- 15 Jul 2024
- 5 Minutes to read
- PDF
How Red Canary Works with Carbon Black Response
- Updated on 15 Jul 2024
- 5 Minutes to read
- PDF
Red Canary’s partnership with Carbon Black began shortly after their launch of the first telemetry collection endpoint detection and response (EDR) sensor (now called Carbon Black EDR). Together we paired their industry-best telemetry collection with Red Canary’s industry-best security operations to deliver exceptional security outcomes to our joint users.
The Red Canary and Carbon Black technology integration leverages an event forwarder designed in partnership with our engineering teams that forwards the complete set of telemetry collected by the Carbon Black sensor to Red Canary.
While most companies’ Carbon Black integrations use a handful of watchlists in Carbon Black to achieve their detection use cases, Red Canary’s low-level integration leverages the raw telemetry against thousands of detection analytics that are more expressive and feature rich than watchlists.
This combination of Carbon Black telemetry and Red Canary’s detection and response delivers the best security outcomes for Carbon Black users.
How it works
Red Canary and Carbon Black use several integration points to implement exceptional security operations. There are three deployment models available.
Most users have Red Canary host and manage their Carbon Black EDR deployment. Our team has been managing Carbon Black EDR deployments longer than any other company and operates hundreds of them. We carefully tune these deployments to optimize for speed of telemetry collected from your endpoints, frequently at our own expense for better performance.
The second deployment model is available for organizations that have Carbon Black hosting their Carbon Black EDR platform. In this deployment model, Carbon Black hosts an event forwarder that sends telemetry to Red Canary and allows our platform to connect to your Carbon Black EDR deployment.
A final, though rare, deployment model is for organizations that are already running a Carbon Black EDR deployment inside their network. This model is not ideal for many reasons: Red Canary loses our ability to control the server’s tuning and configuration and we are unable to add additional hardware when scaling, but it may be approved under certain circumstances.
In this deployment model, a VPN connection is established from your Carbon Black EDR server to Red Canary’s infrastructure to facilitate secure communication between the platforms.
Getting started
If Red Canary is hosting and managing your Carbon Black EDR deployment (most common), there’s nothing you need to do. We’ve done it all!
If you are connecting Red Canary to a Carbon Black-hosted Carbon Black EDR deployment:
Share your Carbon Black EDR console URL with Red Canary so we can record the deployment name and region.
Submit a support case in your Carbon Black support portal requesting that they “Please apply the Red Canary profile to our instance.” This instructs Carbon Black to grant Red Canary access to your Carbon Black console and begin sending your telemetry to Red Canary for processing.
Red Canary will coordinate the telemetry connection with Carbon Black and notify you when data is successfully flowing between the platforms.
If you are connecting Red Canary to a Carbon Black EDR deployment running in your network, Red Canary will provide an integration guide that we’ll work through together. In summary:
Red Canary will configure a VPN client and credentials package for your team to install on your Carbon Black EDR server.
You will install that VPN package and configure your Carbon Black EDR server to allow a Red Canary-hosted event forwarder to retrieve telemetry from your Carbon Black server.
You will create user accounts for the Red Canary platform to connect to your Carbon Black EDR server.
FAQ
What kind of Carbon Black data does Red Canary process?
We receive all of the data collected by your Carbon Black sensors, as well as a number of system events generated by the Carbon Black platform. Endpoint telemetry is used for detection purposes; for Red Canary-hosted deployments, several system events become audit logs in the Red Canary platform.
Can I export the data collected by Carbon Black?
Absolutely. You can use the Canary Exporter to export Carbon Black telemetry from Red Canary into your SIEM, long-term storage, or other processing pipeline. Learn more about Export data from Red Canary.
What if I observe high CPU performance on a Windows endpoint?
You would typically see these types of things on some of the following types of servers:
Domain controllers
DHCP/DNS servers
Exchange servers
An application server that would require this type of lookup
You can observe this behavior by pulling up “Task Manager,” where you may find that the (cb.exe) has a higher percentage of the available CPU.
To resolve this issue you need to add the following registry entry and restart the server:
[HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config]
"DisableNetConnNameResolution"=dword:00000001
What do I do if I have installed the sensor but the endpoint does not show up in Red Canary or my Vmware Carbon Black EDR instance?
You can run through several steps to troubleshoot network connectivity:
Ensure cb.exe is running (visible to administrators via Task Manager) and the Carbon Black Sensor service shows as Running in the Services list.
Ensure that nothing is blocking communications to the VMware server at https://cb.demo.my.redcanary.co:443 .
There may be a firewall (either host-based or network-based), web filter/proxy, etc. that is preventing SSL communications outbound to the Cb server.
DNS resolution must also be properly functioning on the system so the Cb server URL can be resolved to the appropriate IP address.
Visit the above URL using a web browser on the non-reporting system.
You may see an initial error related to the self-signed cert, but if you proceed through the error, you will see a Cb login screen if the traffic was permitted.
If you don’t see any response at all, this is likely due to a traffic block.
If the above doesn’t help, rebooting is worth a try, if business operations allow.
There is a known issue where Windows XP/2003 systems sometimes need to be rebooted after sensor installation, but this does not apply to Windows 7/2008 and above.
How can I fix duplicate sensorIDs?
The easiest way for a Windows system to get a new sensorID without reinstalling is to change a registry setting:
Open up Services and stop the Cb sensor service.
Open up regedit.
Open the key /HKEY_LOCAL_MACHINE/SOFTWARE/CarbonBlack/config/.
Open up SensorID and change the value to 0.
Start the Cb sensor service.
What are the Networking requirements for VMware Carbon Black?
When you deploy Carbon Black Cloud Enterprise EDR sensors, you want to know all of the associated network requirements so that your sensors will communicate properly and behave as expected.
The following documentation includes all the allowlist domains and IPs necessary to deliver telemetry to Red Canary: