How to Connect VMware Carbon Black Cloud to Secureworks Taegis XDR Using API

Summary: Learn how to connect VMware Carbon Black Cloud to Secureworks Taegis XDR using API by following these instructions.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

VMware Carbon Black Cloud allows for APIs to be generated to output various sets of data from the infrastructure to third-party applications. Secureworks has introduced the ability to consume these events through an API receiver within the Secureworks Taegis XDR (eXtended Detection and Response) console.

Affected Products:

  • VMware Carbon Black Cloud
  • Secureworks Threat Detection and Response
  • Secureworks Managed Detection and Response
  • Secureworks XDR
  • Secureworks ManagedXDR
  • DellMDR

Configuration of the Event Forwarder from VMware Carbon Black Cloud to Secureworks TDR requires administrators to Create an Access Level and an API Key with Carbon Black. Once completed, then you can Create the Integration Within Secureworks Taegis XDR.

Note:
  • Within VMware Carbon Black Cloud, the administrator requires permissions to manage Access Levels and API Keys.
  • Within Secureworks TDR, the administrator requires Tenant Administrator permissions.

Create an Access Level and an API Key with Carbon Black

  1. Log in to the appropriate Carbon Black Defense console for your environment:
    Note: All connections to the VMware Carbon Black Cloud are over 443 (https) using TLS 1.2.
  2. Expand Settings and then select API Access.
    API Access
  3. You must:
    1. Create an Access Level
    2. Create an API Key
    3. Find the Org Key

For more information, click the appropriate action.

  1. Select the Access Levels tab, then select Add Access Level to create an access level.
    Add Access Level
  2. From the Edit Access Level menu:
    1. Populate a Name and Description for the Access Level.
    2. Locate and then enable the following settings:
      Category Permission Notation Selection boxes to enable
      Device Quarantine device.quarantine Execute
      Device General Information device Read
      Event Forwarding Settings event-forwarder.settings Create, Read, Update, Delete
    3. Click Save.
      Edit Access Level menu
      Note: The Name (SCWS_TDR) used in the example screenshot may differ in your environment.
  1. Click API Keys.
    API Keys tab
  2. Click Add API Key.
    Add API Key
  3. Within the Add API Key dialog box:
    1. Populate a Name.
    2. Set the Access Level Type to Custom by expanding the drop-down and selecting the Custom option.
    3. Set the Custom Access Level by expanding the drop-down and selecting the name of the Access Level.
    4. Optionally, populate a Description.
    5. Click Save.
    Add API Key menu
  4. Record the API ID and the API Secret Key. These are used to integrate Secureworks TDR.
    API ID and API Secret Key
    Note: The Clipboard icon may be used to record the API ID and API Secret Key.
  5. Close the API Credentials dialog to proceed.
  1. Click API Keys.
    API Keys tab
  2. The Org Key is present within the upper left corner of the right pane. Record the Org Key.
    Org Key
    Note: The example image shows a blurred Org Key to maintain the privacy of this organization.

Create the Integration Within Secureworks Taegis XDR

  1. Log in to your Secureworks XDR console.
    Note:
  2. Select Integrations on the left pane, and then select Cloud APIs.
    Cloud APIs
  3. Select Add API Integration in the upper right.
    Add API Integration
  4. Scroll to the bottom of the page and then select Set up Carbon Black.
    Set up Carbon Black button
  5. From the Set up Carbon Black menu:
    1. Select the Environment.
    2. Populate the Org Key.
    3. Populate the API ID.
    4. Populate the API Secret Key.
    5. Click Done.
    Set up Carbon Black menu
    Note:
    • Environment: This outlines the specific login URL that is used for the Carbon Black environment to be used for communication:
      • Prod01 - used for legacy Carbon Black customers in North America
      • Prod02 - used for legacy Carbon Black customers in North America
      • Prod05 - used for current and new Carbon Black customers in North America
    • Org Key: Organizational identifier for the Carbon Black environment
    • API ID: Administrator-generated token that links to a specific API provided by Carbon Black
    • API Secret Key: Console-generated token that links to a specific API provided by Carbon Black, created with the API ID
  6. Once complete, the Cloud API Integrations show a Status of Healthy. This denotes that the connection is in a good state. This completes the integration, and all data should be flowing from endpoints.
    Cloud API Integrations with a Healthy status
    Note: Any issues with the connection update the Status to an Error status.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Secureworks, VMware Carbon Black
Article Properties
Article Number: 000129699
Article Type: How To
Last Modified: 10 Jun 2024
Version:  10
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.