How Red Canary Works with Carbon Black Cloud
    • 09 Aug 2024

    Red Canary’s partnership with Carbon Black began shortly after Carbon Black launched the first telemetry-collecting endpoint detection and response (EDR) sensor (now called Carbon Black EDR). Together we paired Carbon Black’s industry-leading telemetry collection with Red Canary’s security operations to deliver strong security outcomes to our joint users.

    The Red Canary and Carbon Black technology integration relies on an event forwarder, designed jointly by the two companies’ engineering teams, that sends the complete set of telemetry collected by the Carbon Black sensor to Red Canary.

    Most Carbon Black integrations either rely on a handful of Carbon Black watchlists to cover their detection use cases or use Carbon Black Cloud alerts alone as their detection source. Red Canary’s low-level integration instead runs the raw telemetry against thousands of detection analytics, which are more expressive and feature-rich than watchlists.

    This combination of Carbon Black telemetry and Red Canary’s detection and response delivers the best security outcomes for Carbon Black Cloud users.

    Red Canary and Carbon Black use several integration points to implement exceptional security operations.

    Getting Started

    Connect your Carbon Black Cloud deployment to Red Canary by following these steps:

    1. Submit a support case in your Carbon Black support portal requesting that they “Please apply the Red Canary profile to our instance.” This request instructs Carbon Black to grant Red Canary access to your Carbon Black console and to begin sending your telemetry to Red Canary for processing.

    2. Red Canary will coordinate the telemetry connection with Carbon Black and notify you when data is successfully flowing between the platforms.

    3. Red Canary will configure an alert source for Carbon Black that sends each Carbon Black alert to Red Canary for investigation.

    This process generally takes one to two days, depending on how quickly Carbon Black sets up its side of the integration.

    FAQ

    What kind of Carbon Black data does Red Canary process?

    We receive all of the data collected by your Carbon Black sensors, as well as a number of system events generated by the Carbon Black platform. Endpoint telemetry is used for detection purposes.

    What happens to my Carbon Black alerts when I activate Red Canary?

    If your Carbon Black subscription includes Endpoint Standard (formerly known as Carbon Black Defense), Red Canary processes every alert generated by Carbon Black’s detection rules to determine whether it is a true or false positive. Red Canary’s investigation of these alerts adds context to confirmed alerts to accelerate your response.

    Can I export the data collected by Carbon Black?

    Yes. You can use the Canary Exporter to export Carbon Black telemetry from Red Canary into your SIEM, long-term storage, or other processing pipeline. For more information, see Export data from Red Canary.

    Why am I unable to remove the sensor? 

    This is commonly seen when the sensor installation has been corrupted.

    Carbon Black has created a sensor removal tool that does not require safe mode. Use it when you cannot boot the endpoint into safe mode or when the system cannot take downtime.

    Learn more about using the sensor removal tool.
