Tip
This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!
VMWare Carbon Black EDR was formerly called Carbon Black Response.
Step 1: Enable console access
This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the Carbon Black EDR console.
Create an admin account
-
Navigate to the Users icon on left and click +Add User.
-
For Username type expel.
-
For First Name type Expel.
-
For Last Name type User.
-
For Email Address type soc@expel.io.
-
Type a Password.
-
Assign to: Administrators.
-
Select Global administrator. Global administrator is required to perform the necessary functions within Carbon Black EDR for pulling process listings, and so on.
-
-
Click Save Changes.
Verify Carbon Black Live EDR is enabled
This step allows Expel to interact with your endpoints, for example, pull process listings, and so on.
-
Click on the Sensors icon on the left side panel and click any host name.
-
In the upper right corner, the button Go Live is active if Carbon Black Live EDR is enabled. If it's active, you are DONE!
-
If Carbon Black Live EDR isn't enabled and is hosted on-prem:
-
SSH into the CB appliance and perform the command
vi /etc/cb/cb.conf. -
Search for
CbLREnabled=Falseand change the value from False to True. -
Restart services for the change to take effect:
service cb-enterprise restart.
-
-
If Carbon Black Live EDR is not enabled and cloud-hosted:
-
Submit a request to the Carbon Black Cloud Support team requesting this feature be enabled. You can simply send the request with the following: “Please enable Live EDR and VDI Behavior”.
-
Step 2: Generate API credentials
This step creates an authentication token that allows the Expel Assembler to access the Carbon Black EDR API.
Obtain the API key for the Expel account
-
Log out of the Carbon Black EDR Console.
-
Log back into the Carbon Black EDR Console as the newly-created Expel User.
-
Click Expel User on the upper right, then My Profile, then API Token.
-
Make note of the API token. It is used next for registration within Workbench.
Step 3: Enable threat feeds
Expel recommends enabling the following Carbon Black threat feeds at a minimum:
-
+ CB Advanced Threat
-
+ CB Community
-
+ CB Suspicious Feed
-
+ CB Tamper Detection
-
+ CB Early Access
-
+ SANS Feed
-
+ Expel (this feed is added and enabled by Expel)
-
Navigate to the Threat Intelligence icon.
-
Select Enable and the Create Alert options for each of the feeds.
Step 4: Configure the technology in Workbench
Now that we have the correct access configured and noted the credentials, we can integrate Carbon Black EDR with Workbench.
-
Login to https://workbench.expel.io/settings/security-devices?setupIntegration=carbon_black.
-
Enter the following information:
-
Select Cloud or On-Prem (on premises) installation.
-
For On-Prem installations only, select an Assembler from the list. Select the assembler you set up in Getting Connected to Expel Workbench.
-
For Name type the hostname of the Carbon Black EDR device.
-
For Location type the geographic location of the appliance.
-
For Server address type the Carbon Black EDR device IP or hostname in the following format:
https://10.0.0.10 or https://mycbraddress.com -
For API key type the API generated in Step 2.
-
Under Console Login (Optional), Username and Password fields can be left blank, or can be filled in with the username and password created in Step 1.
-
Comments
0 comments
Please sign in to leave a comment.