Red Canary’s partnership with Carbon Black began shortly after their launch of the first telemetry collection endpoint detection and response (EDR) sensor (now called Carbon Black EDR). Together we paired their industry-best telemetry collection with Red Canary’s industry-best security operations to deliver exceptional security outcomes to our joint users.
The Red Canary and Carbon Black technology integration leverages an event forwarder designed in partnership with our engineering teams that forwards the complete set of telemetry collected by the Carbon Black sensor to Red Canary.
While most companies’ Carbon Black integrations use a handful of watchlists in Carbon Black to achieve their detection use cases, Red Canary’s low-level integration leverages the raw telemetry against thousands of detection analytics that are more expressive and feature rich than watchlists.
This combination of Carbon Black telemetry and Red Canary’s detection and response delivers the best security outcomes for Carbon Black users.
How it works
Red Canary and Carbon Black use several integration points to implement exceptional security operations. There are three deployment models available.
Most users have Red Canary host and manage their Carbon Black EDR deployment. Our team has been managing Carbon Black EDR deployments longer than any other company and operates hundreds of them. Our team carefully tunes these deployments to optimize for speed of telemetry collected from your endpoints, frequently at our own expense for better performance.
The second deployment model is available for organizations that have Carbon Black hosting their Carbon Black EDR platform. In this deployment model, Carbon Black hosts an event forwarder that sends telemetry to Red Canary and allows our platform to connect to your Carbon Black EDR deployment.
A final, though rare, deployment model is for organizations that are already running a Carbon Black EDR deployment inside their network. This model is not ideal for many reasons: Red Canary loses our ability to control the server’s tuning and configuration and we are unable to add additional hardware when scaling, but it may be approved under certain circumstances.
In this deployment model, a VPN connection is established from your Carbon Black EDR server to Red Canary’s infrastructure to facilitate secure communication between the platforms.
If Red Canary is hosting and managing your Carbon Black EDR deployment (most common), there’s nothing you need to do. We’ve done it all!
If you are connecting Red Canary to a Carbon Black-hosted Carbon Black EDR deployment:
- Share your Carbon Black EDR console URL with Red Canary so we can record the deployment name and region.
- Submit a support case in your Carbon Black support portal requesting that they “Please apply the Red Canary profile to our instance.” This instructs Carbon Black to grant Red Canary access to your Carbon Black console and begin sending your telemetry to Red Canary for processing.
- Red Canary will coordinate the telemetry connection with Carbon Black and notify you when data is successfully flowing between the platforms.
If you are connecting Red Canary to a Carbon Black EDR deployment running in your network, Red Canary will provide an integration guide that we’ll work through together. In summary:
- Red Canary will configure a VPN client and credentials package for your team to install on your Carbon Black EDR server.
- You will install that VPN package and configure your Carbon Black EDR server to allow a Red Canary-hosted event forwarder to retrieve telemetry from your Carbon Black server.
- You will create user accounts for the Red Canary platform to connect to your Carbon Black EDR server.
What kind of Carbon Black data does Red Canary process?
We receive all of the data collected by your Carbon Black sensors, as well as a number of system events generated by the Carbon Black platform. Endpoint telemetry is used for detection purposes; for Red Canary-hosted deployments, several system events become audit logs in the Red Canary platform.
Can I export the data collected by Carbon Black?
Absolutely. You can use the Canary Exporter to export Carbon Black telemetry from Red Canary into your SIEM, long-term storage, or other processing pipeline. Learn more about exporting telemetry from Red Canary.