In this article, you'll learn how to integrate Carbon Black with SecurityCoach. Once the integration is complete, data provided by Carbon Black will be available for use in the SecurityCoach tab of your KSAT console. This data can be viewed in SecurityCoach reports and used to create detection rules for real-time coaching campaigns. For general information about SecurityCoach, see our SecurityCoach Product Manual.

Creating a Custom Access Level

Before you can set up this integration in your KSAT console, you will need to create a custom access level and an API key.To create a custom access level, follow the steps below:

1. Log in to your Carbon Black Cloud console.
2. Navigate to Settings > API Access > Access Levels.
3. Select Add Access Level.

4. In the Access Level section, enter a unique name and a description for your custom access level.

   

   Important:You'll need a level with a unique name to create an API key.

5. In the permissions table, locate the API Service Category and select the following Access Level permissions:

   

   • For the category Alerts > General Information > org.alerts, enable the READ check box.
   • For the category Alerts > Notes > org.alerts.notes, enable the READ check box.

Creating an API Key

After you’ve created your custom access level, you can create your Carbon Black API key. You'll need this key when you set up the integration in your KSAT console.

To create an API key, follow the steps below:

1. Log in to your Carbon Black Cloud console.
2. Navigate to Settings > API Access > API Keys.
3. Select Add API Key. An Add API Key window will display.

4. To configure the Add API Key window, see the screenshot and list below:

   

   1. Name: Enter a unique name for the API Key.

      Note:Choose a name that clearly distinguishes the API key from your organization’s other API keys.
   2. Access Level Type: Select Custom.
   3. Custom access level: Select the access level you created in the Creating a Custom Access Level article section.
5. Select Save. After you select Save, your API Key Credentials will display, including your API Key and API ID.
6. Copy and save the API Key and API ID somewhere that you can easily access. You'll need these credentials to complete the Setting Up the Integration in Your KSAT Console article section.

Setting Up the Integration in Your KSAT Console

To register Carbon Black with SecurityCoach in your KSAT console, follow the steps below:

1. Log in to your KSAT console.
2. Navigate to SecurityCoach > Setup > Security Vendor Integrations.

3. Locate Carbon Black and select Configure to open the vendor setup page.

   

4. Enter the API ID and API Key that you created in the Creating an API Key article section.
5. Enter the API Domain that is displayed in the URL of your Carbon Black Cloud console. For example, if your console URL is “https://dashboard.confer.net/”, your API domain would be “dashboard.confer.net”.
6. Enter the Org Key that is displayed in the Settings > API Access window of your Carbon Black Cloud console.
7. Select Connect Authorize.

Mapping Your Users

After you’ve finished integrating Carbon Black, we recommend mapping your users using mapping rules or through a CSV file upload. For more information, see our Map Users in SecurityCoach article.

Once you’ve successfully authorized this integration, you can manage detection rules for Carbon Black on the Detection Rules subtab of SecurityCoach. For a full list of available system detection rules for this vendor, see our System Detection Rules by Vendor article.

Deleting the Integration in SecurityCoach

If you want to delete the Carbon Black integration from SecurityCoach, follow the steps below:

1. Log in to your KSAT console.
2. Navigate to SecurityCoach > Setup > Security Vendor Integrations.
3. Locate the Carbon Black vendor tile and select Edit.
4. Select Delete Integration near the bottom of the page.
5. A confirmation pop-up window will open. If you are sure you want to delete the integration, select Confirm.