Integrating Workspace ONE Intelligence and VMware Carbon Black: Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. VMware Workspace ONE® Intelligence™ is designed to simplify user experience without compromising security. The intelligence service aggregates and correlates data from multiple sources to give you complete visibility into your entire environment. This includes automated workflow processes leveraging the Automation engine to take actions against the devices managed by Workspace ONE UEM and integrated actions with third-party tools.

The VMware Carbon Black Cloud™ is a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console.

In today’s environment, merely blocking known malware is obsolete. Cybercriminals continually learn how to obscure their actions amid the ever-growing activity within your organization. Polymorphic ransomware and file-less attacks are growing in prevalence, so legacy approaches to prevention leave you vulnerable.

In this tutorial, you will learn how to configure the integration between Workspace ONE Intelligence and VMware Carbon Black to obtain threat insights and extend threat remediation with Custom Connector and the  Workspace ONE Intelligence Automation engine.

Watch the Workspace ONE Intelligence and VMware Carbon Black: Automating Device Quarantine -Technical Overview video to view the steps you will go through in this tutorial.

Audience

This operational tutorial is intended for IT security professionals and Workspace ONE administrators of existing production environments. Familiarity with Workspace ONE Intelligence, Workspace ONE UEM, VMware Carbon Black Cloud, and knowledge of endpoint security and networking is assumed. Knowledge of additional tools and technologies such as Postman and REST API and are also helpful.

Prerequisites

Before you perform the procedures in this guide, verify that you have access to the following components:

  • Workspace ONE UEM with permission to manage devices and applications, and Workspace ONE Intelligence enabled
  • Workspace ONE Intelligence with admin account credentials and the Administrator role assigned
  • VMware Carbon Black Cloud management console and admin account credentials with permission to configure API Keys
  • A Windows 10 device to test the integration

How the Integration Works

Introduction

When Workspace ONE Intelligence is integrated with VMware Carbon Black Cloud, you can set up automatic actions to mitigate threats to your managed devices. This chapter describes how this integration works in the example of a device quarantine.

Workflow Integration Applied to a Device Quarantine Use Case

Workspace ONE Intelligence provides an automation engine that enables IT administrators to take actions on managed devices based on multiple sources of data. When integrated with VMware Carbon Black Cloud, Workspace ONE Intelligence receives alerts and enables automated workflows based on incoming threats, to allow you to take automated actions on the device.

For example, malware can be identified by the Carbon Black Sensor on the device as a high threat severity, which generates alerts in Carbon Black Cloud. The integration enables Workspace ONE Intelligence to receive those alerts and take action on the device based on automated workflows, such as to quarantine the device blocking network communication with other devices in the organization.

Carbon Black Cloud uses the Data Forward API to obtain the alerts and make them available in Workspace ONE Intelligence. A set of Carbon Black API Keys is required to enable the integration in Workspace ONE Intelligence. The Data Forward API enables access to different types of events. For this integration, however, only alerts (event type = CB_ANALYTICS) are pulled out by Workspace ONE Intelligence.

The Data Forward API accumulates data in batches before making it available in Workspace ONE Intelligence. Alerts are batched every 30 seconds.

A single threat can generate multiple alerts which are sent to Workspace ONE Intelligence. Automation based on Carbon Black threats that match the income condition will trigger the configured actions based on the first event only. Incoming updates for the same alert won't trigger the automation for the next 30 minutes. This avoids multiple executions of the same automation for the same alert within a short period of time.

At the end of this tutorial, you will be able to reproduce this entire workflow on your environment.

Understanding Threat Status (Detected vs Allowed)

A single threat can generate multiple events that are sent to Workspace ONE Intelligence. However, the original alert is tagged as "Detected" and subsequent events that occur within 30 minutes for the same alert are tagged as Threat Status "Allowed".

By default, automation based on Carbon Black threats is triggered only for the "Detected" threats. Incoming updates for the same threat do not trigger the automation for the next 30 minutes. This avoids multiple executions of the same automation for the same alert within a short period of time. Also, when using custom widgets, consider adding the condition Threat Status <equal> "Detected".

Configuring VMware Carbon Black Cloud Prerequisites

Introduction

In this chapter, you will learn how to create the API Key required to integrate Workspace ONE Intelligence and Carbon Black.

