Carbon Black Inventory

blog-service/2025-10-08-apps.md

@@ -0,0 +1,12 @@
+---
+title: Carbon Black Inventory (Apps)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - carbon-black-inventory
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to introduce the new Sumo Logic app for Carbon Black Inventory. This app offers you enhanced capabilities to identify risks and configuration gaps in your environment. [Learn more](/docs/integrations/saas-cloud/carbon-black-inventory/).

cid-redirects.json

@@ -2943,6 +2943,7 @@
   "/cid/1108": "/docs/integrations/saas-cloud/trellix-mvision-epo",
   "/cid/1110": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity",
   "/docs/integrations/microsoft-azure/microsoft-defender-for-identity/": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity",
+  "/cid/1112": "/docs/integrations/saas-cloud/carbon-black-inventory/",  
   "/cid/1111": "/docs/integrations/microsoft-azure/azure-open-ai",
   "/Cloud_SIEM_Enterprise": "/docs/cse",
   "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration",

docs/integrations/product-list/product-list-a-l.md

@@ -146,6 +146,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
 |  <img src={useBaseUrl('img/integrations/databases/cassandra.png')} alt="Thumbnail icon" width="50"/>   | [Cassandra](https://cassandra.apache.org/)  | 	Apps: <br/>- [Cassandra](/docs/integrations/databases/cassandra/)	<br/>- [Cassandra - OpenTelemetry](/docs/integrations/databases/opentelemetry/cassandra-opentelemetry/) |
 |  <img src={useBaseUrl('img/integrations/misc/catchpoint-logo.png')} alt="Thumbnail icon" width="50"/>   | [Catchpoint](https://www.catchpoint.com/)  | 	Partner integration: [Catchpoint](https://github.com/catchpoint/Integrations.SumoLogic/blob/main/README.md)	 |
 |  <img src={useBaseUrl('img/send-data/cato-logo.png')} alt="Thumbnail icon" width="50"/>   | [Cato Networks](https://www.catonetworks.com/)  | 	App: [Cato Networks](/docs/integrations/saas-cloud/cato-networks/) <br/>Cloud SIEM integration: [Cato Networks](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/53e043b0-76e3-471a-84ec-0266a4f3b279.md) <br/>Collector: [Cato Networks Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cato-networks-source/) |
+|  <img src={useBaseUrl('img/integrations/security-threat-detection/vmcarecb.png')} alt="Thumbnail icon" width="50"/>   | Carbon Black Inventory  | 	App: [Carbon Black Inventory](/docs/integrations/saas-cloud/carbon-black-inventory/) <br/>Collector: [Carbon Black Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cato-networks-source/) |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/censys.png')} alt="Thumbnail icon" width="75"/> | [Censys](https://censys.com/) | Automation integrations: <br/>- [Censys](/docs/platform-services/automation-service/app-central/integrations/censys/) <br/>- [Censys V2](/docs/platform-services/automation-service/app-central/integrations/censys-v2/) |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/certego.png')} alt="Thumbnail icon" width="75"/>  | [Certego](https://www.certego.net/) | Automation integration: [Certego](/docs/platform-services/automation-service/app-central/integrations/certego/) |
 |  <img src={useBaseUrl('img/send-data/chatgpt-compliance.png')} alt="Thumbnail icon" width="50"/>   | [ChatGPT Compliance](https://chatgpt.com/)  | Collector: [ChatGPT Compliance Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/chatgpt-compliance-source) |

