
Re: Carbon Black - Technology Integrations

Thanks Jesse

For now we're just waiting on a VLC in the DMZ for SYSLOGTLS -> VLC. In terms of architecture, though, the preference is still pull. [Not sure how flexible the source IP restrictions for CBER cloud will be for writing FW rules for inbound syslogtls.]

>to support native calls from a VLC to the API service

We've seen that done in the AWS CloudTrail plugin. Is there any documentation for writing generic web collection ones? [Perhaps a useful use case would be generic S3 bucket collection + JSON to syslog, similar to what's done with CloudTrail.]

Is there any documentation on writing the transforms for JSON files? [I guess for CB there are 2 choices - LEEF or JSON.]

Ideally with proxy support for the API HTTPS reqs.

>Since this is a supported methodology from RSA it also has the benefit of being configurable via the SA GUI once you have successfully configured the poll

I thought it was what the customers wanted documented, but was only 'supported by paying money to prof services to develop for you'?

>SNARE Epilog

Thanks, that looks interesting.

>If you have a VLC in a DMZ you could also host the calls to the API service on that VLC, write the logs to a file, then use the file reader service on the VLC to ingest the logs.

Interesting, haven't thought of doing that... We do that for IIS, but the uploading and incremental bits are managed by the SFTPNIC agent.