Skip to main content

Carbon Black EDR getting started guide

Sharon Burton
  • Updated

Note: VMware Carbon Black EDR was formerly called Carbon Black Response.

Step 1: Enable console access

Having read-only access to the interface of your technology allows Expel to dig deeper when performing incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the Carbon Black EDR console.

Create an admin account

  1. Navigate to the Users icon on left and click +Add User.
    Screen Shot 2021-03-05 at 8.22.19 AM.png
      • For Username type expel.
      • For First Name type Expel.
      • For Last Name type User.
      • For Email Address type soc@expel.io.
      • Type a Password.
      • Assign to: Administrators.
      • Select Global administrator. Global administrator is required to perform the necessary functions within Carbon Black EDR for pulling process listings, and so on.
  2. Click Save Changes.
    Screen Shot 2021-03-05 at 8.22.57 AM.png

Verify Carbon Black Live EDR is enabled

This step allows Expel to interact with your endpoints, for example, pull process listings, and so on. 

  1. Click on the Sensors icon on the left side panel and click any host name.
    Screen Shot 2021-03-05 at 8.23.31 AM.png
  2. In the upper right corner, the button Go Live is active if Carbon Black Live EDR is enabled. If it's active, you are DONE!
  3. If Carbon Black Live EDR isn't enabled and is hosted on-prem:
      • SSH into the CB appliance and perform the command “vi /etc/cb/cb.conf”.
      • Search for “CbLREnabled=False” and change the value from False to True.
      • Restart services for the change to take effect: “service cb-enterprise restart”.
  4. If Carbon Black Live EDR is not enabled and cloud-hosted:
    • Submit a request to the Carbon Black Cloud Support team requesting this feature be enabled.  You can simply send the request with the following: “Please enable Live EDR and VDI Behavior”.

Step 2: Generate API credentials

To integrate the technology with Expel, we need to create secure credentials to the API. Depending on the permissions allowed in Step 1, Expel may be able to generate API credentials. If you're unsure, reach out to your Expel Customer Success Engineer, or email customerhealth@expel.io.

This step creates an authentication token that allows the Expel Assembler to access the Carbon Black EDR API.

Obtain the API Key for the Expel account

  1. Log out of the Carbon Black EDR Console.
  2. Log back into the Carbon Black EDR Console as the newly-created Expel User.
  3. Click Expel User on the upper right, then My Profile, then API Token.
    Screen Shot 2021-03-05 at 8.24.08 AM.png
  4. Make note of the API token which is used next for registration within Expel Workbench.

Step 3: Enable threat feeds

Expel recommends the following Carbon Black threat feeds be enabled at a minimum:

  • + CB Advanced Threat
  • + CB Community
  • + CB Suspicious Feed
  • + CB Tamper Detection
  • + CB Early Access
  • + SANS Feed
  • + Expel (this feed is added and enabled by Expel)
  1. Navigate to the Threat Intelligence icon.
  2. Select Enable and the Create Alert options for each of the feeds. Screen Shot 2021-03-05 at 8.24.38 AM.png

 

Step 4: Configure the technology in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate Carbon Black EDR with Expel.  

Register device in Expel Workbench

  1. Login to https://workbench.expel.io/settings/security-devices?setupIntegration=carbon_black
  2. Enter the following information: 
    mceclip0.png
      • Select Cloud or On-Prem (on premises) installation.
      • For On-Prem installations only, select an Assembler from the list. Select the assembler you set up in Step 2 of the Getting Started with Expel guide.
      • For Name enter the hostname of the Carbon Black EDR device.  
      • For Location enter the geographic location of the appliance.
      • For Server address enter the Carbon Black EDR device IP or hostname in the following format: https://10.0.0.10 or https://mycbraddress.com  
      • For API key enter the API generated in Step 2.
      • Under Console Login (Optional), Username and Password fields can be left blank, or can be filled in with the username and password created in Step 1.
  3. Click Save.

After a few minutes, refresh the Security Devices page and you see your device status reporting as Healthy, or if there is an issue, you see details of what the issue may be.

To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.

Related articles

Comments

0 comments

Please sign in to leave a comment.