Tip
This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!
VMware Carbon Black EDR was formerly called Carbon Black Response.
Step 1: Enable console access
This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the VMware Carbon Black EDR console.
Create an admin account
- Navigate to the Users icon on the left and click +Add User.
- For Username type expel.
- For First Name type Expel.
- For Last Name type User.
- For Email Address type soc@expel.io.
- Type a Password.
- Assign to: Administrators.
- Select Global administrator. Global administrator is required to perform the necessary functions within VMware Carbon Black EDR, such as pulling process listings.
- Click Save Changes.
Verify VMware Carbon Black Live EDR is enabled
This step lets Expel interact with your endpoints, for example to pull process listings.
- Click the Sensors icon on the left side panel and click any host name.
- In the upper right corner, the Go Live button is active if VMware Carbon Black Live EDR is enabled. If it's active, you are done.
- If VMware Carbon Black Live EDR isn't enabled and is hosted on-prem:
  - SSH into the CB appliance and open the configuration file: vi /etc/cb/cb.conf
  - Search for CbLREnabled=False and change the value from False to True.
  - Restart services for the change to take effect: service cb-enterprise restart
- If VMware Carbon Black Live EDR isn't enabled and is cloud-hosted:
  - Submit a request to the Carbon Black Cloud Support team asking for this feature to be enabled. You can simply send the request with the following: “Please enable Live EDR and VDI Behavior”.
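The on-prem change above is a one-line edit to cb.conf, but on a shared appliance it is worth making it idempotently and confirming the resulting value before restarting services. The script below is an added example, not from the article or from VMware: it reports the current CbLREnabled value, sets it to True only if needed (appending the key if absent, ignoring commented-out lines), and reminds you that the restart is still required. The sample configuration text it ships with is constructed; only the file path and key name come from the article.

```python
"""Check and set CbLREnabled in a VMware Carbon Black EDR cb.conf.

Added example, not from the article or from VMware: the article says to edit
/etc/cb/cb.conf by hand; this does the same edit idempotently so it can be
reviewed before a restart. The sample below is constructed.
"""
import re
import sys
from pathlib import Path

CB_CONF = "/etc/cb/cb.conf"  # path from the article

# Matches the key at line start; commented-out lines (#CbLREnabled=...) are ignored.
_KEY_RE = re.compile(r"^(\s*CbLREnabled\s*=\s*)(\S*)(.*)$", re.IGNORECASE)

# Constructed sample of the relevant part of a cb.conf; the other key is made up.
SAMPLE_CONF = "# example only\nSomeOtherKey=1\nCbLREnabled=False\n"


def cblr_status(conf_text):
    """Return the CbLREnabled value as written, or None if the key is absent."""
    for line in conf_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            return m.group(2)
    return None


def enable_cblr(conf_text):
    """Return (new_text, changed): sets CbLREnabled=True, appending the key if missing."""
    out, found, changed = [], False, False
    for line in conf_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            found = True
            if m.group(2).lower() != "true":
                # Keep any trailing comment (group 3) and the original spacing.
                line = f"{m.group(1)}True{m.group(3)}"
                changed = True
        out.append(line)
    if not found:
        out.append("CbLREnabled=True")
        changed = True
    return "\n".join(out) + "\n", changed


def main(argv):
    """Usage: python cblr_enable.py [path]; defaults to /etc/cb/cb.conf (needs root)."""
    path = Path(argv[1]) if len(argv) > 1 else Path(CB_CONF)
    new_text, changed = enable_cblr(path.read_text())
    if changed:
        path.write_text(new_text)
        print(f"{path}: CbLREnabled set to True; run 'service cb-enterprise restart' to apply")
    else:
        print(f"{path}: CbLREnabled already True, nothing to do")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a copy of cb.conf first to see the diff it would make; the edit itself does not take effect until cb-enterprise is restarted, as the article notes.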
Step 2: Generate API credentials
This step creates an authentication token that allows the Expel Assembler to access the VMware Carbon Black EDR API.
Obtain the API key for the Expel account
- Log out of the VMware Carbon Black EDR Console.
- Log back into the VMware Carbon Black EDR Console as the newly created Expel User.
- Click Expel User on the upper right, then My Profile, then API Token.
- Make note of the API token. It's used next for registration within Workbench.
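Before pasting the token into Workbench it is useful to confirm that the server address is in the https://host form the integration expects and that the token is actually accepted by the appliance. The check below is an added example, not from the article or from VMware or Expel. It assumes that the CB EDR REST API reads the token from an X-Auth-Token header and that GET /api/info returns server metadata as JSON; confirm both against your server's API documentation. The transport is injectable so the logic can be exercised offline with a constructed response.

```python
"""Pre-flight check that a VMware Carbon Black EDR API token is accepted.

Added example, not from the article or from VMware/Expel. Assumptions: the CB
EDR REST API takes the token in an X-Auth-Token header and GET /api/info
returns server metadata as JSON; confirm both against your server's API docs.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

INFO_PATH = "/api/info"  # assumed endpoint, see module docstring


def normalize_server(address):
    """Accept only the https://host form the article asks for; strip a trailing slash."""
    u = urlparse(address)
    if u.scheme != "https" or not u.netloc or u.path not in ("", "/") or u.query or u.fragment:
        raise ValueError(f"server address must look like https://host, got {address!r}")
    return f"https://{u.netloc}"


def build_request(server, token):
    """Build the authenticated GET; the token travels in a header, never in the URL."""
    return urllib.request.Request(
        normalize_server(server) + INFO_PATH,
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )


def http_send(req):
    """Real transport: returns (status, body). HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", errors="replace")


def check_token(server, token, send=http_send):
    """Return a dict with ok/status/reason; 'send' is injectable so this runs offline."""
    status, body = send(build_request(server, token))
    if status in (401, 403):
        return {"ok": False, "status": status, "reason": "token rejected"}
    if status != 200:
        return {"ok": False, "status": status, "reason": "unexpected status"}
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return {"ok": False, "status": status, "reason": "body is not JSON"}
    return {"ok": True, "status": status, "version": info.get("version")}


if __name__ == "__main__":
    # Usage: CB_API_TOKEN=... python check_cb_token.py https://mycbraddress.com
    result = check_token(sys.argv[1], os.environ["CB_API_TOKEN"])
    print(json.dumps(result))
    sys.exit(0 if result["ok"] else 1)
```

The token is read from an environment variable rather than a command-line argument so it does not end up in shell history or process listings, which matters for an account with Global administrator rights.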
Step 3: Enable threat feeds
Expel recommends enabling the following Carbon Black threat feeds at a minimum:
- CB Advanced Threat
- CB Community
- CB Suspicious Feed
- CB Tamper Detection
- CB Early Access
- SANS Feed
- Expel (this feed is added and enabled by Expel)
To enable them:
- Navigate to the Threat Intelligence icon.
- Select Enable and the Create Alert options for each of the feeds.
Step 4: Configure the technology in Workbench
- Log in to https://workbench.expel.io/settings/security-devices?setupIntegration=carbon_black.
- Enter the following information:
  - Select Cloud or On-Prem (on premises) installation.
  - For On-Prem installations only, select an Assembler from the list. Select the assembler you set up in Getting connected to Expel Workbench.
  - For Name type the hostname of the VMware Carbon Black EDR device.
  - For Location type the geographic location of the appliance.
  - For Server address type the VMware Carbon Black EDR device IP or hostname in the following format: https://10.0.0.10 or https://mycbraddress.com
  - For API key type the API token generated in Step 2.
- You can provide console access now or set it up later. Use the instructions below to set it up later.