In Carbon Black Cloud under "Settings > API Access" customers may see that there is already an API key configured for Red Canary (i.e "redcanary.svc Red Canary live response").
VMware Carbon Black EDR (CB Response)
VMware Carbon Black Cloud
The "redcanary.svc Red Canary live response" API is what allows Red Canary to use Carbon Black Live Response in order to perform automate functions. These functions include: Kill process, capture/delete file, etc. This does NOT mean that Red Canary uses the API to perform arbitrary Live Response actions locally on endpoints. This is only used so that Red Canary can utilize automate functions within Carbon Black when necessary.
The Red Canary Platform makes various API calls back to the EDR product for data enrichment, response actions, remediation actions, and investigative automation tasks. Due to the way that Carbon Black created their role based access and permission architecture, there is no one single API key that can perform all tasks.
Below is a brief explanation for each API Key Red Canary creates:
API specifically for banning a binary from executing. Red Canary and now Cloudflare is included in the early preview of this new feature. Currently, CB sets the permissions requiring a separate key.
- redcanary.cbcef Red Canary event forwarding
Primary method of Red Canary to gain endpoint visibility through the CBC Event Forwarder.
- redcanary.svcRed Canary live response
Provides enrichment capability for endpoint data not present in the Event Forwarder stream (i.e. all endpoints active in the past 6 hours), provides investigation capability included in Red Canary (i.e. full process tree), and the ability for response/remediation actions through Red Canary Automate (i.e. Isolate, de-isolate, capture file, delete file, etc.)