Integrating Workspace ONE Intelligence and VMware Carbon Black: Workspace ONE Operational Tutorial
VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. VMware Workspace ONE® Intelligence™ is designed to simplify user experience without compromising security. The intelligence service aggregates and correlates data from multiple sources to give you complete visibility into your entire environment. This includes automated workflow processes leveraging the Automation engine to take actions against the devices managed by Workspace ONE UEM and integrated actions with third-party tools.
The VMware Carbon Black Cloud™ is a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console.
In today’s environment, merely blocking known malware is obsolete. Cybercriminals continually learn how to obscure their actions amid the ever-growing activity within your organization. Polymorphic ransomware and file-less attacks are growing in prevalence, so legacy approaches to prevention leave you vulnerable.
In this tutorial, you will learn how to configure the integration between Workspace ONE Intelligence and VMware Carbon Black to obtain threat insights and extend threat remediation with Custom Connector and the Workspace ONE Intelligence Automation engine.
Watch the Workspace ONE Intelligence and VMware Carbon Black: Automating Device Quarantine -Technical Overview video to view the steps you will go through in this tutorial.
This operational tutorial is intended for IT security professionals and Workspace ONE administrators of existing production environments. Familiarity with Workspace ONE Intelligence, Workspace ONE UEM, VMware Carbon Black Cloud, and knowledge of endpoint security and networking is assumed. Knowledge of additional tools and technologies such as Postman and REST API and are also helpful.
Before you perform the procedures in this guide, verify that you have access to the following components:
- Workspace ONE UEM with permission to manage devices and applications, and Workspace ONE Intelligence enabled
- Workspace ONE Intelligence with admin account credentials and the Administrator role assigned
- VMware Carbon Black Cloud management console and admin account credentials with permission to configure API Keys
- A Windows 10 device to test the integration
How the Integration Works
When Workspace ONE Intelligence is integrated with VMware Carbon Black Cloud, you can set up automatic actions to mitigate threats to your managed devices. This chapter describes how this integration works in the example of a device quarantine.
Workflow Integration Applied to a Device Quarantine Use Case
Workspace ONE Intelligence provides an automation engine that enables IT administrators to take actions on managed devices based on multiple sources of data. When integrated with VMware Carbon Black Cloud, Workspace ONE Intelligence receives alerts and enables automated workflows based on incoming threats, to allow you to take automated actions on the device.
For example, malware can be identified by the Carbon Black Sensor on the device as a high threat severity, which generates alerts in Carbon Black Cloud. The integration enables Workspace ONE Intelligence to receive those alerts and take action on the device based on automated workflows, such as to quarantine the device blocking network communication with other devices in the organization.
Carbon Black Cloud uses the Data Forward API to obtain the alerts and make them available in Workspace ONE Intelligence. A set of Carbon Black API Keys is required to enable the integration in Workspace ONE Intelligence. The Data Forward API enables access to different types of events. For this integration, however, only alerts (event type = CB_ANALYTICS) are pulled out by Workspace ONE Intelligence.
The Data Forward API accumulates data in batches before making it available in Workspace ONE Intelligence. Alerts are batched every 30 seconds.
A single threat can generate multiple alerts which are sent to Workspace ONE Intelligence. Automation based on Carbon Black threats that match the income condition will trigger the configured actions based on the first event only. Incoming updates for the same alert won't trigger the automation for the next 30 minutes. This avoids multiple executions of the same automation for the same alert within a short period of time.
At the end of this tutorial, you will be able to reproduce this entire workflow on your environment.
Understanding Threat Status (Detected vs Allowed)
A single threat can generate multiple events that are sent to Workspace ONE Intelligence. However, the original alert is tagged as "Detected" and subsequent events that occur within 30 minutes for the same alert are tagged as Threat Status "Allowed".
By default, automation based on Carbon Black threats is triggered only for the "Detected" threats. Incoming updates for the same threat do not trigger the automation for the next 30 minutes. This avoids multiple executions of the same automation for the same alert within a short period of time. Also, when using custom widgets, consider adding the condition Threat Status <equal> "Detected".
Configuring VMware Carbon Black Cloud Prerequisites
In this chapter, you will learn how to create the API Key required to integrate Workspace ONE Intelligence and Carbon Black.
Logging in to the VMware Carbon Black Cloud Console
To perform most of the steps in this exercise, you must first log in to the VMware Carbon Black Cloud Console.
1. Launch Chrome Browser
On your desktop, double-click the Google Chrome icon.
3. Authenticate to the VMware Carbon Black Cloud Console
- Enter your email address; for example,
- Enter your password.
- Click Sign In.
Creating Custom Access Level and API Key
The VMware Carbon Black Open API platform enables you to integrate with a variety of security products, including SIEMs (security information and event management), ticket tracking systems, and your own custom scripts.
