This article explains how to connect VMware Carbon Black EDR to Workbench.

VMware Carbon Black EDR was formerly called Carbon Black Response.

Step 1: Enable console access

This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the VMware Carbon Black EDR console.

Note

Expel stores all login information our SOC analysts need for your devices in a password management product protected by multi-factor authentication (MFA). Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

Create an admin account

  1. Navigate to the Users icon on the left and click +Add User.

    • For Username type expel.

    • For First Name type Expel.

    • For Last Name type User.

    • For Email Address type soc@expel.io.

    • Type a Password.

    • Assign to: Administrators.

    • Select Global administrator. Global administrator is required for the functions Expel performs in VMware Carbon Black EDR, such as pulling process listings, so this account carries full console rights; keep its password in your own password manager and do not reuse it elsewhere.

Verify VMware Carbon Black Live EDR is enabled

Live EDR is what allows Expel to interact with your endpoints, for example to pull process listings. This step verifies it is enabled.

  1. Click on the Sensors icon on the left side panel and click any host name.

  2. In the upper right corner, the Go Live button is active if VMware Carbon Black Live EDR is enabled. If it is active, you are done.

  3. If VMware Carbon Black Live EDR isn't enabled and is hosted on-prem:

    • SSH into the Carbon Black EDR server and open the server configuration in an editor, for example: vi /etc/cb/cb.conf.

    • Find the CbLREnabled line (the Live Response flag) and change CbLREnabled=False to CbLREnabled=True.

    • Restart the services for the change to take effect: service cb-enterprise restart. The restart briefly interrupts the console and sensor check-ins, so schedule it accordingly.

  4. If VMware Carbon Black Live EDR is not enabled and cloud-hosted:

    • Submit a request to the Carbon Black Cloud Support team asking for the feature to be enabled. The request can be as simple as: “Please enable Live EDR and VDI Behavior”.
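The on-prem change above, as an added example that is not part of the original article or of Carbon Black's own tooling: a POSIX shell script that reports the current CbLREnabled value, sets it to True only when needed (backing the file up first and appending the key if it is absent), and restarts cb-enterprise only when invoked with --apply. The path /etc/cb/cb.conf and the restart command come from the steps above; the --status and --apply flags and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Carbon Black's tooling: idempotently enable Live
# Response (the CbLREnabled flag) in cb.conf on an on-prem CB EDR server.
# The default path /etc/cb/cb.conf is the one the article names.

# Print the current value of CbLREnabled in the given cb.conf, or "missing"
# when the key is not present at all.
cblr_status() {
    conf="$1"
    val=$(grep '^CbLREnabled=' "$conf" 2>/dev/null | tail -n 1 | cut -d= -f2-)
    if [ -z "$val" ]; then
        echo missing
    else
        echo "$val"
    fi
}

# Set CbLREnabled=True, keeping a timestamped backup of the original file.
# Prints "changed" when the file was modified and "unchanged" when Live
# Response was already enabled, so a second run is a safe no-op.
cblr_enable() {
    conf="$1"
    if [ "$(cblr_status "$conf")" = "True" ]; then
        echo unchanged
        return 0
    fi
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$conf.tmp.$$"
    if grep -q '^CbLREnabled=' "$conf"; then
        # Rewrite the existing line whatever its current value is.
        sed 's/^CbLREnabled=.*/CbLREnabled=True/' "$conf" > "$tmp"
    else
        # Key absent: add it explicitly rather than relying on the default.
        { cat "$conf"; echo 'CbLREnabled=True'; } > "$tmp"
    fi
    mv "$tmp" "$conf"
    echo changed
}

# Only the real server config is touched, and only when explicitly asked.
case "${1:-}" in
    --status)
        echo "CbLREnabled: $(cblr_status "${2:-/etc/cb/cb.conf}")"
        ;;
    --apply)
        CONF="${2:-/etc/cb/cb.conf}"
        result=$(cblr_enable "$CONF")
        echo "CbLREnabled: $(cblr_status "$CONF") ($result)"
        if [ "$result" = "changed" ]; then
            # Required for the change to take effect; briefly interrupts the
            # console and sensor check-ins.
            service cb-enterprise restart
        fi
        ;;
esac
```

Run `sh enable-cblr.sh --status` on the server first to see the current value, then `sh enable-cblr.sh --apply` to change it; pass a second argument to point at a cb.conf in a non-default location. Because the script only restarts when it actually changed the file, it can be re-run without causing an unnecessary service interruption.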

Step 2: Generate API credentials

This step creates an authentication token that allows the Expel Assembler to access the VMware Carbon Black EDR API.

Obtain the API key for the Expel account

  1. Log out of the VMware Carbon Black EDR Console.

  2. Log back into the VMware Carbon Black EDR Console as the newly-created Expel User.

  3. Click Expel User in the upper right, then My Profile, then API Token.

  4. Make note of the API token. It is used next for registration within Workbench. The token carries the Global administrator rights of the expel user, so handle it as you would that user's password: store it in a password manager and do not send it over email or chat.
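Before entering the token in Workbench it is worth confirming the server accepts it. The script below is an added example, not Expel's or Carbon Black's own tooling. It assumes the VMware Carbon Black EDR REST API authenticates with an X-Auth-Token header and that its /api/v1/sensor endpoint requires an authenticated user; it normalises whatever address is typed into the https://host form that Step 4 asks for, and reads the server and token from the CB_SERVER and CB_API_TOKEN environment variables. The function names and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not Expel's or Carbon Black's tooling): check that a newly
# generated CB EDR API token is accepted before pasting it into Workbench.
# Assumptions: the CB EDR REST API takes the token in an X-Auth-Token header
# and GET /api/v1/sensor requires an authenticated user.

# Normalise a typed address into the form Step 4 expects (https://host):
# add https:// when no scheme is given, drop any path and trailing slash.
cb_server_url() {
    s="$1"
    case "$s" in
        http://*|https://*) ;;
        *) s="https://$s" ;;
    esac
    scheme=${s%%://*}
    rest=${s#*://}
    host=${rest%%/*}        # keep host[:port] only
    echo "$scheme://$host"
}

# Turn the HTTP status of the API call into a verdict a human can act on.
cb_token_verdict() {
    case "$1" in
        200)     echo "ok: token accepted" ;;
        401|403) echo "rejected: token invalid or user lacks rights" ;;
        000)     echo "unreachable: no HTTPS response from server" ;;
        *)       echo "unexpected HTTP $1" ;;
    esac
}

# Live check. The token travels only in a request header, never in the URL,
# so it is not written into web-server or proxy access logs. curl's own
# failures (DNS, TLS, refused connection) are mapped to status 000.
cb_check_token() {
    url="$(cb_server_url "$1")/api/v1/sensor"
    code=$(curl -sS -o /dev/null -w '%{http_code}' \
        -H "X-Auth-Token: $2" "$url" 2>/dev/null || echo 000)
    cb_token_verdict "$code"
}

# Only contact a server when both values are supplied via the environment,
# which keeps the token out of shell history.
if [ -n "${CB_SERVER:-}" ] && [ -n "${CB_API_TOKEN:-}" ]; then
    cb_check_token "$CB_SERVER" "$CB_API_TOKEN"
fi
```

Run it as `CB_SERVER=10.0.0.10 CB_API_TOKEN='<token>' sh check-token.sh`. A "rejected" verdict with a freshly copied token means the server did not accept it: re-copy the token from the expel user's profile and confirm that user still has the Global administrator role. An "unreachable" verdict on an on-prem server that uses a self-signed certificate usually means curl could not validate the TLS certificate; point it at the server's CA with `--cacert` rather than disabling verification with `-k`.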

Step 3: Enable threat feeds

Expel recommends enabling the following Carbon Black threat feeds at a minimum:

  • CB Advanced Threat

  • CB Community

  • CB Suspicious Feed

  • CB Tamper Detection

  • CB Early Access

  • SANS Feed

  • Expel (this feed is added and enabled by Expel)

  1. Navigate to the Threat Intelligence icon.

  2. For each of these feeds, select Enable and Create Alert, so that feed hits generate alerts rather than only being tagged on processes.

Step 4: Configure the technology in Workbench

  1. Log in to https://workbench.expel.io/settings/security-devices?setupIntegration=carbon_black.

  2. Enter the following information:

    • Select Cloud or On-Prem (on premises) installation.

    • For On-Prem installations only, select an Assembler from the list. Select the assembler you set up in Getting connected to Expel Workbench.

    • For Name type the hostname of the VMware Carbon Black EDR device.

    • For Location type the geographic location of the appliance.

    • For Server address type the VMware Carbon Black EDR device IP or hostname in the following format: https://10.0.0.10 or https://mycbraddress.com

    • For API key type the API token generated in Step 2.

  3. You can provide console access now or set it up later. Use the instructions below to set it up later.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!