This article explains how to connect VMware Carbon Black EDR to Workbench.

VMware Carbon Black EDR was formerly called Carbon Black Response.

In this article

Step 1: Enable console access

This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the VMware Carbon Black EDR console.

Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

Create an admin account

  1. Navigate to the Users icon on the left and click +Add User.

    • For Username, type expel.

    • For First Name, type Expel.

    • For Last Name, type User.

    • For Email Address, type soc@expel.io.

    • Type a Password.

    • Assign to: Administrators.

    • Select Global administrator. Global administrator is required to perform the necessary functions within VMware Carbon Black EDR for pulling process listings, and so on.

Verify VMware Carbon Black Live EDR is enabled

This step allows Expel to interact with your endpoints, for example, pull process listings, and so on.

  1. Click on the Sensors icon on the left side panel and click any host name.

  2. In the upper right corner, the button Go Live is active if VMware Carbon Black Live EDR is enabled. If it's active, you are DONE!

  3. If VMware Carbon Black Live EDR isn't enabled and is hosted on-prem:

    • SSH into the CB appliance and perform the command vi /etc/cb/cb.conf.

    • Search for CbLREnabled=False and change the value from False to True.

    • Restart services for the change to take effect: service cb-enterprise restart.

  4. If VMware Carbon Black Live EDR is not enabled and cloud-hosted:

    • Submit a request to the Carbon Black Cloud Support team requesting this feature be enabled. You can simply send the request with the following: “Please enable Live EDR and VDI Behavior”.

Step 2: Generate API credentials

This step creates an authentication token that allows the Expel Assembler to access the VMware Carbon Black EDR API.

Obtain the API key for the Expel account

  1. Log out of the VMware Carbon Black EDR Console.

  2. Log back into the VMware Carbon Black EDR Console as the newly-created Expel User.

  3. Click Expel User on the upper right, then My Profile, then API Token.

  4. Make note of the API token. It's used next for registration within Workbench.

Step 3: Enable threat feeds

Expel recommends enabling the following Carbon Black threat feeds at a minimum:

  • + CB Advanced Threat

  • + CB Community

  • + CB Suspicious Feed

  • + CB Tamper Detection

  • + CB Early Access

  • + SANS Feed

  • + Expel (this feed is added and enabled by Expel)

  1. Navigate to the Threat Intelligence icon.

  2. Select Enable and the Create Alert options for each of the feeds.

Step 4: Configure the technology in Workbench

  1. Log in to https://workbench.expel.io/settings/security-devices?setupIntegration=carbon_black.

  2. Enter the following information:

    • Select Cloud or On-Prem (on premises) installation.

    • For On-Prem installations only, select an Assembler from the list. Select the assembler you set up in Getting connected to Expel Workbench.

    • For Name, type the hostname of the VMware Carbon Black EDR device.

    • For Location, type the geographic location of the appliance.

    • For Server address, type the VMware Carbon Black EDR device IP or hostname in the following format: https://10.0.0.10 or https://mycbraddress.com

    • For API key, type the API generated in Step 2.

  3. Click Save.
  4. You can provide console access now or set it up later. Use the instructions below to set it up later.

Step 5: Edit the device to add console access

Expel needs console access to your device to allow our SOC analysts to dig deeper during incident investigations. Additionally, our engineering teams use this access to investigate potential health issues, including proper alert ingestion.

Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Open Workbench. Go to Organization Settings > Security Devices. Next to the device you just connected, click the down arrow and click Edit.

  2. In the Console Login area, type these details:

    • Console URL: type the console URL from the Server address in the Connection Settings area above. At the end of the URL, type /login.

    • Username: type the user name you created above.

    • Password: type the password you created above.

    • Two-factor secret key (32-character code): depending on how your organization enforces log-ins, this field may not apply to you. In these cases, you can leave it blank. This field is optional and if you have questions or concerns, reach out to your engagement manager or to support.