1. Expel Support Center
  2. Connect your technology
  3. Endpoint integrations

VMware Carbon Black Endpoint Standard setup for Workbench

  • Updated

This article explains how to connect VMware Carbon Black Endpoint Standard to Workbench.

In this article

Step 1: Enable console access

This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the VMware Carbon Black Endpoint Standard console.

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

Note

Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Navigate to gear icon on left side and click Users. Then click Add User on the top right of the screen.

  2. For First name type Expel.

    • For Last name type SOC.

    • For Email: soc+<Your_Organization_Name>@expel.io.

      Tip

      Yes, the "+" sign is part of the email address, and it's important. Click here to find out why.

    • For Role select Level 2 Analyst.

    • Click Save.

Step 2: Generate API credentials and SIEM access

To integrate the technology with Workbench, we need to create secure credentials to the API.

This procedure creates an authentication token that allows the Expel Assembler to access the VMware Carbon Black Endpoint Standard API and SIEM.

Obtain the API and SIEM key for the Expel account

  1. Navigate to gear icon on left side and click Users. Then click Add User on the top right of the screen.

  2. For Name type Expel.

    • For Access Level select API.

    • For Authorized IP address, type the IP address of the externally facing IP of the Expel Assembler. If you're unsure, the following code can be run on the Assembler to list the current IP: curl -s http://ipchicken.com | egrep -o ‘([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}’

    • Click Save.

  3. For SIEM access, follow the same steps above and select SIEM for Access level.

  4. Make note of the API, SIEM API, and API IDs for each. These are used in Step 3 for registration within Workbench.

Subscribe to notifications

  1. Navigate to the gear icon on the left side, click Notifications, then click ADD NOTIFICATION.

  2. For Name type Expel Threat.

  3. For Notify when select Threat and select Alert priority 3.

  4. For Policy select All Policies.

  5. Click in Search for API field and search for the SIEM API Key created for Expel in Obtain the API and SIEM key for the Expel account.

  6. Click Save.

Step 3: Configure the technology in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. In a new browser tab, login to https://workbench.expel.io.

  2. On the console page, navigate to Settings and click Security Devices.

  3. At the upper right of the page, select Add Security Device.

  4. Search for and select VMware Carbon Black Endpoint Standard.

  5. Complete all fields using the credentials and information you collected in Step 1 and Step 2.

    Screen Shot 2021-03-30 at 7.49.42 AM.png

  6. Select an Assembler from the list. Select the assembler you set up in Getting connected to Expel Workbench.

  7. Type Assembler Name and Location. For example: VMware Carbon Black Endpoint Standard and Expel Lab.

    Screen Shot 2021-03-30 at 7.50.15 AM.png

    • For Server address type the URL for the VMware Carbon Black Endpoint Standard server, including the port.

    • For SIEM key, type the SIEM API Key generated in Step 2.

    • For API connect, type API ID generated in Step 2.

    • For SIEM connect, type the SIEM API ID generated in Step 2.

    • For API key type the API generated in Step 2.

    • Username and Password fields are optional and can be left blank.

  8. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • Was this article helpful?

  • 0 out of 0 found this helpful

Related articles