This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.
This guide helps you set up your VMware Carbon Black EDR device so that you can enable the Contain Hosts auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.
How It Works
If our SOC identifies a host that must be contained, Workbench completes the action automatically. You have the option to restrict these actions to specific hosts by configuring an allow or deny list (the hosts must first be added as context, and then the list can be configured in Workbench; see Step 2).
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Allow Appropriate Permissions in Your EDR Console
- Update Your Context
- Return to the Main Setup Guide
Step 1: Allow Appropriate Permissions in Your EDR Console
Make sure you assign all of the API permissions listed in the Carbon Black EDR Setup for Workbench guide. The generic API access granted there gives Expel the permission it needs to isolate hosts.
Step 2: Update Your Context
If you do not want to specify any hosts for a "Never contain" or "Always contain" list, and instead want Expel to automatically contain all identified hosts, skip to Step 3.
Working with your engagement manager, prepare to create an allow or deny list by adding hosts as context for your environment. You will then be able to select those hosts as "Never contain" or "Always contain" assets when you enable the auto remediation in Workbench. In this instance, the context update process is usually accomplished by sending us a .csv file.
Note
If our SOC identifies a host that must be contained and you have created either an allow ("Always contain") or deny ("Never contain") list in Workbench, any hosts falling outside of those parameters are assigned to you as actions rather than being contained automatically.
Step 3: Return to the Main Setup Guide
Your VMware Carbon Black EDR device is now ready for the Contain Hosts auto remediation. You should now do one of the following:
- If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
- If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.