Logging in to the VMware Carbon Black Cloud Console

To perform most of the steps in this exercise, you must first log in to the VMware Carbon Black Cloud Console.

1. Launch Chrome Browser

Launch Chrome Browser (confer app, security risk, suspicious activity, suspicious package

On your desktop, double-click the Google Chrome icon.

3. Authenticate to the VMware Carbon Black Cloud Console

confer app, security risk, suspicious activity, suspicious package
  1. Enter your email address; for example, admin@company.com.
  2. Enter your password.
  3. Click Sign In.

Creating Custom Access Level and API Key

The VMware Carbon Black Open API platform enables you to integrate with a variety of security products, including SIEMs (security information and event management), ticket tracking systems, and your own custom scripts.

To integrate with Workspace ONE Intelligence, only a single set of API Keys with Custom Level access is required. When enabled, this allows Workspace ONE Intelligence to start pulling events from Carbon Black.

 

1. Create Custom Access Level

1.1. Configure Custom Access Level

  1. Name the Access Level as Event forward access level.
  2. Add a description.
  3. Search for the Event Forwarding category, and select the permissions Create, Read, Update, and Delete.
  4. Click Save.

1.2. Confirm that Custom Access Level was created

Confirm that the new custom access level is listed as part of the Access Levels list.

2. Add API Key with Custom Access Level

confer app, security risk, suspicious activity, suspicious package
  1. Click API Keys.
  2. Click + Add API Key.

2.1. Configure API Key

API Keys (confer app, security risk, suspicious activity, suspicious package
  1. For API Key Name, enter Intelligence integration.
  2. For Access Level, select Custom.
  3. Select the Custom Access Level previously created; for example, Event forward access level.
  4. Click Save.

2.2. Save API Key information

API Keys (confer app, security risk, suspicious activity, suspicious package

A dialog box appears with the API ID and API Secret Key generated.

  1. Save the API ID and API Secret Key in a file and name it  Carbon Black API Key. The keys will be used later in Workspace ONE Intelligence.
  2. Click X to close the dialog box.

The SIEM API Key is listed as part of the API KEYS List.

2.3. Confirm the API Key has been created

confer app, security risk, suspicious activity, suspicious package

Confirm that the API Key is listed on the API Keys tab.

Integrating Workspace ONE Intelligence and VMware Carbon Black Cloud

Introduction

Workspace ONE Intelligence receives alert type events from VMware Carbon Black based on threats detected on the endpoint. This allows the administrator to get insights through dashboards on threats reported, and also allows the administrator to leverage Intelligence automation to take action against the device and expand the threat remediation.

In this activity, you configure the VMware Carbon Black Cloud integration with Workspace ONE Intelligence, enabling access to Carbon Black's threat data into Workspace ONE Intelligence.

Configuring VMware Carbon Black Cloud Integration in Workspace ONE Intelligence

Launch the Workspace ONE Intelligence console to perform the integration with VMware Carbon Black Cloud. This integration is available as part of the Trust Network integration in Workspace ONE Intelligence.

1. Launch Workspace ONE Intelligence Console

Devices > Dashboard (confer app, security risk, suspicious activity, suspicious package

From the Workspace ONE UEM Console:

  1. Click the Square menu icon.
  2. Select Workspace ONE Intelligence.

2. Set Up Carbon Black Integration

Workspace ONE Intelligence (confer app, security risk, suspicious activity, suspicious package
  1. Under Settings, click Integrations.
  2. Click Trust Network.
  3. Click Set Up on the Carbon Black card.

3. Configure the Carbon Black Integration

Workspace ONE Intelligence (confer app, security risk, suspicious activity, suspicious package
  1. Enter the Base URL, which is the API URL for your respective VMware Carbon Black environment.

    To obtain the correct API URL, see PSC: What URLs are used to access the APIs? in the VMware Carbon Black Community.

    IMPORTANT: You must configured the Carbon Black Base URL based on the supported mapping with Workspace ONE Intelligence as described here.

  2. For the API ID, enter the API Key with API Access Level Key. This is the key that has API Access Level.
  3. For the API Key, enter the API Secret Key related to the API Key with API Access Level.
  4. Enter the Org Key.
  5. Click Authorize.

