hash.
Once the action is successfully executed, the hash would have been blocked within Carbon Black EDR.