
Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

Step 1: Enable console access

This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the VMware Carbon Black Cloud console.

Create an analyst account

  1. Navigate to the gear icon on the left side and click Users. Then click Add User at the top right of the screen.

  2. For First name type Expel.

    • For Last name type SOC.

    • For Email type soc+<Your_Organization_Name>@expel.io.

      Tip

      Yes, the "+" sign is part of the email address (as in soc+megacorp@expel.io) and it's important. Click here to find out why.

    • For Role select Level 2 Analyst.

Step 2: Generate API credentials

Generate an API Key with view all permissions

  1. In the VMware Carbon Black Cloud console, navigate to Settings > Roles.

  2. Navigate to Settings > API Keys.

  3. Create a new API key by selecting Add API Key in the upper right corner.

  4. Type a name for the new key. We suggest Expel SOC.

  5. From the Access Level list, select Custom.

  6. From the Custom Access Level list, select either the View All role or the role you created above.

  7. Complete the rest of the information and click Save to create the new key.

  8. Make a record of the API ID and API Secret Key for later.

Step 3: Configure the technology in Workbench

  1. In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=carbon_black_threat_hunter.

  2. Type these details:

    • For Name type the host name of the device.

    • For Location type the geographic location of the appliance.

    • For Org Key, type the Org Key.

    • For Org ID, type your CB Organization ID.

    • For Server Address, type the VMware Carbon Black Cloud server address, usually https://defense-prod05.conferdeploy.net/

    • For API ID, type the API ID created in Step 2.

    • For API Key, type the API Secret Key created in Step 2.

CB ThreatHunter, CB Defense