Why D3 Smart SOAR is the Best SOAR for Carbon Black

Carbon Black is a powerful endpoint protection platform, offering advanced threat hunting and incident response capabilities. When integrated with D3 Smart SOAR, it can further enhance your organization’s security posture by automating the incident response process, reducing the time it takes to address threats, and minimizing the impact on your business. In this blog post, we will explore how Carbon Black can be used within D3 Smart SOAR to streamline incident response workflows and provide comprehensive protection against cyber threats.

Typically, the Carbon Black integration is used alongside a SIEM, IAM, NDR, and OSINT tool to complement gaps that might be in the original alert and in Carbon Black’s database. The example below uses Carbon Black by itself to show the possibilities around automated incident response with D3 Smart SOAR.

The Alert

This example uses a registry modification alert generated by Carbon Black. The event data contains the hostname, process GUID, process hash, process name, and the user. To investigate this further, we’ll need more information on the device and process.
A registry modification alert generated by Carbon Black presented in D3 Smart SOAR

The Playbook

This incident playbook has three main stages: correlation, enrichment, and remediation. The correlation stage searches Carbon Black’s database to pull in other alerts related to the device or process. Users can also search their SIEM or NDR for similar alerts if those tools are connected. Similarly, they can search Smart SOAR’s incident and event databases for related events that other tools may not have linked.

A Carbon Black Smart SOAR incident playbook

The enrichment stage pulls in additional information on the device and process. The Get Device Information command returns important information about the device, such as its vulnerability rating, registration status, and policies.

Get Device Info

Smart SOAR: Get Device Information

Once the enrichment and correlation stages are complete, the playbook starts a scan on the affected device and gives the analyst the option to quarantine it. The total runtime for this playbook is 14 seconds.

Vulnerability Scans

Vulnerability scan workflow in Smart SOAR


In Smart SOAR, users don’t have to wait for a security alert to trigger a playbook. They can use our scheduled automation feature to run playbooks in the background, independent of the events and alerts ingested into the platform. This capability enables users to automatically initiate background scans on target machines via Carbon Black’s API.

Smart SOAR's scheduled automation feature


Integrating Carbon Black with D3 Smart SOAR offers organizations an efficient and powerful solution for automating incident response workflows. By leveraging the capabilities of Carbon Black and Smart SOAR, security teams can effectively correlate, enrich, and remediate incidents in a matter of seconds, significantly reducing the time to respond to threats. Moreover, the scheduled automation feature in Smart SOAR allows for proactive security measures, further enhancing an organization’s defense against cyberattacks.

Social Icon
Pierre Noujeim

Pierre Noujeim is a Product Marketing Manager with a cyber security engineering background. Having implemented SOAR at enterprise organizations as well as for D3's MSSP partners, Pierre has rich and varied insight into integrations, use cases and the cyber security vendor landscape. A dedicated product marketer, Pierre represents D3 at analyst briefings, webinar workshops and industry conferences such as RSA and Black Hat.