What this integration is
This integration ingests VMware Carbon Black Cloud alert data into your SOCFortress SIEM stack by polling the Carbon Black Cloud APIs.
Data path (how it flows)
- Carbon Black Cloud → API polling/collector
- Collector → SIEM ingestion (indexing/search)
- Optional: alerting + routing into Incident Management
Prerequisites
- Carbon Black Cloud console access
- API access enabled
- Alerts API: https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/alerts-api/
Credentials & permissions you’ll need
From the Carbon Black Cloud console:
- API ID
- API Secret Key
- ORG Key
- ORG ID
- Base API hostname (e.g., https://defense.conferdeploy.net)
- A custom access level with Alerts: READ
- An API key bound to that access level
CoPilot setup (recommended workflow)
- Provision the customer (tenant wiring).
- In CoPilot → customer → Integrations → Add integration → Carbon Black.
- Paste the API credentials + org identifiers.
- Deploy/start the collector/connector component (if your deployment model uses a containerized collector).
Success criteria
- Carbon Black alerts are arriving
- Alerts/events are tagged to the correct customer
Troubleshooting
- Confirm API key permissions include alerts read access.
- Confirm ORG identifiers match your tenant.
- Validate base URL/region (commercial vs other environments).
- Check collector logs for rate limiting/auth failures.
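The data path, credential handling and customer tagging described above, as an added example (not SOCFortress's or Carbon Black's own collector code). It assumes the Alerts API v7 search endpoint and placeholder credentials; the tenant label and window size are hypothetical.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Placeholder identifiers: copy the real values from the Carbon Black Cloud console.
BASE_URL = "https://defense.conferdeploy.net"  # region-specific API hostname
ORG_KEY = "ORG_KEY_PLACEHOLDER"
API_ID = "API_ID_PLACEHOLDER"
API_SECRET = "API_SECRET_PLACEHOLDER"
CUSTOMER_CODE = "customer-a"  # hypothetical SOCFortress tenant label

def auth_headers(api_id: str, api_secret: str) -> dict:
    # Carbon Black Cloud authenticates with X-Auth-Token = "<API Secret Key>/<API ID>".
    return {"X-Auth-Token": f"{api_secret}/{api_id}", "Content-Type": "application/json"}

def build_search_body(window_minutes: int, start: int = 1, rows: int = 500) -> dict:
    # Alerts API v7 search: explicit UTC window, oldest first, paginated with start/rows.
    end = datetime.now(timezone.utc)
    begin = end - timedelta(minutes=window_minutes)
    fmt = "%Y-%m-%dT%H:%M:%S.000Z"
    return {"time_range": {"start": begin.strftime(fmt), "end": end.strftime(fmt)},
            "start": start, "rows": rows,
            "sort": [{"field": "backend_timestamp", "order": "ASC"}]}

def next_start(start: int, page: dict):
    # Advance the 1-based cursor by the rows returned; None once past num_found.
    got = len(page.get("results", []))
    if got == 0 or start + got > page.get("num_found", 0):
        return None
    return start + got

def tag_alerts(results: list, customer_code: str) -> list:
    # Stamp each alert with the tenant so it lands under the right customer in the SIEM.
    return [dict(alert, customer_code=customer_code) for alert in results]

def fetch_page(body: dict) -> dict:
    # A 401/403 here means the API key or access level is wrong; 429 means rate limiting.
    url = f"{BASE_URL}/api/alerts/v7/orgs/{ORG_KEY}/alerts/_search"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers=auth_headers(API_ID, API_SECRET))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def poll(window_minutes: int = 15) -> list:
    # Walk every page of the window and return customer-tagged alerts ready for ingestion.
    start, tagged = 1, []
    while start is not None:
        page = fetch_page(build_search_body(window_minutes, start))
        tagged.extend(tag_alerts(page.get("results", []), CUSTOMER_CODE))
        start = next_start(start, page)
    return tagged
```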
