
Solution

  • Workspace ONE

Type

  • Document

Level

  • Intermediate

Category

  • Operational Tutorial

Product

  • Carbon Black Cloud
  • Workspace ONE UEM

Phase

  • Manage

Integrating Workspace ONE Intelligence and VMware Carbon Black: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. VMware Workspace ONE® Intelligence™ is designed to simplify the user experience without compromising security. The intelligence service aggregates and correlates data from multiple sources to give you complete visibility into the entire environment. Its Automation engine drives automated workflows that take actions against devices managed by Workspace ONE UEM and integrate with third-party tools.

The VMware Carbon Black Cloud™ is a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console.

In today’s environment, merely blocking known malware is obsolete. Cybercriminals continually learn how to obscure their actions amid the ever-growing activity within your organization. Polymorphic ransomware and file-less attacks are growing in prevalence, so legacy approaches to prevention leave you vulnerable.

In this tutorial, learn how to configure the integration between Workspace ONE Intelligence and VMware Carbon Black to obtain threat insights and extend threat remediation with the Workspace ONE Intelligence Automation engine.

Watch the Workspace ONE Intelligence and VMware Carbon Black: Automating Device Quarantine - Technical Overview video, which walks through all the steps in this tutorial.

Audience

This operational tutorial is intended for IT security professionals and Workspace ONE administrators of existing production environments. Familiarity with Workspace ONE Intelligence, Workspace ONE UEM, and VMware Carbon Black Cloud, and knowledge of endpoint security and networking, is assumed. Knowledge of additional tools and technologies such as Postman and REST APIs is also helpful.

Prerequisites

Before you can perform the procedures in this exercise, verify that you have access to the following components:

  • Workspace ONE UEM with permissions to manage devices and applications, and Workspace ONE Intelligence enabled.
  • Workspace ONE Intelligence with admin account credentials and the Administrator role assigned.
  • VMware Carbon Black Cloud management console and admin account credentials with permissions to configure API Keys and Notifications.
  • A Windows 10 device to test the integration.            

Configuring VMware Carbon Black Cloud Prerequisites

Introduction

The integration between VMware Carbon Black Endpoint Standard and Workspace ONE Intelligence is based on REST APIs, which requires the creation of two sets of API Keys in the VMware Carbon Black Cloud Console to allow Workspace ONE Intelligence to retrieve the list of reported alerts (threats).

The types of alerts to be reported are configured in VMware Carbon Black as notifications, allowing the administrator to specify the types of alerts to be reported to Workspace ONE Intelligence.

In this activity, you validate and configure the prerequisites on VMware Carbon Black Cloud Console that will be used to integrate with Workspace ONE Intelligence in a later exercise.

Logging In to the VMware Carbon Black Cloud Console

To perform most of the steps in this exercise, you must first log in to the VMware Carbon Black Cloud Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Sign In to the VMware Carbon Black Cloud Console

  1. Enter your email address, for example, admin@company.com.
  2. Enter your password.
  3. Click Sign In.

Creating API Keys

The VMware Carbon Black Open API platform enables you to integrate with a variety of security products including SIEMs (security information and event management), ticket tracking systems, and your own custom scripts.

When creating your API keys, you should understand the following limitations and implications:

  • SIEM API keys can receive notifications only through the notifications API. Use a SIEM API key to configure the Intelligence integration.
  • API keys can call any API except for the notifications and Live Response API. Live Response API keys can call any API except for the notifications API.
  • API keys inherit the permissions that are available to the user. Treat the API ID and API secret keys on the API keys page the same as your VMware Carbon Black Cloud console login password.

To integrate with Workspace ONE Intelligence, two sets of API Keys are required; one with API Level Access and another one with SIEM API Level Access.

Workspace ONE Intelligence uses only the SIEM API Key to connect to VMware Carbon Black and obtain the threat information; the second key (API Key) is not used during that communication. However, Workspace ONE Intelligence still requires the second key when you configure the VMware Carbon Black integration.

 

1. Add API Key with SIEM Access Level

  1. Click Settings.
  2. Click API Keys.
  3. Click + Add API Key.

2. Configure SIEM API Key

API Keys
  1. Enter SIEM Key for Workspace ONE Intelligence integration for API Key Name.
  2. Select SIEM for Access Level.
  3. Click Save.

3. Save SIEM API Key information

API Keys

A dialog box appears with the generated API ID and API Secret Key. Record both, labeled SIEM API Key, in a password manager or another protected location (treat them like your console password); you enter them later in Workspace ONE Intelligence.

Click X to close the dialog box.

The SIEM API Key is listed as part of the API KEYS List.

4. Add API Key with API Access Level

Click + Add API Key.

5. Configure API Key

API Keys
  1. Enter API-WS1 for API Key Name.
  2. Ensure API is set for Access Level.
  3. Click Save.

6. Save API Key information

API Keys

A dialog box appears with the generated API ID and API Secret Key. Record both, labeled API Key, in the same protected location as the SIEM API Key; you enter them later in Workspace ONE Intelligence.

Click X to close the dialog box.

7. Confirm API and SIEM Key Creation

Confirm that both API Keys are listed under the API Keys page.

Configuring Notifications

Workspace ONE Intelligence obtains the threats generated in VMware Carbon Black Cloud through notifications. A notification can be configured to send email to individuals or to deliver the event to a connected system, such as Workspace ONE Intelligence, through a SIEM API key.

Notifications are generated based on the detection of an alert or policy action. Workspace ONE Intelligence obtains the alerts based on the notification that your SIEM API Key is subscribed to.

In this activity, you learn how to subscribe the API Keys to notifications for Alerts and Policy Actions.

1. Add Notification

  1. Click Settings.
  2. Click Notifications.
  3. Click + Add Notification.

In the following steps, you create three different types of notifications. For each one, you must use the + Add Notification button.

2. Add Notifications for Policy Actions Terminated

Notifications
  1. Enter Global Policy Action Terminate Notification for Notification Name.
  2. Select Policy Action is enforced for When do you want to be notified?
  3. Select Terminate.
  4. Select All policies for Policy.
  5. Add your SIEM API Key previously created for How do you want to be notified?
  6. Click Add.

3. Add Notifications for Policy Actions Denied

Notifications
  1. Enter Global Policy Action Denied Notification for Notification Name.
  2. Select Policy Action is enforced for When do you want to be notified?
  3. Select Deny.
  4. Select All policies for Policy.
  5. Add your SIEM API Key previously created for How do you want to be notified?
  6. Click Add.

4. Add Notifications for Alert Crosses a Threshold

Notifications
  1. Enter Global Alert Notification for Notification Name.
  2. Select Alert crosses a threshold for When do you want to be notified?
  3. Select Threat, Observed, and set Alert Severity to 1.
  4. Select All policies for Policy.
  5. Add your SIEM API Key previously created for How do you want to be notified?
  6. Click Add.

5. Confirm Notifications are Created

Confirm that you have the three notifications created as part of the Notifications List. They will be used by Workspace ONE Intelligence to query the respective notifications and report the generated alerts to Workspace ONE Intelligence.

Troubleshooting Tips

You can access the notification history for each notification policy and identify the events generated. Workspace ONE Intelligence consumes each notification once: a query returns the notifications pending for the SIEM API key, Intelligence stores the threat details, and Carbon Black marks those notifications as sent. For that reason, do not query the notifications API with the same SIEM API key from another tool (a script, Postman, or a SIEM), or those notifications will never reach Workspace ONE Intelligence; create a separate SIEM API key for any other consumer.

Consider the following steps if you do not see the threat events in Workspace ONE Intelligence after the integration is complete and threat events have been generated on the endpoint.

1. Access the Notification History

Click the Notification History icon to identify the respective notification for events generated.

2. Filter the Notification Status

A filter can be used to display the notifications and respective status based on the time frame.

  • SCHEDULED status - notification was created but not yet queried by Workspace ONE Intelligence.
  • SENT status - notification was queried by Workspace ONE Intelligence.
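
The following added example (written for this page; it is not code from VMware, Carbon Black, or Workspace ONE Intelligence) shows what a consumer of a SIEM API key does with the notifications configured above: it builds the X-Auth-Token header, pulls the pending notifications from the Notifications API, flattens THREAT and POLICY_ACTION notifications into one record shape, and decides which devices an automation such as the Intelligence quarantine workflow would act on. The endpoint path and header format are those of the Carbon Black Cloud Notifications API; the notification field names are taken from the v3 response format and the sample payload is constructed, so verify both against your own tenant. Because every call drains the queue for the key it uses, run it only with a SIEM key created for this purpose, never with the key given to Workspace ONE Intelligence.

```python
import json
from typing import Any, Dict, List
from urllib.request import Request, urlopen

# Carbon Black Cloud Notifications API (the one endpoint a SIEM key may call).
NOTIFICATION_PATH = "/integrationServices/v3/notification"


def auth_header(api_id: str, api_secret: str) -> Dict[str, str]:
    """X-Auth-Token is '<API Secret Key>/<API ID>': secret first, then ID."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}", "Accept": "application/json"}


def fetch_notifications(base_url: str, api_id: str, api_secret: str) -> Dict[str, Any]:
    """Pull the notifications pending for this SIEM key (network call, not run offline).

    Each call is destructive for that key: what it returns moves from SCHEDULED to
    SENT and is never returned again, so use a dedicated SIEM key here, not the
    one Workspace ONE Intelligence polls with.
    """
    req = Request(base_url.rstrip("/") + NOTIFICATION_PATH,
                  headers=auth_header(api_id, api_secret))
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def normalize(payload: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten THREAT and POLICY_ACTION notifications into one record shape."""
    if not payload.get("success", False):
        raise RuntimeError(f"notification API error: {payload.get('message')}")
    records = []
    for n in payload.get("notifications", []):
        dev = n.get("deviceInfo", {})
        rec = {
            "type": n.get("type"),
            "time": n.get("eventTime"),
            "device_id": dev.get("deviceId"),
            "device_name": dev.get("deviceName"),
            "device_type": dev.get("deviceType"),
            "rule": n.get("ruleName"),      # the notification name set in the console
            "severity": None,               # threat score (1-10) for THREAT
            "action": None,                 # TERMINATE / DENY for POLICY_ACTION
            "sha256": [],
            "summary": n.get("eventDescription"),
        }
        if rec["type"] == "THREAT":
            ti = n.get("threatInfo", {})
            rec["severity"] = ti.get("score")
            rec["summary"] = ti.get("summary") or rec["summary"]
            rec["sha256"] = sorted({i["sha256Hash"] for i in ti.get("indicators", [])
                                    if i.get("sha256Hash")})
        elif rec["type"] == "POLICY_ACTION":
            pa = n.get("policyAction", {})
            rec["action"] = pa.get("action")
            if pa.get("sha256Hash"):
                rec["sha256"] = [pa["sha256Hash"]]
        records.append(rec)
    return records


def devices_to_quarantine(records: List[Dict[str, Any]], min_severity: int = 5) -> List[int]:
    """Device IDs an automation would quarantine: any enforced Terminate/Deny, or a
    threat scored at or above min_severity. The console threshold of 1 configured
    above means every alert arrives; the consumer applies its own bar."""
    hits = set()
    for r in records:
        if r["action"] in ("TERMINATE", "DENY") or (r["severity"] or 0) >= min_severity:
            hits.add(r["device_id"])
    return sorted(hits)


# Constructed sample response (not captured from a real tenant), in the shape of the
# v3 notification API: two threats of different score and one enforced policy action.
SAMPLE_PAYLOAD: Dict[str, Any] = {
    "success": True,
    "message": "Success",
    "notifications": [
        {"type": "THREAT", "eventTime": 1589452800000,
         "eventDescription": "Suspicious PowerShell activity",
         "ruleName": "Global Alert Notification",
         "deviceInfo": {"deviceId": 101, "deviceName": "WIN10-LAB-01", "deviceType": "WINDOWS"},
         "threatInfo": {"incidentId": "ABCD1234", "score": 7,
                        "summary": "powershell.exe invoked with an encoded command",
                        "indicators": [
                            {"applicationName": "powershell.exe", "sha256Hash": "aa" * 32,
                             "indicatorName": "ENCODED_COMMAND"},
                            {"applicationName": "powershell.exe", "sha256Hash": "aa" * 32,
                             "indicatorName": "NETWORK_ACCESS"}]}},
        {"type": "POLICY_ACTION", "eventTime": 1589452900000,
         "eventDescription": "Policy action enforced",
         "ruleName": "Global Policy Action Terminate Notification",
         "deviceInfo": {"deviceId": 205, "deviceName": "MBP-LAB-02", "deviceType": "MAC"},
         "policyAction": {"action": "TERMINATE", "applicationName": "dropper",
                          "sha256Hash": "bb" * 32, "reputation": "KNOWN_MALWARE"}},
        {"type": "THREAT", "eventTime": 1589453000000,
         "eventDescription": "Unsigned tool executed",
         "ruleName": "Global Alert Notification",
         "deviceInfo": {"deviceId": 310, "deviceName": "WIN10-LAB-03", "deviceType": "WINDOWS"},
         "threatInfo": {"incidentId": "EFGH5678", "score": 2,
                        "summary": "Unsigned tool ran", "indicators": []}},
    ],
}

if __name__ == "__main__":
    for rec in normalize(SAMPLE_PAYLOAD):
        print(rec["type"], rec["device_name"], rec["severity"], rec["action"], rec["sha256"])
    print("quarantine:", devices_to_quarantine(normalize(SAMPLE_PAYLOAD)))
```

To see live data, call fetch_notifications() with the Base URL you enter on the integration page and the API ID and secret of a test SIEM key; the SCHEDULED to SENT transition in Notification History happens on that call. normalize() keeps the score for threats and the enforced action for policy actions so a quarantine rule can be written against either, which matches the three notifications configured above (Terminate, Deny, and alerts at severity 1 and above).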

Integrating Workspace ONE Intelligence and VMware Carbon Black

Introduction

Workspace ONE Intelligence extracts events from VMware Carbon Black based on the notifications subscribed to by the previously configured SIEM API key. That data gives the administrator insight, through dashboards, into the threats reported, and also allows the administrator to leverage Intelligence automation to take action against the device and extend the threat remediation.

In this activity, you configure the VMware Carbon Black integration with Workspace ONE Intelligence.

Configuring VMware Carbon Black Integration in Workspace ONE Intelligence

Before you can integrate VMware Carbon Black with Workspace ONE Intelligence, you must launch the Workspace ONE Intelligence console. The VMware Carbon Black integration is available as part of the Trust Network integration in Workspace ONE Intelligence.

1. Launch Workspace ONE Intelligence Console

Devices > Dashboard

From the Workspace ONE UEM Console:

  1. Click the Square menu icon.
  2. Select Workspace ONE Intelligence.

2. Set Up VMware Carbon Black Integration

Workspace ONE Intelligence
  1. Click Integrations under Settings.
  2. Click Trust Network.
  3. Click Set Up on the Carbon Black card.

3. Configure the Carbon Black Integration

Workspace ONE Intelligence
  1. Enter the Base URL, which is the API URL for your respective VMware Carbon Black environment. To obtain the correct API URL, see PSC: What URLs are used to access the APIs? in the VMware Carbon Black Community.

Next, add the credentials of the API Key created with SIEM Access Level:

  1. For the SIEM Connector ID, enter that key's API ID.
  2. For the SIEM Key, enter that key's API Secret Key.

Finally, add the credentials of the API Key created with API Access Level:

  1. For the API Connector ID, enter that key's API ID.
  2. For the API Key, enter that key's API Secret Key.
  3. Click Authorize.

Note: Workspace ONE Intelligence uses only the SIEM Keys; the API Keys requested today are reserved for future use.

4. Confirm that the Integration is Successful

Workspace ONE Intelligence

An Authorized Status displays on the Carbon Black card – this confirms that Workspace ONE Intelligence can communicate with the respective VMware Carbon Black Cloud environment.

From this point Workspace ONE Intelligence will query Carbon Black Notifications using REST API to obtain threat alerts generated on the devices.

NOTE: If several consecutive attempts by Workspace ONE Intelligence to reach Carbon Black fail, Workspace ONE Intelligence automatically deauthorizes the connection, and an administrator must return to this page to reauthorize it.

Downloading Codes and Sensor Kits

Introduction

The sensor install and removal processes require a code. This code represents the identifier used to connect the endpoint with the respective VMware Carbon Black Cloud environment tenant. 

There are three types of code:

  • Registration Code - a single code to install the sensor in multiple devices only via command line or distribution tools like Workspace ONE UEM.
  • Activation Code - a unique code for a specific user to install the sensor via UI; the company code does not work when installing the sensor via UI.
  • Deregistration Code - a unique code used to allow the uninstall of the Carbon Black sensor.

These codes are required later in this operational tutorial. Ensure that you have copied the codes or have them easily accessible.

Downloading Registration and Activation Codes

The following steps explain how to obtain the code required for the installation of Carbon Black Sensor.

1. Access Registration Codes

Access registration codes on VMware Carbon Black
  1. Click Endpoints.
  2. Click Sensor Options.
  3. Click Company Codes.
  4. OPTIONAL: If the registration or deregistration code is missing, click the appropriate Generate New Code button.
  5. Copy the Registration Code which is required for a later exercise to perform the installation via Workspace ONE.
  6. Copy the Deregistration Code which is required for a later exercise to configure uninstallation via Workspace ONE.

2. (Optional) Request Activation Code for Sensor deployment via UI Installer

This step is optional and is included to guide you through the required steps to install Carbon Black Cloud Sensor via UI Installer.

Configure Sensor options in VMware Carbon Black
  1. Click Endpoints.
  2. Click Sensor Options.
  3. Click Send installation request.

2.1. Send Installation Request

Sensor Management in VMware Carbon Black
  1. Enter the First Name.
  2. Enter the Last Name.
  3. Enter an Email that will receive the activation code and link to download the installer.
  4. Click Send.

The user receives an email similar to the example shown, which includes the unique Activation Code to be used during the UI installation.

Downloading Sensor Kits

Download the Carbon Black Cloud Sensor installer for multiple platforms from the VMware Carbon Black Cloud Console or email the sensor installer directly to the end user as part of the installation request process. 

The following steps illustrate how to download the Carbon Black sensors for macOS and Windows 10.

1. Access the Sensor Download

Download Sensor Kits on VMware Carbon Black Cloud console
  1. Click Endpoints.
  2. Click Sensor Options.
  3. Click Download Sensor Kits.

2. Download the Carbon Black Sensor for macOS and Windows 10

Download Sensors for macOS and Windows 10 on VMware Carbon Black Cloud console.
  1. Click Download Kit for Windows 64-bit to obtain the installer for Windows 10.
  2. Click Download Kit for macOS 10.10-10.15 to obtain the installer for macOS.
  3. Click Close.

Deploying Carbon Black Sensor for Windows 10

Introduction

To protect the endpoint, the Carbon Black Cloud sensor must be installed.

VMware Carbon Black Cloud sensor (formerly CB Defense) acts as an agent on the endpoint; it communicates with the VMware Carbon Black Cloud to provide data to the analytics engine.

Deploying Carbon Black Cloud Sensor Manually on Windows 10

Launch the Carbon Black Cloud Sensor MSI to initiate the installation process and click Next until you are asked for a code. The interactive installer accepts only the Activation Code sent to the user by email in Send Installation Request; the tenant-wide Registration Code (Company Code) is for command-line and Workspace ONE UEM deployments and is rejected here.

Install Carbon Black Cloud Sensor

Deploying Carbon black sensor on Windows 10
  1. Enter the Activation Code as obtained in Send Installation Request.
  2. Click Install.

After the installation is complete, the Carbon Black Cloud sensor runs as a service. Open Windows Services to confirm.

Note: The Registration Code cannot be used with this type of installation. You must use the Activation code sent via email.

Deploying Carbon Black Cloud Sensor as a Managed Application with Workspace ONE UEM

The Carbon Black Cloud sensor can be deployed as a managed application with Workspace ONE UEM allowing the administrator to silently deploy the sensor across all managed devices.

From the Workspace ONE UEM Console, upload the Carbon Black Cloud Sensor MSI as an internal application.

Configure Sensor Deployment Options

Configure carbon black Sensor deployment options in Workspace ONE UEM console

Add the Carbon Black Cloud sensor as an internal application and configure the deployment options as follows:

  1. Set the Install Command to msiexec /i "installer_vista_win7_win8-64-3.5.0.1523.msi" /qn COMPANY_CODE=<REPLACE WITH YOUR REGISTRATION CODE>. Note: You can append /log <file name> to the Install Command to obtain an installation log for troubleshooting. An MSI log records the installer properties passed on the command line, so it can contain the company code; protect the log file as you would the code itself.
  2. Ensure Admin Privileges is set to YES - Carbon Black Cloud sensor requires admin privileges for installation.
  3. Update the MSI file name as needed and replace the <REPLACE WITH YOUR REGISTRATION CODE> tag with the Registration Code obtained earlier.
    All the other parameters related to the How to Install section are automatically set by Workspace ONE UEM.
  4. Click Save & Assign and assign the Carbon Black Cloud sensor application to the Assignment Groups that represent the devices that should have the sensor installed.

Note: The Company Code refers to the Registration Code obtained in Access Registration Codes. It enrolls any sensor into your tenant, so keep it confined to the Workspace ONE UEM application record rather than sharing it in documentation or email.

Deploying Carbon Black Sensor for macOS

Introduction

To protect the endpoint, the Carbon Black Cloud sensor must be installed. VMware Carbon Black Cloud sensor (formerly CB Defense) acts as an agent on the endpoint; it communicates with the VMware Carbon Black Cloud to provide data to the analytics engine.

This section of the tutorial provides guidance on how to deploy the Carbon Black sensor for macOS through Workspace ONE UEM and manually.  

Note: The content in this portion of the Operational Tutorial might vary based on the specific version of Carbon Black cloud and Workspace ONE UEM. The content in this guide was created using Workspace ONE UEM 2004.

macOS Prerequisites for Deploying Carbon Black Cloud Sensor

Prior to deploying the Carbon Black sensor for macOS, Workspace ONE administrators must configure a few prerequisites within macOS. These prerequisites ensure that the Carbon Black sensor has appropriate permissions for macOS High Sierra and later.

1. Add Profile

Add Profile for Carbon Black sensor in Workspace ONE UEM admin console
  1. Click Add.
  2. Click Profile.

2. Select macOS Profile

Select macOS profile in Workspace ONE UEM admin console

Select macOS.

3. Select Device Profile

Select device profile in Workspace ONE UEM admin console

Select Device Profile.

4. Configure General Tab

Configure Carbon black sensor profile in Workspace ONE UEM admin console

Configure the General profile settings as necessary, but include the following:

  1. Enter a Name for the profile (such as Carbon Black Settings).
  2. Select Auto as the Assignment Type.
  3. Select an appropriate Smart Group.

Tip: The smart groups that you select here should match the smart groups used for deploying the Carbon Black sensor for macOS in a later exercise.

5. Configure Kernel Extension Policy Payload

Configure Kernel Extension Policy in Workspace ONE UEM admin console

Carbon Black recommends submitting the applicable Carbon Black Defense KEXT IDs for approval by Workspace ONE UEM before install or upgrade of macOS sensor version 3.0 and later.

  1. Click Kernel Extension Policy.
  2. Click Configure.

6. Enter Kernel Extension Policy Settings

Configure Kernel extensions in Workspace ONE UEM Admin console
  1. Enter the Carbon Black team identifier: 7AGZNQ2S2T
  2. Enter the Carbon Black Kernel Extension Bundle ID:  com.carbonblack.defense.kext

7. Configure Privacy Preferences Payload

  1. Click Privacy Preferences.
  2. Click Configure.

8. Add App Privacy Preferences

Click Add App.

9. Configure Privacy Preferences

Configure privacy preferences for macOS profile in Workspace ONE UEM admin console

For the macOS sensor to operate at full functionality on an endpoint running macOS 10.14.5 or later, the sensor must have Full Disk Access. This payload grants the CbDefense sensor Full Disk Access.

  1. Enter CbDefense.
  2. Select Bundle ID.
  3. Copy and paste the following code requirement: identifier CbDefense and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
  4. Scroll down to the list of Services.
  5. Select Allow for System Policy All Files.
  6. Click Save.

10. Save and Publish the Profile

Save and publish the macOS profile in Workspace ONE UEM admin console

Click Save and Publish.

11. Publish the Profile

Publish the macOS profile in Workspace ONE UEM admin console

Click Publish.

Deploying Carbon Black Cloud Sensor Manually on macOS

Launch the Carbon Black Cloud Sensor installation package to initiate the installation process. Click Continue until you are asked for an activation code. Use the Activation Code from the activation email (see Request Activation Code for Sensor deployment via UI Installer); the tenant-wide Registration Code does not work in the UI installer.

1. Launch Installer

Run VMware Carbon Black Cloud sensor installer on macOS
  1. Double-click the downloaded dmg, and then launch CbDefense Install.
  2. Click Continue in the run a program prompt.
  3. Click Continue twice.

2. Accept Terms of Use

Agree to terms of use to install VMware Carbon Black Cloud sensor on macOS

Click Agree.

3. Enter Activation Code

  1. Enter the Activation Code from Send Installation Request.
  2. Click Continue then click Install.

Note: If prompted, enter the password for an administrative user.

4. Close the Installer

Close VMware Carbon Black cloud sensor installer on macOS

Click Close.

macOS Prerequisites for Deploying Carbon Black Cloud Sensor as a Managed Application

When creating a non-store, managed application for macOS in Workspace ONE, admins must supply the icon file, installer (dmg or pkg), and metadata file. The metadata file contains details allowing the Workspace ONE Intelligent Hub for macOS to determine if the managed application is installed and if the installed application is the correct version.  

Prior to configuring the Sensor kit deployment, you must generate the required icon and metadata file with the Workspace ONE Admin Assistant application. Additionally, the structure of the sensor kit deployment package requires some additional modification to the metadata (PLIST) file prior to deployment. 

This section demonstrates how to parse the sensor kit and modify the PLIST file to correctly distribute the Carbon Black sensor as a managed application.

1. Upload Sensor Kit to Workspace ONE Admin Assistant

Drag Sensor Kit onto Workspace ONE Admin Assistant in macOS

Open the Workspace ONE Admin Assistant, then drag the Sensor Kit (confer_installer_mac-<version>.dmg) downloaded from the Carbon Black Cloud console onto the Workspace ONE Admin Assistant window.

2. Reveal Output in Finder

Click Reveal in Finder when complete.

3. Open Plist for Modifications

  1. Expand the CbDefense Install-<version> folder and right-click CbDefense Install-<version>.plist.
  2. Click Open With.
  3. Select the editor of your choice, such as BBEdit, Visual Studio Code, Xcode, or TextEdit.

Note: For the remainder of this tutorial, text editing and manipulation examples are shown in BBEdit.

4. Make Modifications to the Plist

Add the following XML snippets to the file between the outer <dict></dict> tags as shown in the previous screenshot.

Installs Array:

  • Modify the values for CFBundleShortVersionString and CFBundleVersion to match the version you are deploying.
	<key>installs</key>
	<array>
		<dict>
			<key>CFBundleIdentifier</key>
			<string>CbDefense</string>
			<key>CFBundleName</key>
			<string>CbDefense</string>
			<key>CFBundleShortVersionString</key>
			<string>3.4.2.23</string>
			<key>CFBundleVersion</key>
			<string>3.4.2.23</string>
			<key>minosversion</key>
			<string>10.6</string>
			<key>path</key>
			<string>/Applications/Confer.app</string>
			<key>type</key>
			<string>application</string>
			<key>version_comparison_key</key>
			<string>CFBundleShortVersionString</string>
		</dict>
	</array>

Note
You must replace the CFBundleShortVersionString and CFBundleVersion values in the installs array if those are different for the particular version of the Sensor you are deploying. 

Alternatively, you can generate the installs array in one of the following ways:

  1. Extract Confer.app from the installer package (using an app such as Suspicious Package) and run Confer.app through the Workspace ONE Admin Assistant app. The PLIST generated in this case contains the appropriate installs array.
  2. If the Carbon Black sensor is already installed on the machine that runs Workspace ONE Admin Assistant, copy Confer.app to your ~/Downloads directory (cp -R /Applications/Confer.app ~/Downloads) and then parse ~/Downloads/Confer.app through the Workspace ONE Admin Assistant app. The PLIST generated in this case contains the appropriate installs array.

If you use Confer.app to generate an installs array, copy only the installs array (and no other key-value pairs) into the CbDefense Install-<version>.plist file; the other keys describe Confer.app rather than the sensor kit you upload.

5. Save and Close

Save and Close the modified PLIST in your editor of choice.
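
Editing the plist by hand works for one version; the following added example (written for this page, not VMware's or Carbon Black's code) does the same edit with Python's plistlib so it can be rerun for each sensor release. installs_entry() is the array from step 4 above; set_installs() inserts it and refuses to proceed when the version disagrees with the plist's own version key; copy_installs_only() implements the alternative of lifting just the installs array from a plist generated for Confer.app; version_from_app() reads the version from an installed Confer.app. The key names in the constructed KIT_PLIST and APP_PLIST samples (name, display_name, version, installer_type) are assumed, illustrative stand-ins for real Admin Assistant output, and versions_agree() assumes that output carries a top-level version key; if yours does not, the check passes.

```python
import plistlib
from pathlib import Path
from typing import Any, Dict, Optional

CONFER_APP = "/Applications/Confer.app"


def installs_entry(version: str) -> Dict[str, str]:
    """One 'installs' item: Intelligent Hub treats the sensor as installed when
    Confer.app exists and reports this CFBundleShortVersionString."""
    return {
        "CFBundleIdentifier": "CbDefense",
        "CFBundleName": "CbDefense",
        "CFBundleShortVersionString": version,
        "CFBundleVersion": version,
        "minosversion": "10.6",
        "path": CONFER_APP,
        "type": "application",
        "version_comparison_key": "CFBundleShortVersionString",
    }


def as_dict(plist_bytes: bytes) -> Dict[str, Any]:
    """Parse plist bytes (XML or binary) into a dict."""
    return plistlib.loads(plist_bytes)


def version_from_app(app_path: str = CONFER_APP) -> Optional[str]:
    """Sensor version reported by an installed Confer.app, or None if it is absent."""
    info = Path(app_path) / "Contents" / "Info.plist"
    if not info.is_file():
        return None
    with info.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def versions_agree(plist_bytes: bytes, version: str) -> bool:
    """True when the metadata's top-level 'version' (assumed to be what the Admin
    Assistant recorded for the kit) matches the version going into 'installs';
    a mismatch makes Hub report the wrong state for the app."""
    return str(as_dict(plist_bytes).get("version", version)) == version


def set_installs(plist_bytes: bytes, version: str) -> bytes:
    """Return the metadata plist with exactly one CbDefense 'installs' entry; every
    other key is left as the Admin Assistant wrote it."""
    if not versions_agree(plist_bytes, version):
        raise ValueError("installs version does not match the kit version in the plist")
    data = as_dict(plist_bytes)
    data["installs"] = [installs_entry(version)]
    return plistlib.dumps(data)


def copy_installs_only(target_bytes: bytes, generated_bytes: bytes) -> bytes:
    """Bring over only the 'installs' array from a plist the Admin Assistant produced
    for Confer.app (its other keys describe the .app, not the .dmg being uploaded)."""
    generated = as_dict(generated_bytes)
    if "installs" not in generated:
        raise ValueError("generated plist has no installs array")
    target = as_dict(target_bytes)
    target["installs"] = generated["installs"]
    return plistlib.dumps(target)


def patch_metadata_file(path: str, version: Optional[str] = None) -> str:
    """Rewrite 'CbDefense Install-<version>.plist' in place. With no version given,
    use the one an installed Confer.app reports (the tutorial's second alternative)."""
    version = version or version_from_app()
    if version is None:
        raise SystemExit("no version given and Confer.app is not installed on this Mac")
    target = Path(path)
    target.write_bytes(set_installs(target.read_bytes(), version))
    return version


# Constructed stand-ins for the two files in play (key names assumed); real Admin
# Assistant output carries more keys, which these functions leave untouched.
KIT_PLIST = plistlib.dumps({"name": "CbDefense Install", "display_name": "CbDefense Install",
                            "version": "3.4.2.23", "installer_type": "pkg"})
APP_PLIST = plistlib.dumps({"name": "Confer", "version": "3.4.2.23",
                            "installs": [installs_entry("3.4.2.23")]})

if __name__ == "__main__":
    import sys
    # Usage: python3 add_installs.py "CbDefense Install-3.4.2.23.plist" [version]
    print(patch_metadata_file(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

plistlib.dumps() writes an XML plist, the same form the Admin Assistant produces, so the patched file uploads unchanged in the Upload Metadata File step. Keeping the version check in a separate function makes the failure explicit instead of silently producing metadata that Hub will never match against the installed sensor.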

Deploying Carbon Black Cloud Sensor as a Managed Application with Workspace ONE UEM

With the PLIST file modified and the prerequisites deployed, a Workspace ONE administrator is ready to deploy the Carbon Black Cloud sensor to enrolled macOS devices.

1. Add Application

Add application for Carbon Black cloud sensor in Workspace ONE UEM admin console

In the Workspace ONE UEM admin console, perform the following steps:

  1. Click Apps & Books.
  2. Click Native.
  3. Click Internal.
  4. Click Add Application.

2. Upload App

Click Upload.

3. Choose and Save File

Select Carbon Black cloud sensor for macOS in the Workspace ONE UEM admin console
  1. Click Choose File. Browse to the confer_installer_mac-<version>.dmg  file generated by the Workspace ONE Admin Assistant and click Choose.
  2. Click Save.
  3. Click Continue.

4. Upload Metadata File

Select the PLIST file for Carbon black cloud sensor for macOS in the Workspace ONE UEM admin console
  1. Click Upload.
  2. Click Choose File. Browse to the CbDefense Install-3.4.2.23.plist  file generated by the Workspace ONE Admin Assistant and click Choose.
  3. Click Save.
  4. Click Continue.

5. Add Image for App Install

Drag the CbDefense Install.png graphic to the Workspace ONE UEM console.

6. Add Preinstall Script

Edit script to install Carbon black cloud sensor for macOS
  1. Select the Scripts tab.
  2. Paste the following Script into the Pre-Install Script making sure to replace the Code value with your Registration Code as obtained in Access Registration Codes.

Note: The pre-install script populates a configuration file (cfg.ini) that the Carbon Black sensor installer reads during installation. The file contains the registration code and is created world-readable (mode 644), so any local user can read it while it exists; if that matters in your environment, remove /tmp/cbdefense-install in a post-install script once the sensor is installed.

Option 1:  Pre-Install Script with only the Registration Code

This option includes the bare minimum required information (the Registration Code) to install the Carbon Black Cloud Sensor for macOS.  

#!/bin/bash
# Writes the cfg.ini that the Carbon Black sensor installer reads for an unattended install.
# A dedicated variable is used for the directory: assigning it to PATH would replace the
# shell's command search path, which is why every binary below is also called by absolute path.
CFG_DIR="/tmp/cbdefense-install"
/bin/mkdir -p "$CFG_DIR"
/usr/bin/touch "$CFG_DIR/cfg.ini"
/bin/chmod 644 "$CFG_DIR/cfg.ini"
/bin/cat > "$CFG_DIR/cfg.ini" <<- EOM
[customer]
Code=12345
EOM

Option 2: Advanced Pre-Install Script

The following pre-install script contains additional values that can be used to customize the sensor installation. The ${...} and {true|false} entries are placeholders: replace each with a literal value (or delete the line) before use, because an unset shell variable expands to nothing and writes an empty setting. Use these at your discretion and refer to the Carbon Black documentation for the proper usage and parameter values.

#!/bin/bash
# Writes the cfg.ini that the Carbon Black sensor installer reads. CFG_DIR is used
# instead of PATH so the shell's command search path is left intact.
# Every ${...} and {true|false} below is a placeholder to be replaced before use.
CFG_DIR="/tmp/cbdefense-install"
/bin/mkdir -p "$CFG_DIR"
/usr/bin/touch "$CFG_DIR/cfg.ini"
/bin/chmod 644 "$CFG_DIR/cfg.ini"
/bin/cat > "$CFG_DIR/cfg.ini" <<- EOM
[customer]
Code=${COMPANY_CODE}
ProxyServer=${PROXY_SERVER}
ProxyServerCredentials=${PROXY_CREDS}
LastAttemptProxyServer=${LAST_ATTEMPT_PROXY_SERVER}
PemFile=customer.pem
AutoUpdate={true|false}
AutoUpdateJitter={true|false}
InstallBypass={true|false}
FileUploadLimit=${FILE_UPLOAD_LIMIT}
GroupName=${GROUP_NAME}
EmailAddress=${USER_NAME}
BackgroundScan={true|false}
RateLimit=${RATE_LIMIT}
ConnectionLimit=${CONNECTION_LIMIT}
QueueSize=${QUEUE_SIZE}
LearningMode=${LEARNING_MODE}
{POC=1}
CbLRKill={true|false}
HideCommandLines={true|false}
EOM

7. Add Uninstall Script

Define uninstall script for carbon black cloud sensor for macOS in Workspace ONE UEM admin console
  1. Scroll to the Uninstall Scripts section.
  2. Choose Uninstall Script as the uninstall method.
  3. Ensure your script is ready, then paste the uninstall script (including the Deregistration Code found in Access Registration Codes) in the Uninstall Script section.

Uninstall Script:

#!/bin/bash
/Applications/Confer.app/uninstall -y -c {Deregistration_Code}

8. Set Deployment Options

  1. Select No for Blocking Applications.
  2. Click Save and Assign.

Note: Blocking Apps should be set to NO as the end-user does not need to be prompted to close any Carbon Black applications.   This is all handled by the Intelligent Hub and the Carbon Black sensor installer.

9. Configure Distribution

Distribution settings for Carbon Black cloud sensor for macOS
  1. Enter a name for the Distribution. For example, All Macs.
  2. Select Assignment Groups containing the devices which should receive the Carbon Black cloud sensor.
  3. Select Auto.
  4. Determine if you want the user to see the Carbon Black install in their App Catalog. In most cases, this can be Disabled.

10. Configure Restrictions and Create

Configure Restrictions for carbon black cloud sensor for macOS
  1. Click Restrictions.
  2. Enable Remove on Unenroll.
  3. Enable Desired State Management.
  4. Click Create.

11. Save Assignment

  1. If required, click Exclusions to add exclusions to the assignments.
  2. If required, click Add Assignment and repeat the steps starting at Configure Distribution.
  3. If required, adjust the priority for the assignments.
  4. Click Save.

12. Publish Assignment

Publish assignments for Carbon Black Cloud sensor for macOS

Review the assignment Preview and click Publish.

Confirming Carbon Black Sensor Installation

Introduction

In this section, confirm that the Carbon Black Cloud Sensor has deployed successfully to chosen devices.

Confirming Carbon Black Sensor Deployment in Carbon Black Console

In this activity, use the VMware Carbon Black Cloud Console to confirm that the Carbon Black Cloud sensor was deployed to endpoints.

1. Confirm Sensor Deployment in VMware Carbon Black Cloud Console

To confirm the installation of Carbon Black Cloud sensor on the endpoints, log in to the VMware Carbon Black Cloud Console and under EndPoints, review the list of the endpoints that checked-in with Carbon Black.

You can identify the endpoint status for each; green means the device is in communication with VMware Carbon Black Cloud.

Confirming Carbon Black Sensor Deployment in Workspace ONE UEM

In this activity, use the Workspace ONE UEM Admin Console to confirm that the sensor was installed as a managed application on assigned devices.

1. Confirm Sensor Installed as a Managed Application

Confirm that the Carbon Black Cloud sensor for macOS was installed, in the Workspace ONE UEM Admin Console

In the Workspace ONE UEM Console, navigate to Devices > List View. Select a device and click Apps to confirm that the Carbon Black Cloud Sensor is installed as a managed application on the devices you assigned.

Confirming Sensor Install on Windows 10

In this activity, validate that the Carbon Black Cloud sensor for Windows has installed successfully.

1. Validate UI for Sensor Install

Locate the Carbon Black Cloud sensor on the Windows task bar

Locate the Carbon Black Cloud Sensor on the Windows Task Bar.

2. Review Logging

The installation log is written to the temp folder defined for the endpoint; you can open this folder through Windows Explorer or the command line using the %TEMP% variable. The default log file name is log.txt, or the name defined with the /L parameter during installation.

Review the log for a note stating that the install of CbDefense was successful.

A confer-temp.log file is also generated in the temp folder; it shows the sensor's registration attempts to the cloud. Both log files are required when troubleshooting installation and upgrade issues.

Confirming Sensor Install on macOS

In this activity, validate that the Carbon Black Cloud sensor for macOS has installed successfully.

1. Validate UI for Sensor Install

Open the Confer app in macOS to confirm installation of the Carbon Black Cloud sensor for macOS
  1. Open Finder and click Applications.
  2. Ensure the Confer app is present.
  3. You may also see the Confer menulet in the menu bar.

2. Review Logging

Review the log to confirm that the Carbon Black Cloud sensor for macOS was installed
  1. Open Terminal.app and type the following command:
     tail -50 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log
  2. Review the log for a note stating that the install of CbDefense was successful.

Simulating Threat Events and Validating the Integration

Introduction

You can validate the integration between VMware Carbon Black and Workspace ONE Intelligence by simulating suspicious activity on the endpoint. The Carbon Black Cloud sensor identifies and remediates the activity and reports it to VMware Carbon Black Cloud, which makes it available as alerts. Based on the notification settings configured earlier, Workspace ONE Intelligence extracts the available alerts every 30 seconds.

In this activity, you learn how to generate suspicious activity on the endpoint to create alerts in VMware Carbon Black Cloud and have them surface as insights in Workspace ONE Intelligence.

Simulating Suspicious Activities on the Endpoint

In this activity, learn how to generate suspicious activity on the endpoint to create alerts, and identify the corresponding alerts in VMware Carbon Black and Workspace ONE Intelligence.

Open an Internet Browser on Windows 10 Device


On the Windows 10 device where the Carbon Black Cloud Sensor is installed, open an Internet browser, go to https://www.eicar.org/?page_id=3950, and download the anti-malware test file eicar.com from that page.

The Carbon Black sensor blocks the download and generates an alert in VMware Carbon Black Cloud, which later syncs to Workspace ONE Intelligence.

Identifying Alerts in the VMware Carbon Black Cloud Console

The generated threats are first available in Carbon Black Cloud and can be viewed in the Carbon Black Console.

Alerts indicate known threats and suspicious behavior across endpoints.


In the VMware Carbon Black Cloud Console, click Alerts. You should see multiple alerts generated by the activity on the endpoint, classified as Severity 6, along with the first and last seen time for each event, and so on.

Identifying Alerts in the Workspace ONE Intelligence Console

As a result of the Workspace ONE Intelligence integration with Carbon Black, the threat data is synchronized and available as insights using the dashboard on Workspace ONE Intelligence.

Identify alerts from Carbon Black in Workspace ONE Intelligence

For a list of all available alerts in the Workspace ONE Intelligence Console, go to the Threat Summary dashboard under Security Risk and click View.

You can order the results by clicking the Event Time column.

You should see at least two events. Compare the Event Time occurrence for both alerts – in Workspace ONE Intelligence, check the Event Time column, and in the VMware Carbon Black Console, check the First Seen column.
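The comparison above can be scripted. The Python below is an added example, not part of the tutorial or of either product: it reconciles a constructed snapshot of Carbon Black alerts (First Seen) against the threat events shown in Intelligence (Event Time) and flags alerts that are older than the 30-second polling interval but still absent from Intelligence. Device names, alert ids and timestamps are constructed sample data, not console exports.

```python
from datetime import datetime, timedelta, timezone

# Polling interval stated in the tutorial: Intelligence pulls Carbon Black alerts every 30 seconds.
POLL_INTERVAL = timedelta(seconds=30)

# Constructed sample data (not console exports): alerts as listed in the Carbon Black Cloud
# console (First Seen) and the threat events shown in the Intelligence Threat Summary (Event Time).
CB_ALERTS = [
    {"alert_id": "A-1", "device": "WIN10-LAB-01", "severity": 6, "first_seen": "2020-07-01T14:02:10Z"},
    {"alert_id": "A-2", "device": "WIN10-LAB-01", "severity": 6, "first_seen": "2020-07-01T14:02:12Z"},
    {"alert_id": "A-3", "device": "MAC-LAB-07", "severity": 3, "first_seen": "2020-07-01T14:05:00Z"},
    {"alert_id": "A-4", "device": "MAC-LAB-07", "severity": 5, "first_seen": "2020-07-01T14:03:00Z"},
]
WS1_EVENTS = [
    {"device": "WIN10-LAB-01", "event_time": "2020-07-01T14:02:10Z"},
    {"device": "WIN10-LAB-01", "event_time": "2020-07-01T14:02:12Z"},
    # A-3 and A-4 have not appeared in Intelligence in this constructed snapshot.
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(cb_alerts, ws1_events, now):
    """Match each Carbon Black alert to an Intelligence event on the same device whose
    Event Time equals the alert's First Seen (the tutorial's expectation).

    Returns three lists of alert ids: synced (present in Intelligence), pending (absent
    but younger than one polling interval, so it may arrive on the next poll) and
    missing (older than one polling interval and still absent, which points at the
    notification configuration rather than at timing)."""
    seen = {(e["device"], parse_ts(e["event_time"])) for e in ws1_events}
    synced, pending, missing = [], [], []
    for alert in cb_alerts:
        first_seen = parse_ts(alert["first_seen"])
        if (alert["device"], first_seen) in seen:
            synced.append(alert["alert_id"])
        elif now - first_seen <= POLL_INTERVAL:
            pending.append(alert["alert_id"])
        else:
            missing.append(alert["alert_id"])
    return synced, pending, missing


if __name__ == "__main__":
    # Snapshot taken 20 seconds after A-3 was first seen: A-3 is pending, A-4 is missing.
    print(reconcile(CB_ALERTS, WS1_EVENTS, parse_ts("2020-07-01T14:05:20Z")))
```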


Carbon Black Dashboards and Automation in Workspace ONE Intelligence

Introduction

In this activity, you review the custom dashboards available for threats and learn how to extend threat remediation with automation.

Reviewing Custom Dashboards for Threats

In addition to the out-of-the-box dashboard, administrators can take advantage of custom dashboards to create customized visualizations and personalized widgets.

Workspace ONE Intelligence includes a set of template widgets for VMware Carbon Black threats to help you to easily create a dashboard.

Create Custom Dashboards for Threats


Extending Threat Remediation and Device Quarantine with Automation

The integration of VMware Carbon Black and Workspace ONE Intelligence enables automation based on threats: the administrator can take actions against the device, or in third-party tools, based on the incoming threats reported by VMware Carbon Black.

As an example, you can quarantine devices in VMware Carbon Black when high-severity threats are detected on Windows devices. In addition, you can take the following actions:

  • Tag the device as At Risk in Workspace ONE UEM, making the UEM administrator aware of vulnerable devices.
  • Notify the end user via e-mail.
  • Notify the security team via Slack about the attack and share all the relevant information.
  • Create an incident ticket in ServiceNow for tracking and audit purposes.

To quarantine a device in VMware Carbon Black, use the Automation Custom Connector, which extends the automation capabilities to other systems and tools through REST APIs.

Steps to Set Up the VMware Carbon Black Custom Connector

To set up the VMware Carbon Black Custom Connector in Workspace ONE Intelligence and enable the quarantine device action, download the VMware Carbon Black Cloud Sample Collection from GitHub and follow its instructions.
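To make concrete what the connector does when the automation fires, the Python below is an added example, not the Sample Collection or the product's own connector code. It applies the tutorial's policy gate (high-severity threats on Windows devices) and builds, without sending, the Carbon Black Cloud Devices API request; the endpoint and body shape (POST /appservices/v6/orgs/{org_key}/device_actions, action_type QUARANTINE, X-Auth-Token as secret/id) are assumed from the Carbon Black Cloud API and should be verified against the Sample Collection. Hostname, org key, credentials, device ids and threat field names are constructed placeholders.

```python
import json

# Constructed placeholders, not real values: use your Carbon Black Cloud console hostname,
# org key, and an API key that has the device quarantine permission.
CBC_HOSTNAME = "cbc-console.example"
ORG_KEY = "EXAMPLEORG"
API_ID = "EXAMPLE_API_ID"
API_SECRET = "EXAMPLE_API_SECRET"


def should_quarantine(threat, min_severity=6, platforms=("WINDOWS",)):
    """Policy gate from the tutorial: act only on high-severity threats on Windows devices.
    The severity and platform field names are assumed, not Intelligence's schema."""
    return threat["severity"] >= min_severity and threat["platform"].upper() in platforms


def build_quarantine_request(device_id, enable=True, hostname=CBC_HOSTNAME,
                             org_key=ORG_KEY, api_id=API_ID, api_secret=API_SECRET):
    """Build, but do not send, the Devices API request the custom connector would issue.
    Assumed endpoint and body (verify against the Sample Collection):
    POST /appservices/v6/orgs/{org_key}/device_actions with action_type QUARANTINE and
    options.toggle ON (isolate the device) or OFF (release it)."""
    if not isinstance(device_id, int) or device_id <= 0:
        # Carbon Black device ids are numeric; a UEM UDID or serial number will not work here.
        raise ValueError("device_id must be the positive integer id assigned by Carbon Black")
    body = {"action_type": "QUARANTINE", "device_id": [device_id],
            "options": {"toggle": "ON" if enable else "OFF"}}
    return {
        "method": "POST",
        "url": f"https://{hostname}/appservices/v6/orgs/{org_key}/device_actions",
        # Carbon Black Cloud API keys authenticate as "<secret>/<id>" in X-Auth-Token (assumed).
        "headers": {"X-Auth-Token": f"{api_secret}/{api_id}", "Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def plan_actions(threats):
    """Return one quarantine request per threat that passes the policy gate."""
    return [build_quarantine_request(t["device_id"]) for t in threats if should_quarantine(t)]


if __name__ == "__main__":
    # Constructed threat records; only the first should trigger a quarantine.
    sample = [
        {"device_id": 4242, "platform": "WINDOWS", "severity": 6},
        {"device_id": 4243, "platform": "MAC", "severity": 6},
        {"device_id": 4244, "platform": "WINDOWS", "severity": 3},
    ]
    for request in plan_actions(sample):
        print(request["method"], request["url"], request["body"])
```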

Summary and Additional Resources

Conclusion

This operational tutorial provided steps on how to configure the integration between Workspace ONE Intelligence and VMware Carbon Black to obtain threat insights and extend threat remediation with the Workspace ONE Intelligence Automation engine.

Procedures included:

  • Configuring prerequisites
  • Integrating Workspace ONE Intelligence and VMware Carbon Black
  • Deploying the Carbon Black Cloud Sensor on Windows 10 and macOS
  • Validating the integration

For more information about Workspace ONE Intelligence, see the following resources:

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 


Change Log

The following updates were made to this guide:

  • 2020/07/1: Added steps to deploy Carbon Black Sensor on macOS

About the Authors and Contributors

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Contributors to this tutorial:

  • Robert Terakedis, Senior Technical Marketing Manager, End-User Computing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
