Partner Perspectives: SOAR with Demisto and Carbon Black

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Abhishek Iyer is the Technical Marketing Manager for Demisto.

Automate your Endpoint Protection and Incident Response

Demisto’s security orchestration and automation platform enables organizations to standardize, automate and coordinate response processes across their security stack. Playbooks powered by thousands of security actions make scalable, accelerated incident response a reality. New forms of sophisticated cybersecurity threats targeting enterprises continually emerge utilizing multiple attack vectors. In this environment, understanding attack components, responding quickly, monitoring endpoint vitals and ensuring continuous compliance become vital. Analysts need a platform that enables complete visibility over servers, critical systems and endpoints, while also allowing them to proactively hunt for and respond to threats.

Carbon Black users can now leverage Demisto’s security orchestration and automation capabilities with Cb Defense, Cb Response and Cb Protection to coordinate application and compliance control, endpoint detection and response (EDR) and SOC incident response from a single console.  

Carbon Black + Demisto Integration Highlights:

  • Create Demisto incidents and trigger playbooks in response to alerts from Cb Response for enrichment, triage and resolution.
  • Run automation scripts for Cb Defense actions, including quarantining devices, blocking malicious files and updating watchlists.
  • Trigger playbooks in response to policy changes in Cb Protection.
  • Automate Cb Protection policy actions as playbook tasks.
  • Leverage hundreds of Demisto product integrations to enrich Carbon Black alerts and coordinate response across security functions.
  • Run hundreds of commands (including for Carbon Black) interactively via the ChatOps interface while collaborating with other analysts and Demisto AI.



JOINT USE CASE #1: Automated Endpoint Protection and Incident Response

Challenge: If SOCs use different solutions for incident response, threat hunting and EDR, it can be tough to track the lifecycle of an incident due to flitting between screens, fragmented information and lack of single-window documentation.

Solution: If SOCs use Cb Defense for EDR, Cb Response for incident response and Demisto Enterprise for security orchestration and automation, they can automate incident creation and trigger playbooks in Demisto for specific types of Cb Response alerts. This playbook will orchestrate investigative actions across an SOC’s suite of products in a single screen and seamless workflow.


For example, analysts can leverage Cb Defense to get alert details, device statuses and processes as automated playbook tasks.   

Benefit: Demisto playbooks coupled with Cb Defense actions can standardize and speed up triage and resolution of Cb Response alerts. Analysts can get a comprehensive view of the incident lifecycle, access documentation from a single source and forego the need to switch between screens while performing investigative actions.


JOINT USE CASE #2: Automated Security Policy and Compliance Management

Challenge: As organizations scale, coordinating security policy and software management across heterogeneous systems and environments becomes tough. Managers face many challenges, including trying to unify security policy actions across disparate networks, and tying-in these actions with incident response and other security measures.

Solution: SOCs can integrate Cb Response, Cb Protection and Demisto for seamless incident response and policy management.

For instance, a Cb Response alert can trigger a playbook in Demisto that, among other things, checks the Cb Protection console for additional system details and file catalogs. If the incident resolution involves an update to security policy rule sets, the playbook can also orchestrate those tasks instead of leaving them to security policy managers.

Benefit: Demisto acts as a bridge between Cb Response, Cb Protection and other security products that SOCs may use to both accelerate incident response and orchestrate any allied tasks that fall outside of its typical procedures. This ensures standardized response and updates, reduced effort and time through automation, and archived documentation for future learning.

With Demisto’s technology partner base, these use cases just scratch the surface of potential actions analysts can orchestrate using Carbon Black products as one of the components. If you’re new to Demisto and interested in exploring this integration among others, we invite you to sign up for the Demisto Community Edition below.



The post Partner Perspectives: SOAR with Demisto and Carbon Black appeared first on Carbon Black.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?