Carbon Black
  • 27 Mar 2025

Carbon Black is a cloud-native endpoint protection platform that secures your endpoints using a single, lightweight agent and an easy-to-use console. For detailed information, refer to the Carbon Black official documentation.

Integration Method: API

Tables: Detection Finding (2004)

This integration supports the following events.

| Event  | Description             |
|--------|-------------------------|
| Alerts | Retrieve list of alerts |

This integration supports the following versions.

Carbon Black API version: v7

Note:

Carbon Black is a continuously updated cloud service. As of this document's preparation, the latest release was in March 2025.

Prerequisites

  • The user should have access to the Carbon Black portal with an account that has Global Administrator privileges.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Generate an API token with the required scopes

    1. Create Access Level

    2. Create API key

    3. Copy ORG KEY

  2. Add the Carbon Black data feed in the DataBee console with the below parameters.

    | DataBee Parameter       | Carbon Black Parameter |
    |-------------------------|------------------------|
    | Access Key              | API ID                 |
    | Secret Key              | API Secret Key         |
    | Organization Key        | ORG KEY                |
    | API Base URL <hostname> | hostname               |

Carbon Black Configuration

Create Access Level

  1. Log in to your Carbon Black cloud dashboard.

  2. Get the Carbon Black hostname from the URL of the dashboard.
     

  3. Navigate to Settings > API Access.
     

  4. Navigate to Access Levels and click on Add Access Level.

  5. In the “Add Access Level” page, confirm the following, and click on Save.

    • Name: enter a name for the Access Level.

    • Description: enter a suitable description for the Access Level.

    • Select the below category with permissions.

      | Category | Permission Name     | Permission |
      |----------|---------------------|------------|
      | Alerts   | General Information | READ       |


Create API key

  1. Navigate to API Keys and click on Add API Key.
     

  2. In the “Add API Key” page, confirm the following, and click on Save.

    • Name: enter the API Key Name.

    • Access Level type: select Custom.

    • Custom Access Level: select the Custom Access Level Name that you created in the previous step.

  3. Copy the API ID and API Secret Key.
     

    Note:

    Copy and save this value. You will not be able to retrieve the API Secret Key later.

Copy ORG KEY

  1. Navigate to Settings > General.
     

  2. Copy the ORG KEY.
     

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
     

  2. Search for Carbon Black and click it.
     

  3. Click on the API Ingest option for collection method.
     

  4. Enter feed contact information and click Next.
     

  5. In the configuration page, confirm the following:

    • Authorization Method: Custom API Key

    • API Base URL: replace <hostname> with your Carbon Black account hostname.

    • Access Key: enter API ID.

    • Secret Key: enter API Secret Key.

    • Organization Key: enter ORG KEY.

    • Event Types: preselected for all the event types that the integration pulls.

  6. Click Submit.

Troubleshooting Tips

  • Ensure the API ID and API Secret Key are pasted correctly. Since you cannot view the credentials after the first time, re-create the credentials, paste them into a text editor to ensure no spaces or unexpected characters are included, and reconfigure the DataBee feed.

  • Ensure the Carbon Black scopes/permissions for the Access Level are correct.
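
The two checks above can be scripted before the feed is reconfigured. The following is an added example, not DataBee or Carbon Black code: the function names are hypothetical, the sample values are constructed, and the Alerts v7 search path, the `X-Auth-Token: <API Secret Key>/<API ID>` header format, the `{"rows": 1}` body and the 401/403 interpretation are assumptions taken from the Carbon Black Cloud API conventions rather than from this page.

```python
import json
import urllib.error
import urllib.request


def check_value(name, value):
    """List problems in one pasted value: whitespace, non-ASCII, control chars."""
    if not value:
        return [f"{name} is empty"]
    problems = []
    if value != value.strip():
        problems.append(f"{name} has leading or trailing whitespace")
    odd = sorted({ascii(c) for c in value.strip()
                  if c.isspace() or not c.isascii() or not c.isprintable()})
    if odd:
        problems.append(f"{name} contains unexpected characters: {' '.join(odd)}")
    return problems


def check_hostname(hostname):
    """The feed form expects a bare hostname, not a full URL."""
    problems = check_value("hostname", hostname)
    if "/" in hostname:
        problems.append("hostname must not include a scheme or path")
    return problems


def build_request(hostname, org_key, api_id, api_secret):
    """Minimal Alerts v7 search (assumed path); token is 'API Secret Key/API ID'."""
    url = f"https://{hostname}/api/alerts/v7/orgs/{org_key}/alerts/_search"
    headers = {"X-Auth-Token": f"{api_secret}/{api_id}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps({"rows": 1}).encode()


def probe(hostname, org_key, api_id, api_secret, timeout=10):
    """Send one search and map the status to its usual HTTP meaning (assumption)."""
    url, headers, body = build_request(hostname, org_key, api_id, api_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return f"HTTP {resp.status}: key accepted"
    except urllib.error.HTTPError as err:
        hint = {401: "API ID or API Secret Key rejected",
                403: "access level lacks Alerts READ"}.get(err.code, "see response")
        return f"HTTP {err.code}: {hint}"


if __name__ == "__main__":
    # Constructed sample values, not real credentials; note the pasted trailing space.
    for name, value in [("API ID", "A1B2C3D4E5 "), ("ORG KEY", "ABCD1234")]:
        print(name, check_value(name, value) or "ok")
    print(check_hostname("https://defense.example.invalid"))
```

`probe()` never prints the token; run it only from a host where the API Secret Key may be handled, and pass the values from a secrets store rather than the command line.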

