VMware Carbon Black is an endpoint security platform that offers in-depth insights into endpoint activities, helping you to pinpoint malicious events and trace breach origins. Panther’s native SIEM integration enables you to quickly collect, normalize, and monitor Carbon Black logs, giving your security team complete visibility over events in your Carbon Black tenant. Your normalized data is then retained to power future security investigations in a serverless data lake powered by Snowflake.
Use Cases for Carbon Black Logs
Panther offers native support for Carbon Black audit logs, which capture events such as login attempts, the creation or modification of connectors, and Live Response events. Some common SIEM use cases for these logs include:
- Real-time monitoring for endpoint activity and threats
- Detecting malicious or suspicious behavior on endpoints
- Corroborating Carbon Black events with other data sources
Onboarding Carbon Black Logs in Panther
Panther’s integration for Carbon Black is easy to configure, allowing you to stream your data into Panther in just a few minutes. You can simply select Carbon Black Events from the list of log sources in the Panther console, generate an API key in Carbon Black, and submit your key and credentials into Panther.
For more detailed onboarding steps or to view Panther’s pre-built schema for Carbon Black audit logs, check out our Carbon Black documentation here.
Normalizing & Analyzing Carbon Black Logs
As Panther ingests Carbon Black logs, they are parsed, normalized, and stored in a Snowflake security data lake. This empowers security teams to craft detections, identify anomalies, and conduct investigations on your data in the context of days, weeks, or months.
Panther’s managed schema will apply normalization fields to your Carbon Black logs, which standardize names for attributes and empower users to correlate and investigate data across all log types. For more on searching log data in Panther, check out our documentation on Investigations & Search.
Detection as Code
With Panther, your team won’t be confined to restrictive detection rules or domain-specific query languages as seen in many SIEM platforms. Panther is built with detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering workflows. This results in powerful, flexible, and reusable scripting of detections for your security team.
Panther triggers alerts when your detection rules or policies are matched, and integrates with a variety of alert destinations to allow for easy access and management of any Carbon Black alerts. Alerts can also be forwarded to alert context or SOAR platforms for more remediation options.
Alerts are categorized in five different severity levels: Info, Low, Medium, High, and Critical. Security teams have the options to dynamically assign severity based on specific log event attributes.
If you have any questions about configuring or monitoring Carbon Black logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.
You can view our documentation on configuring and monitoring Carbon Black logs here, or customers can sign up for the Panther Community to share best practices or custom detections for monitoring Carbon Black.
The Ideal SIEM Integration for Carbon Black
With Panther, security teams don’t have to struggle with restrictive detection logic, waste time and resources on operational overhead, or pay skyrocketing costs to keep up with the growth of their organization’s data. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.
Panther is a cloud SIEM built for security operations at scale, offering easy data ingestion, flexible detection-as-code, and intuitive alert and response workflows to keep up with the needs of today’s security teams. For a powerful, flexible, and scalable SIEM integration for Carbon Black, request a demo today.