About Carbon Black
The Carbon Black EDR (Endpoint Detection and Response) tool collects and visualizes extensive information for vigilant threat hunting and accelerated incident response. Endpoint events are collected at an enormous scale for increased visibility into the changing threat landscape.
SIRP integrates with Carbon Black’s EDR for the enrichment of activity data, improved visibility into threat patterns, and extended automation for removing or containing threats.
Carbon Black’s comprehensive security coverage, combined with SIRP’s risk-based SOAR platform, provides SOC teams with an unparalleled defense posture. SOC teams have access to active threats, accelerated visibility and detection, and complete information on artifacts to provide context and threat validation.
Supported Actions
SIRP’s Carbon Black integration app allows you to execute the following actions:
S.no | Action | Description |
1 | block hash | Block a hash through Carbon Black. |
2 | get alerts | Get new alerts from Carbon Black. |
3 | get_process_info_for_segment | Get process information against the process ID from Carbon Black. |
4 | get_process_info | Get the process name from Carbon Black. |
Enable and Configure the Carbon Black App
Follow these steps to generate an API key:
1. Log in to your Carbon Black instance.
2. Click the username dropdown, then select My Profile > API Token.
3. Copy the API token.
Configure The SIRP App
1. Next, log in to SIRP, then go to Apps from the left navigation bar.
2. Locate the Carbon Black App.
3. Click on the Toggle button to enable the app.
4. As soon as you enable the App, you will get an option to add the configuration details.
5. Add the following details and click Save:
Configuration Name <Name of configuration, could be any name>
Host <IP address of your Carbon Black instance>
API-Key <API token copied from Carbon Black>
Carbon Black In Action
Once the integration between SIRP and Carbon Black is complete, you can execute all the supported actions. For example, click on a hash, then select Carbon Black EDR > block hash.
Once the action executes successfully, the hash is blocked within Carbon Black EDR.