Note: VMware Carbon Black EDR was formerly called Carbon Black Response.
Step 1: Enable console access
Having read-only access to the interface of your technology allows Expel to dig deeper when performing incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the Carbon Black EDR console.
Create an admin account
- Navigate to the Users icon on left and click +Add User.
- For Username type expel.
- For First Name type Expel.
- For Last Name type User.
- For Email Address type email@example.com.
- Type a Password.
- Assign to: Administrators.
- Select Global administrator. Global administrator is required to perform the necessary functions within Carbon Black EDR for pulling process listings, and so on.
- Click Save Changes.
Verify Carbon Black Live EDR is enabled
This step allows Expel to interact with your endpoints, for example, pull process listings, and so on.
- Click on the Sensors icon on the left side panel and click any host name.
- In the upper right corner, the button Go Live is active if Carbon Black Live EDR is enabled. If it's active, you are DONE!
- If Carbon Black Live EDR isn't enabled and is hosted on-prem:
- SSH into the CB appliance and perform the command “vi /etc/cb/cb.conf”.
- Search for “CbLREnabled=False” and change the value from False to True.
- Restart services for the change to take effect: “service cb-enterprise restart”.
- If Carbon Black Live EDR is not enabled and cloud-hosted:
- Submit a request to the Carbon Black Cloud Support team requesting this feature be enabled. You can simply send the request with the following: “Please enable Live EDR and VDI Behavior”.
Step 2: Generate API credentials
To integrate the technology with Expel, we need to create secure credentials to the API. Depending on the permissions allowed in Step 1, Expel may be able to generate API credentials. If you're unsure, reach out to your Expel Customer Success Engineer, or email firstname.lastname@example.org.
This step creates an authentication token that allows the Expel Assembler to access the Carbon Black EDR API.
Obtain the API Key for the Expel account
- Log out of the Carbon Black EDR Console.
- Log back into the Carbon Black EDR Console as the newly-created Expel User.
- Click Expel User on the upper right, then My Profile, then API Token.
- Make note of the API token which is used next for registration within Expel Workbench.
Step 3: Enable threat feeds
Expel recommends the following Carbon Black threat feeds be enabled at a minimum:
- + CB Advanced Threat
- + CB Community
- + CB Suspicious Feed
- + CB Tamper Detection
- + CB Early Access
- + SANS Feed
- + Expel (this feed is added and enabled by Expel)
- Navigate to the Threat Intelligence icon.
- Select Enable and the Create Alert options for each of the feeds.
Step 4: Configure the technology in Workbench
Now that we have the correct access configured and noted the credentials, we can integrate Carbon Black EDR with Expel.
Register device in Expel Workbench
- Login to https://workbench.expel.io/settings/security-devices?setupIntegration=carbon_black.
- Enter the following information:
- Select Cloud or On-Prem (on premises) installation.
- For On-Prem installations only, select an Assembler from the list. Select the assembler you set up in Step 2 of the Getting Started with Expel guide.
- For Name enter the hostname of the Carbon Black EDR device.
- For Location enter the geographic location of the appliance.
- For Server address enter the Carbon Black EDR device IP or hostname in the following format: https://10.0.0.10 or https://mycbraddress.com
- For API key enter the API generated in Step 2.
- Under Console Login (Optional), Username and Password fields can be left blank, or can be filled in with the username and password created in Step 1.
- Click Save.
After a few minutes, refresh the Security Devices page and you see your device status reporting as Healthy, or if there is an issue, you see details of what the issue may be.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.