Note: Workspace ONE Intelligence uses only the SIEM Keys; the API Keys requested now are reserved for future use.

4. Confirm that the Integration is Successful

Workspace ONE Intelligence (confer app, security risk, suspicious activity, suspicious package

An Authorized Status displays on the Carbon Black card. This confirms that Workspace ONE Intelligence can communicate with the respective VMware Carbon Black Cloud environment.

From this point, Workspace ONE Intelligence will query Carbon Black Notifications using REST API to obtain threat alerts generated on the devices.

Note: If multiple communication attempts from Workspace ONE Intelligence to Carbon Black fail, the connection is automatically deauthorized by Workspace ONE Intelligence, and the administrator must access the console to reauthorize.

5. Confirm Data Forward is Successfully Configured

  1. A data forward configuration (Alert Type) will be created in Carbon Black Cloud as a result of the configuration in Workspace ONE Intelligence. This establishes a trust between Carbon Black and Workspace ONE Intelligence, allowing Carbon Black Cloud to push the data alerts into Workspace ONE Intelligence S3 buckets. If you turn off the data forward, alerts will stop being sent to Workspace ONE Intelligence.

Note: When these forwarders are created, ONLY alert forwarder will be enabled by default, and endpoint forwarder will be disabled. This status must be maintained. DO NOT ENABLE “endpoint event data forwarder shouldn’t be enabled” at this point.

Deploying Carbon Black Cloud Sensor on Endpoint

Introduction

This section describes how to deploy Carbon Black Cloud Sensor on a Windows 10 or macOS device. This is required to protect the endpoints against threats and to take advantage of the analytical capabilities of Carbon Black.

How to Deploy Carbon Black Cloud Sensor on Windows 10 and macOS

Carbon Black Cloud Sensor is a lightweight agent that protects the endpoint against threats and is part of the  VMware Carbon Black Cloud, a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console.

To successfully complete this tutorial, you must deploy Carbon Black Cloud Sensor on a Windows 10 or macOS device. This protects the endpoints against threats, making the related threat events available in the cloud, and leveraging behavioral analytics to identify and stop emerging threats before they can affect your business. Based in the cloud, Carbon Black analyzes more than 1 trillion security events per day and proactively determines attackers’ behavior patterns.

To protect your Windows 10 and macOS endpoints, see the Deploying Carbon Black Cloud Sensor Tutorial for step-by-step guidance on how to deploy Carbon Black Cloud Sensor.

Simulating Threat Events and Validating the Integration

Introduction

You can easily validate the integration between VMware Carbon Black Cloud and Workspace ONE Intelligence by simulating suspicious activities on the endpoint. The activities are identified and remediated by the Carbon Black Cloud Sensor, which reports back to VMware Carbon Black Cloud and makes them available as alerts in batches every 30 seconds.

In this section, you learn how to generate suspicious activities on the endpoint to generate alerts in VMware Carbon Black Cloud, and to get them as insights into Workspace ONE Intelligence.

Simulating Suspicious Activities on the Endpoint

In this section, you learn how to generate suspicious activities on the endpoint to create alerts, and identify corresponding alerts in VMware Carbon Black and Workspace ONE Intelligence.

Open Browser on Windows 10 Device

Windows 10 E 1803 Jan-2019 - Intelligence Bootcam

On the Windows 10 device where the Carbon Black Cloud Sensor is installed, open an Internet browser and access the following URL https://www.eicar.org/?page_id=3950. Download the Anti Malware Test File eicar.com located on that page.

The download might be blocked by Carbon Black Sensor. If the download is not blocked, access the downloaded file. An alert will be generated by VMware Carbon Black Cloud and later syncs with Workspace ONE Intelligence.

Identifying Alerts in the VMware Carbon Black Cloud Console

The generated threats are first available in Carbon Black Cloud and can be viewed through the Carbon Black Console.

Alerts indicate known threats and suspicious behavior across endpoints.

Alerts
Alerts

In the VMware Carbon Black Cloud console, click Alerts. You should see multiple alerts generated by the activity on the endpoint classified as Severity 6, the first and last seen time for each event, and so on.

