IDR & Carbon Black Defense Event Source

Hi there community peeps! Had a quick question to see if anyone has had any experience with getting the Carbon Black Defense event source set up? I seem to be running into some slight difficulties getting it to work and just wanted to see if anyone may have some advice on the configuration aspect?

Thank you

@patrick_hook - What’s the issue you’re running into? This might be something best handled by our Support team but want to make sure we can’t help before we go down that path :slight_smile:

Hi Aniket,

I followed the docs from Rapid7 / Carbon Black. Cannot seem to get the event source to ingest data. I have a support case open with Rapid, but I was hoping maybe another user on the forum may have had some gotcha experience or had experienced this challenge before :smirk:

I am happy to report I figured out the issue. There is a very important step one must do when configuring this event source. In the Carbon Black Defense console, you must go to Settings, Notifications & then configure threat notifications for your API key and set the threshold.

The docs provided on the Rapid7 side do not seem to mention this, and after reviewing the Carbon Black docs, they don't really do it justice either lol. Link below to the Rapid documentation if someone from Rapid wanted to make a note of this =)

6 Likes

@patrick_hook Brilliant! Thanks a ton, man. We will send this over to the docs team as well to get the guide updated. So glad to have you as part of our community! :100: :boom:

1 Like

Hi guys. Is there an update to that document because it is no longer available. 404 error.

Carbon Black Defense was renamed to Carbon Black Endpoint Standard, and is supported under the IDR Carbon Black Cloud event source.

https://docs.rapid7.com/insightidr/carbon-black-cloud/