From 31bcf0a7e5a1680221e86565ddc5c9afa1bcbe2c Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Tue, 7 Oct 2025 18:04:33 +0530 Subject: [PATCH 1/3] Carbon Black Inventory --- blog-service/2025-10-07-apps.md | 12 ++ cid-redirects.json | 1 + .../product-list/product-list-a-l.md | 1 + .../saas-cloud/carbon-black-inventory.md | 137 ++++++++++++++++++ docs/integrations/saas-cloud/index.md | 6 + sidebars.ts | 1 + 6 files changed, 158 insertions(+) create mode 100644 blog-service/2025-10-07-apps.md create mode 100644 docs/integrations/saas-cloud/carbon-black-inventory.md diff --git a/blog-service/2025-10-07-apps.md b/blog-service/2025-10-07-apps.md new file mode 100644 index 0000000000..8ad93b88c0 --- /dev/null +++ b/blog-service/2025-10-07-apps.md @@ -0,0 +1,12 @@ +--- +title: Carbon Black Inventory (Apps) +image: https://help.sumologic.com/img/reuse/rss-image.jpg +keywords: + - apps + - carbon-black-inventory +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +We're excited to introduce the new Sumo Logic app for Carbon Black Inventory. This app offers you enhanced capabilities to identify risks and configuration gaps in your environment. [Learn more](/docs/integrations/saas-cloud/carbon-black-inventory/). \ No newline at end of file diff --git a/cid-redirects.json b/cid-redirects.json index 0db1bc8257..d3c059db11 100644 --- a/cid-redirects.json +++ b/cid-redirects.json 
@@ -2946,6 +2946,7 @@ "/cid/1108": "/docs/integrations/saas-cloud/trellix-mvision-epo", "/cid/1110": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity", "/docs/integrations/microsoft-azure/microsoft-defender-for-identity/": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity", + "/cid/1112": "/docs/integrations/microsoft-azure/carbon-black-inventory", "/Cloud_SIEM_Enterprise": "/docs/cse", "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration", "/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration", diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md index 27b7b5320d..7f80f07420 100644 --- a/docs/integrations/product-list/product-list-a-l.md +++ b/docs/integrations/product-list/product-list-a-l.md @@ -146,6 +146,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [Cassandra](https://cassandra.apache.org/) | Apps:
- [Cassandra](/docs/integrations/databases/cassandra/)
- [Cassandra - OpenTelemetry](/docs/integrations/databases/opentelemetry/cassandra-opentelemetry/) | | Thumbnail icon | [Catchpoint](https://www.catchpoint.com/) | Partner integration: [Catchpoint](https://github.com/catchpoint/Integrations.SumoLogic/blob/main/README.md) | | Thumbnail icon | [Cato Networks](https://www.catonetworks.com/) | App: [Cato Networks](/docs/integrations/saas-cloud/cato-networks/)
Cloud SIEM integration: [Cato Networks](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/53e043b0-76e3-471a-84ec-0266a4f3b279.md)
Collector: [Cato Networks Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cato-networks-source/) | +| Thumbnail icon | Carbon Black Inventory | App: [Carbon Black Inventory](/docs/integrations/saas-cloud/carbon-black-inventory/)
Collector: [Carbon Black Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cato-networks-source/) | | Thumbnail icon | [Censys](https://censys.com/) | Automation integrations:
- [Censys](/docs/platform-services/automation-service/app-central/integrations/censys/)
- [Censys V2](/docs/platform-services/automation-service/app-central/integrations/censys-v2/) | | Thumbnail icon | [Certego](https://www.certego.net/) | Automation integration: [Certego](/docs/platform-services/automation-service/app-central/integrations/certego/) | | Thumbnail icon | [ChatGPT Compliance](https://chatgpt.com/) | Collector: [ChatGPT Compliance Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/chatgpt-compliance-source) | diff --git a/docs/integrations/saas-cloud/carbon-black-inventory.md b/docs/integrations/saas-cloud/carbon-black-inventory.md new file mode 100644 index 0000000000..12839e95c7 --- /dev/null +++ b/docs/integrations/saas-cloud/carbon-black-inventory.md 
@@ -0,0 +1,137 @@ +--- +id: carbon-black-inventory +title: Carbon Black Inventory +sidebar_label: Carbon Black Inventory +description: The Sumo Logic app for Carbon Black Inventory enables security analysts identify risks and configuration gaps to improve endpoint hygiene, faster response, and stronger overall security. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +Carbon Black Inventory icon + +The Sumo Logic app for Carbon Black Inventory offers comprehensive visibility into endpoint assets and their security posture across your environment. By consolidating key device data, including total device counts, compliance status, antivirus and sensor health, and vulnerability levels, the app enables security teams to quickly identify at-risk endpoints and configuration gaps. + +Dedicated panels highlight quarantined devices, non-compliant endpoints, systems with passive or outdated sensors, and devices lacking recent antivirus scans, allowing you to efficiently monitor operational hygiene and security coverage. Visualizations by operating system, vulnerability severity, and geographic location provide valuable context for prioritizing patching and remediation. + +By surfacing high-priority issues, such as stale endpoints, disabled firewalls, or devices located in embargoed regions, alongside a complete inventory summary, the Sumo Logic app for Carbon Black Inventory helps you maintain strong endpoint hygiene, reduce risk exposure, and support compliance initiatives. This unified view empowers teams to respond faster, improve device management, and strengthen security across the IT environment. + +:::info +This app includes [built-in monitors](#carbon-black-inventory-alerts). For details on creating custom monitors, refer to [Create monitors for Carbon Black Inventory app](#create-monitors-for-the-carbon-black-inventory-app). 
+::: + +## Log types + +This app uses Sumo Logic’s [Carbon Black Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/carbon-black-inventory-source/) to collect device logs from the Carbon Black Inventory platform. + +## Sample log message + +
+Device Log + +```json +{ + "id": 2008, + "name": "Device-NotReporting", + "os": "WINDOWS", + "os_version": "Windows 7", + "last_external_ip_address": "2.58.14.95", + "quarantined": false, + "compliance_status": "COMPLIANT", + "host_based_firewall_status": "ENABLED", + "av_status": [ + "AV_ACTIVE" + ], + "sensor_pending_update": false, + "sensor_out_of_date": false, + "passive_mode": false, + "sensor_states": [ + "LIVE_RESPONSE_NOT_RUNNING" + ], + "av_last_scan_time": "2025-09-25T19:11:38.742Z", + "vulnerability_score": 2.5, + "vulnerability_severity": "LOW", + "last_contact_time": "2025-09-25T19:11:38.742Z", + "last_reported_time": "2025-09-25T19:11:38.742Z", + "registered_time": "2025-09-25T19:11:38.742Z" +} +``` +
+ +## Sample queries + +```sql title="Total Devices" +_sourceCategory="Labs/CarbonBlackInventory" +| json "id", "quarantined", "compliance_status", "host_based_firewall_status", "av_status", "sensor_pending_update", "os", "vulnerability_severity", "last_external_ip_address", "sensor_states", "passive_mode", "name", "sensor_out_of_date", "last_reported_time", "last_contact_time", "registered_time", "vulnerability_score", "os_version", "av_last_scan_time" as id, quarantined, compliance_status, host_based_firewall_status, av_status_list, sensor_pending_update, os, vulnerability_severity, last_external_ip_address, sensor_states_list, passive_mode, name, sensor_out_of_date, last_reported_time, last_contact_time, registered_time, vulnerability_score, os_version, av_last_scan_time nodrop + +| where os matches "*" +| where vulnerability_severity matches "*" + +| count by id +| count +``` + +## Collection configuration and app installation + +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; + + + +:::important +Use the [Cloud-to-Cloud Integration for Carbon Black Inventory](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/carbon-black-inventory-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Carbon Black Inventory app is properly integrated and configured to collect and analyze your Carbon Black Inventory data. 
+::: + +### Create a new collector and install the app + +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; + + + +### Use an existing collector and install the app + +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; + + + +### Use an existing source and install the app + +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; + + + +## Viewing the Carbon Black Inventory dashboards​​ + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Overview + +The **Carbon Black Inventory – Overview** dashboard offers a comprehensive snapshot of endpoint assets and their security posture. It highlights key metrics such as total device count, quarantined systems, compliance issues, and devices with outdated scans or disabled protections. The dashboard also provides visibility into inactive or outdated sensors, non-reporting endpoints, and pending sensor updates, along with breakdowns by operating system, vulnerability severity, and geographic location. By consolidating these insights into a unified view, it enables security teams to quickly identify at-risk devices, maintain compliance, and prioritize remediation efforts to improve endpoint hygiene and reduce organizational risk.
Carbon-Black-Inventory-Overview-Dashboard + +## Create monitors for the Carbon Black Inventory app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Carbon Black Inventory alerts + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `Carbon Black Inventory – Devices from Embargoed Locations` | This alert is triggered when one or more endpoints report external IP addresses associated with embargoed or restricted geographies. This helps ensure compliance with corporate and regulatory security requirements. | Critical | Count > 0 | +| `Carbon Black Inventory – Firewall Disabled Devices` | This alert is triggered when an endpoint's host-based firewall protection is disabled, increasing exposure to network-based attacks and lateral movement. | Critical | Count > 0| +| `Carbon Black Inventory – Endpoints Not Reporting` | This alert is triggered when a device has not communicated with Carbon Black for more than 7 days, potentially indicating an unmanaged, offline, or compromised endpoint. | Critical | Count > 0| +| `Carbon Black Inventory – Outdated or Inactive Sensors` | This alert is triggered when endpoints are running outdated sensors or have inactive sensor states, which may reduce visibility and impair policy enforcement. | Critical | Count > 0| +| `Carbon Black Inventory – High Vulnerability Devices` | This alert is triggered when endpoints report high or critical vulnerability scores, highlighting an elevated risk of exploitation and the need for prioritized patching. | Critical | Count > 0| + +## Upgrading/Downgrading the Carbon Black Inventory app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Carbon Black Inventory app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md index 779866ccc4..ebed89caf9 100644 
--- a/docs/integrations/saas-cloud/index.md +++ b/docs/integrations/saas-cloud/index.md @@ -93,6 +93,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.

Gain insight into user behavior patterns and resources.

+
+
+ icon

Carbon Black Inventory

+

Gain insight into endpoint assets and their security status in your environment.

+
+
icon

Cato Networks

diff --git a/sidebars.ts b/sidebars.ts index d45bea35be..7af6375b8d 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2556,6 +2556,7 @@ integrations: [ 'integrations/saas-cloud/aws-iam-users', 'integrations/saas-cloud/bitwarden', 'integrations/saas-cloud/box', + 'integrations/saas-cloud/carbon-black-inventory', 'integrations/saas-cloud/cato-networks', 'integrations/saas-cloud/cisco-amp', 'integrations/saas-cloud/cisco-meraki-c2c', From 35ccf16e5af35e390a4190aaca8c9035e09c7979 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Tue, 7 Oct 2025 18:17:38 +0530 Subject: [PATCH 2/3] Update cid-redirects.json --- cid-redirects.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cid-redirects.json b/cid-redirects.json index d3c059db11..6ecd9f00a4 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -2946,7 +2946,7 @@ "/cid/1108": "/docs/integrations/saas-cloud/trellix-mvision-epo", "/cid/1110": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity", "/docs/integrations/microsoft-azure/microsoft-defender-for-identity/": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity", - "/cid/1112": "/docs/integrations/microsoft-azure/carbon-black-inventory", + "/cid/1112": "/docs/integrations/saas-cloud/carbon-black-inventory/", "/Cloud_SIEM_Enterprise": "/docs/cse", "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration", "/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration", From 559b064686a7c78d4a528fe1aa61fd5ea2bd0f5c Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Tue, 7 Oct 2025 21:27:44 +0530 Subject: [PATCH 3/3] changed the release date to avoid conflicts --- blog-service/{2025-10-07-apps.md => 2025-10-08-apps.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename blog-service/{2025-10-07-apps.md => 2025-10-08-apps.md} (100%) 
diff --git a/blog-service/2025-10-07-apps.md b/blog-service/2025-10-08-apps.md similarity index 100% rename from blog-service/2025-10-07-apps.md rename to blog-service/2025-10-08-apps.md
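Review bot: in the `cid-redirects.json` hunk of patch 1/3, the new redirect target `/docs/integrations/microsoft-azure/carbon-black-inventory` is in the wrong directory; the page this series creates is `docs/integrations/saas-cloud/carbon-black-inventory.md`, and the blog post and product list both link to `/docs/integrations/saas-cloud/carbon-black-inventory/`. Patch 2/3 corrects the path, so squash that fix into this commit rather than leaving an intermediate revision that ships a dead `/cid/1112` redirect.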
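Review bot: in the new `carbon-black-inventory.md`, the frontmatter `description` is missing a word: `enables security analysts identify risks` should read `enables security analysts to identify risks`. In the `Total Devices` sample query, the two lines `| where os matches "*"` and `| where vulnerability_severity matches "*"` are match-anything placeholders carried over from the dashboard's filter parameters; in a documented query they do nothing and should either be removed or described as the panel's filter slots. The `## Viewing the Carbon Black Inventory dashboards` heading carries trailing zero-width characters, which will end up in the generated anchor; strip them. The sample log's `last_external_ip_address` of `2.58.14.95` is a routable public address; for documentation samples use an address from the RFC 5737 documentation ranges (for example `203.0.113.5`) so readers cannot mistake it for, or probe, a real host.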
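Review bot: in the `cid-redirects.json` hunk of patch 2/3, the corrected target `/docs/integrations/saas-cloud/carbon-black-inventory/` ends with a trailing slash while the neighbouring `/cid/1108` and `/cid/1110` entries in the same hunk do not; drop the slash for consistency with the existing entries unless the redirect handler requires it.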