Identifying Alerts in the Workspace ONE Intelligence Console

As a result of the Workspace ONE Intelligence integration with Carbon Black, the threat data is synchronized and available as insights using the dashboard on Workspace ONE Intelligence.

Identify alerts from Carbon Black in Workspace ONE Intelligence
Workspace ONE Intelligence
  1. For a list of all available alerts in the Workspace ONE Intelligence Console, go to the Threat Summary dashboard under Dashboards / Security Risk, and click View
  2. You can order the result by clicking the Event Time column. 
  3. You should see at least two events. Compare the Event Time occurrence for both alerts. In Workspace ONE Intelligence, check the Event Time column, and in the VMware Carbon Black Console, check the First Seen column.

Note: An alert event will be generated by Carbon Black as threats are identified. However, as Carbon Black Cloud Sensor identifies new events for the same thread, threats update alerts might be generated and sent to Intelligence, resulting in multiple threats records. If you have automation set up based on threats, that will be triggered only for the initial detected threat.

The original alert will be tagged with a Threat Status of Detected and updates with Threat Status of Updated. If you have custom widgets in Workspace ONE Intelligence, consider adding the filter Threat Status <Equals> Detected.

Carbon Black Dashboards in Workspace ONE Intelligence

Introduction

In this section, you review how to create custom dashboards for Carbon Black threats in Workspace ONE Intelligence.

Reviewing Custom Dashboards for Threats

In addition to the out-of-the-box dashboard, you can also take advantage of the custom dashboard and create customized visualizations and personalized widgets.

Workspace ONE Intelligence includes a set of template widgets for VMware Carbon Black threats to help you to easily create a dashboard.

Extending Threat Remediation and Device Quarantine with Automation

Introduction

In this section, you will learn how to use automated workflows to quarantine devices. This enables you to take actions to protect against incoming threats that VMware Carbon Black reports.

Using Carbon Black Custom Connector to Quarantine Device through Automated Workflow

The integration of VMware Carbon Black Cloud and Workspace ONE Intelligence enables automation based on threats. You can take actions against the device or third-party tools, based on the incoming threats reported by VMware Carbon Black Cloud.

Workspace ONE Intelligence

For example, you can quarantine devices through VMware Carbon Black when high threats are detected on Windows devices. The quarantine action is based on Automation Custom Connector, which allows you to extend the automation capabilities against other systems and tools through REST API.

In addition to quarantine, you can also take the following actions:

  • Tag the device as At Risk in Workspace ONE UEM, making the UEM administrator aware of devices vulnerable
  • Notify the end-user via e-mail
  • Notify the security team via Slack about the attack and share all the relevant information
  • Create an incident ticket in ServiceNow for tracking and auditing purposes

Set Up VMware Carbon Black Custom Connector

To set up the VMware Carbon Black Custom Connector in Workspace ONE Intelligence to enable quarantine device action, download the VMware Carbon Black Cloud Sample Collection from GitHub and follow the instructions.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps on how to configure the integration between Workspace ONE Intelligence and VMware Carbon Black to obtain threat insights and extend threat remediation with the Workspace ONE Intelligence Automation engine.

Procedures included:

  • Configuring prerequisites
  • Integrating Workspace ONE Intelligence and VMware Carbon Black
  • Preparing Carbon Black sensors on endpoints
  • Simulating threat events to validate integration
  • Exploring dashboards
  • Extending threat remediation via automation

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. This activity path includes curated assets in the form of articles, videos, and labs from beginning to advanced, to help you level up your Workspace ONE knowledge.

You can also check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and a variety of integrations.

Change Log

The following updates were made to this guide:

Date Change
2022/01/05
  • Updated integration steps based on new Carbon Black Data Forward integration
  • Updated content and screenshots throughout
2021/11/17
  • Moved Carbon Black Cloud Sensor deployment steps to a separated tutorial
2021/01/28
  • Updated Carbon Black Cloud Console and Workspace ONE Intelligence screenshots
2020/03/02
  • First release

About the Author

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Associated Content

From the action bar MORE button.

Filter Tags

Workspace ONE Carbon Black Cloud Workspace ONE UEM Document Operational Tutorial Intermediate Manage