# VMware Carbon Black

SureCloud connects to VMware Carbon Black to retrieve endpoint inventory, sensor deployment status, and threat detection data. This integration covers VMware Carbon Black Cloud (CBC), VMware Carbon Black App Control (CBAC), and VMware Carbon Black EDR (formerly Cb Response), providing evidence that endpoint security controls are active and that detected threats are being tracked.

{% hint style="info" %}
If your organisation uses Carbon Black Cloud exclusively (without App Control or on-premises EDR), the Carbon Black integration page provides equivalent coverage. This page covers deployments that span multiple Carbon Black products or use App Control and on-premises EDR components.
{% endhint %}

## Authentication and setup

Authentication varies by Carbon Black product. SureCloud supports API key authentication for all VMware Carbon Black products.

{% tabs %}
{% tab title="Carbon Black App Control (CBAC)" %}
{% stepper %}
{% step %}
**Generate an API token in App Control**

Log in to the Carbon Black App Control console. Navigate to **Profile → API Token** and click **Generate API Token**. Copy the token.
{% endstep %}

{% step %}
**Enter the credentials in SureCloud**

Navigate to **SureCloud → Integrations → VMware Carbon Black → Connect (App Control)**. Enter the App Control server URL and the API token. Click **Save** and then **Test Connection**.
{% endstep %}
{% endstepper %}
{% endtab %}

{% tab title="Carbon Black EDR (on-premises)" %}
{% stepper %}
{% step %}
**Generate an API token in Cb EDR**

Log in to the Carbon Black EDR server console. Navigate to **User Profile → API Token** and copy the token.
{% endstep %}

{% step %}
**Enter the credentials in SureCloud**

Navigate to **SureCloud → Integrations → VMware Carbon Black → Connect (EDR)**. Enter the EDR server URL and the API token. Click **Save** and then **Test Connection**.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Store API tokens securely. SureCloud encrypts them at rest, but treat them as sensitive credentials. Rotate them every 90 days and update the stored token in **SureCloud → Integrations → VMware Carbon Black → Edit Connection**.
{% endhint %}
{% endtab %}
{% endtabs %}

## Endpoints

**App Control:**

| API Call                            | Use Case                                                |
| ----------------------------------- | ------------------------------------------------------- |
| `GET /api/bit9platform/v1/computer` | Enumerate managed endpoints and their enforcement level |
| `GET /api/bit9platform/v1/policy`   | Retrieve application control policies                   |
| `GET /api/bit9platform/v1/event`    | Retrieve security events and policy violations          |

**Carbon Black EDR (on-premises):**

| API Call              | Use Case                                                       |
| --------------------- | -------------------------------------------------------------- |
| `GET /api/v1/sensor`  | Enumerate sensors (endpoints) and their connection status      |
| `GET /api/v1/alert`   | Retrieve EDR alerts and detection events                       |
| `GET /api/v1/process` | Retrieve process execution records for threat hunting evidence |

## Pagination

App Control and EDR API endpoints use `start` and `rows` parameters. SureCloud increments `start` by `rows` until the returned count falls below the page size.

```http
GET /api/bit9platform/v1/computer?start=200&rows=200
```
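The loop described above can be sketched as follows. This is an added example, not SureCloud's own code: `fetch_page` is a hypothetical caller-supplied function that performs the authenticated GET and returns the decoded record list, `MAX_PAGES` is an assumed safety cap, and `make_fake_server` is a constructed stand-in so the block runs offline.

```python
from urllib.parse import parse_qs, urlencode, urlparse

PAGE_SIZE = 200  # matches rows=200 in the request shown above
MAX_PAGES = 500  # assumed safety cap, not a documented SureCloud limit


def page_url(path, start, rows=PAGE_SIZE):
    """Build the relative URL for one page of results."""
    return f"{path}?{urlencode({'start': start, 'rows': rows})}"


def fetch_all(fetch_page, path, rows=PAGE_SIZE, max_pages=MAX_PAGES):
    """Collect every record by advancing `start` in steps of `rows`.

    `fetch_page(url)` is hypothetical: it performs the authenticated GET
    and returns the decoded list of records for that page.
    """
    records, start = [], 0
    for _ in range(max_pages):
        page = fetch_page(page_url(path, start, rows))
        if len(page) > rows:
            # Server ignored `rows`; stepping by `rows` would skip records.
            raise ValueError(f"start={start}: got {len(page)} rows, asked for {rows}")
        records.extend(page)
        if len(page) < rows:  # short or empty page marks the end of the data
            return records
        start += rows
    # A server that ignores `start` returns full pages forever; stop instead.
    raise RuntimeError(f"no short page after {max_pages} pages; aborting")


def make_fake_server(total):
    """Constructed stand-in for the API: serves `total` numbered records."""
    calls = []

    def fetch_page(url):
        query = parse_qs(urlparse(url).query)
        start, rows = int(query["start"][0]), int(query["rows"][0])
        calls.append(start)  # record each requested offset for inspection
        return [{"id": i} for i in range(start, min(start + rows, total))]

    return fetch_page, calls
```

When the total is an exact multiple of the page size, the last full page is followed by one more request that returns an empty page, which is what ends the loop.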

## Required permissions

SureCloud requires read-only API tokens for each Carbon Black product component. No write, block, or policy-enforcement permissions are required.

## Polling frequency

| Data Type                         | Interval       |
| --------------------------------- | -------------- |
| Endpoint and sensor inventory     | Every 24 hours |
| Threat alerts and security events | Every 4 hours  |
| Policy configuration              | Every 24 hours |

## Troubleshooting

<details>

<summary>Connection test returns 401 Unauthorized</summary>

The API token is invalid or has been revoked. Regenerate the token within the respective Carbon Black product console and update it in **SureCloud → Integrations → VMware Carbon Black → Edit Connection**.

</details>

<details>

<summary>On-premises server is unreachable</summary>

Carbon Black App Control and EDR are deployed on-premises. Confirm the server URL is accessible from the SureCloud collector network over HTTPS. Contact SureCloud Support for firewall requirements.

</details>

<details>

<summary>Process data returns large volumes and causes timeouts</summary>

Carbon Black EDR process data can be very large. SureCloud applies time-range and count limits to process queries to avoid timeout issues. If process evidence is required for a specific investigation, use the Carbon Black EDR console directly for detailed forensic queries.

</details>