docs/integrations/saas-cloud/carbon-black-inventory.md

@@ -0,0 +1,137 @@
+---
+id: carbon-black-inventory
+title: Carbon Black Inventory
+sidebar_label: Carbon Black Inventory
+description: The Sumo Logic app for Carbon Black Inventory enables security analysts identify risks and configuration gaps to improve endpoint hygiene, faster response, and stronger overall security.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/integrations/security-threat-detection/vmcarecb.png')} alt="Carbon Black Inventory icon" width="90" />
+
+The Sumo Logic app for Carbon Black Inventory offers comprehensive visibility into endpoint assets and their security posture across your environment. By consolidating key device data, including total device counts, compliance status, antivirus and sensor health, and vulnerability levels, the app enables security teams to quickly identify at-risk endpoints and configuration gaps.
+
+Dedicated panels highlight quarantined devices, non-compliant endpoints, systems with passive or outdated sensors, and devices lacking recent antivirus scans, allowing you to efficiently monitor operational hygiene and security coverage. Visualizations by operating system, vulnerability severity, and geographic location provide valuable context for prioritizing patching and remediation.
+
+By surfacing high-priority issues, such as stale endpoints, disabled firewalls, or devices located in embargoed regions, alongside a complete inventory summary, the Sumo Logic app for Carbon Black Inventory helps you maintain strong endpoint hygiene, reduce risk exposure, and support compliance initiatives. This unified view empowers teams to respond faster, improve device management, and strengthen security across the IT environment.
+
+:::info
+This app includes [built-in monitors](#carbon-black-inventory-alerts). For details on creating custom monitors, refer to [Create monitors for Carbon Black Inventory app](#create-monitors-for-the-carbon-black-inventory-app).
+:::
+
+## Log types
+
+This app uses Sumo Logic’s [Carbon Black Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/carbon-black-inventory-source/) to collect device logs from the Carbon Black Inventory platform.
+
+## Sample log message
+
+<details>
+<summary>Device Log</summary>
+
+```json
+{
+    "id": 2008,
+    "name": "Device-NotReporting",
+    "os": "WINDOWS",
+    "os_version": "Windows 7",
+    "last_external_ip_address": "2.58.14.95",
+    "quarantined": false,
+    "compliance_status": "COMPLIANT",
+    "host_based_firewall_status": "ENABLED",
+    "av_status": [
+        "AV_ACTIVE"
+    ],
+    "sensor_pending_update": false,
+    "sensor_out_of_date": false,
+    "passive_mode": false,
+    "sensor_states": [
+        "LIVE_RESPONSE_NOT_RUNNING"
+    ],
+    "av_last_scan_time": "2025-09-25T19:11:38.742Z",
+    "vulnerability_score": 2.5,
+    "vulnerability_severity": "LOW",
+    "last_contact_time": "2025-09-25T19:11:38.742Z",
+    "last_reported_time": "2025-09-25T19:11:38.742Z",
+    "registered_time": "2025-09-25T19:11:38.742Z"
+}
+```
+</details>
+
+## Sample queries
+
+```sql title="Total Devices"
+_sourceCategory="Labs/CarbonBlackInventory"
+| json "id", "quarantined", "compliance_status", "host_based_firewall_status", "av_status", "sensor_pending_update", "os", "vulnerability_severity", "last_external_ip_address", "sensor_states", "passive_mode", "name", "sensor_out_of_date", "last_reported_time", "last_contact_time", "registered_time", "vulnerability_score", "os_version", "av_last_scan_time" as id, quarantined, compliance_status, host_based_firewall_status, av_status_list, sensor_pending_update, os, vulnerability_severity, last_external_ip_address, sensor_states_list, passive_mode, name, sensor_out_of_date, last_reported_time, last_contact_time, registered_time, vulnerability_score, os_version, av_last_scan_time nodrop
+
+| where os matches "*"
+| where vulnerability_severity matches "*"
+
+| count by id 
+| count
+```
+
+## Collection configuration and app installation
+
+import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
+
+<CollectionConfiguration/>
+
+:::important
+Use the [Cloud-to-Cloud Integration for Carbon Black Inventory](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/carbon-black-inventory-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Carbon Black Inventory app is properly integrated and configured to collect and analyze your Carbon Black Inventory data.
+:::
+
+### Create a new collector and install the app
+
+import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
+
+<AppCollectionOPtion1/>
+
+### Use an existing collector and install the app
+
+import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
+
+<AppCollectionOPtion2/>
+
+### Use an existing source and install the app
+
+import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
+
+<AppCollectionOPtion3/>
+
+## Viewing the Carbon Black Inventory dashboards​​
+
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
+
+<ViewDashboards/>
+
+### Overview
+
+The **Carbon Black Inventory – Overview** dashboard offers a comprehensive snapshot of endpoint assets and their security posture. It highlights key metrics such as total device count, quarantined systems, compliance issues, and devices with outdated scans or disabled protections. The dashboard also provides visibility into inactive or outdated sensors, non-reporting endpoints, and pending sensor updates, along with breakdowns by operating system, vulnerability severity, and geographic location. By consolidating these insights into a unified view, it enables security teams to quickly identify at-risk devices, maintain compliance, and prioritize remediation efforts to improve endpoint hygiene and reduce organizational risk.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/carbon-black-inventory/Carbon+Black+Inventory+-+Overview.png' alt="Carbon-Black-Inventory-Overview-Dashboard" />
+
+## Create monitors for the Carbon Black Inventory app
+
+import CreateMonitors from '../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### Carbon Black Inventory alerts
+
+| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | 
+|:--|:--|:--|:--|
+| `Carbon Black Inventory – Devices from Embargoed Locations` | This alert is triggered when one or more endpoints report external IP addresses associated with embargoed or restricted geographies. This helps ensure compliance with corporate and regulatory security requirements. | Critical | Count > 0 |
+| `Carbon Black Inventory – Firewall Disabled Devices` | This alert is triggered when an endpoint's host-based firewall protection is disabled, increasing exposure to network-based attacks and lateral movement. | Critical | Count > 0|
+| `Carbon Black Inventory – Endpoints Not Reporting` | This alert is triggered when a device has not communicated with Carbon Black for more than 7 days, potentially indicating an unmanaged, offline, or compromised endpoint. | Critical | Count > 0|
+| `Carbon Black Inventory – Outdated or Inactive Sensors` | This alert is triggered when endpoints are running outdated sensors or have inactive sensor states, which may reduce visibility and impair policy enforcement. | Critical | Count > 0|
+| `Carbon Black Inventory – High Vulnerability Devices` | This alert is triggered when endpoints report high or critical vulnerability scores, highlighting an elevated risk of exploitation and the need for prioritized patching. | Critical | Count > 0|
+
+## Upgrading/Downgrading the Carbon Black Inventory app (Optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+<AppUpdate/>
+
+## Uninstalling the Carbon Black Inventory app (Optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+<AppUninstall/>

docs/integrations/saas-cloud/index.md

@@ -93,6 +93,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.
   <p>Gain insight into user behavior patterns and resources.</p>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/integrations/saas-cloud/carbon-black-inventory"><img src={useBaseUrl('img/integrations/security-threat-detection/vmcarecb.png')} alt="icon" width="80"/><h4>Carbon Black Inventory</h4></a>
+  <p>Gain insight into endpoint assets and their security status in your environment.</p>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/integrations/saas-cloud/cato-networks"><img src={useBaseUrl('/img/send-data/cato-logo.png')} alt="icon" width="80"/><h4>Cato Networks</h4></a>

sidebars.ts

@@ -2554,6 +2554,7 @@ integrations: [
           'integrations/saas-cloud/aws-iam-users',
           'integrations/saas-cloud/bitwarden',
           'integrations/saas-cloud/box',
+          'integrations/saas-cloud/carbon-black-inventory',
           'integrations/saas-cloud/cato-networks',
           'integrations/saas-cloud/cisco-amp',
           'integrations/saas-cloud/cisco-meraki-c2c',