To integrate with Workspace ONE Intelligence, only a single set of API Keys with Custom Level access is required. When enabled, this allows Workspace ONE Intelligence to start pulling events from Carbon Black.
1. Create Custom Access Level
1.1. Configure Custom Access Level
- Name the Access Level as
Event forward access level.
- Add a description.
- Search for the Event Forwarding category, and select the permissions Create, Read, Update, and Delete.
- Click Save.
2. Add API Key with Custom Access Level
- Click API Keys.
- Click + Add API Key.
2.1. Configure API Key
- For API Key Name, enter
- For Access Level, select Custom.
- Select the Custom Access Level previously created; for example,
Event forward access level.
- Click Save.
2.2. Save API Key information
A dialog box appears with the API ID and API Secret Key generated.
- Save the API ID and API Secret Key in a file and name it
Carbon Black API Key. The keys will be used later in Workspace ONE Intelligence.
- Click X to close the dialog box.
The SIEM API Key is listed as part of the API KEYS List.
Integrating Workspace ONE Intelligence and VMware Carbon Black Cloud
Workspace ONE Intelligence receives alert type events from VMware Carbon Black based on threats detected on the endpoint. This allows the administrator to get insights through dashboards on threats reported, and also allows the administrator to leverage Intelligence automation to take action against the device and expand the threat remediation.
In this activity, you configure the VMware Carbon Black Cloud integration with Workspace ONE Intelligence, enabling access to Carbon Black's threat data into Workspace ONE Intelligence.
Configuring VMware Carbon Black Cloud Integration in Workspace ONE Intelligence
Launch the Workspace ONE Intelligence console to perform the integration with VMware Carbon Black Cloud. This integration is available as part of the Trust Network integration in Workspace ONE Intelligence.
1. Launch Workspace ONE Intelligence Console
From the Workspace ONE UEM Console:
- Click the Square menu icon.
- Select Workspace ONE Intelligence.
2. Set Up Carbon Black Integration
- Under Settings, click Integrations.
- Click Trust Network.
- Click Set Up on the Carbon Black card.
3. Configure the Carbon Black Integration
- Enter the Base URL, which is the API URL for your respective VMware Carbon Black environment.
To obtain the correct API URL, see PSC: What URLs are used to access the APIs? in the VMware Carbon Black Community.
IMPORTANT: You must configured the Carbon Black Base URL based on the supported mapping with Workspace ONE Intelligence as described here.
- For the API ID, enter the API Key with API Access Level Key. This is the key that has API Access Level.
- For the API Key, enter the API Secret Key related to the API Key with API Access Level.
- Enter the Org Key.
- Click Authorize.
Note: Workspace ONE Intelligence uses only the SIEM Keys; the API Keys requested now are reserved for future use.
4. Confirm that the Integration is Successful
Authorized Status displays on the Carbon Black card. This confirms that Workspace ONE Intelligence can communicate with the respective VMware Carbon Black Cloud environment.
From this point, Workspace ONE Intelligence will query Carbon Black Notifications using REST API to obtain threat alerts generated on the devices.
Note: If multiple communication attempts from Workspace ONE Intelligence to Carbon Black fail, the connection is automatically deauthorized by Workspace ONE Intelligence, and the administrator must access the console to reauthorize.
5. Confirm Data Forward is Successfully Configured
- A data forward configuration (Alert Type) will be created in Carbon Black Cloud as a result of the configuration in Workspace ONE Intelligence. This establishes a trust between Carbon Black and Workspace ONE Intelligence, allowing Carbon Black Cloud to push the data alerts into Workspace ONE Intelligence S3 buckets. If you turn off the data forward, alerts will stop being sent to Workspace ONE Intelligence.
Note: When these forwarders are created, ONLY alert forwarder will be enabled by default, and endpoint forwarder will be disabled. This status must be maintained. DO NOT ENABLE “endpoint event data forwarder shouldn’t be enabled” at this point.
Deploying Carbon Black Cloud Sensor on Endpoint
This section describes how to deploy Carbon Black Cloud Sensor on a Windows 10 or macOS device. This is required to protect the endpoints against threats and to take advantage of the analytical capabilities of Carbon Black.
How to Deploy Carbon Black Cloud Sensor on Windows 10 and macOS
Carbon Black Cloud Sensor is a lightweight agent that protects the endpoint against threats and is part of the VMware Carbon Black Cloud, a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console.
To successfully complete this tutorial, you must deploy Carbon Black Cloud Sensor on a Windows 10 or macOS device. This protects the endpoints against threats, making the related threat events available in the cloud, and leveraging behavioral analytics to identify and stop emerging threats before they can affect your business. Based in the cloud, Carbon Black analyzes more than 1 trillion security events per day and proactively determines attackers’ behavior patterns.
To protect your Windows 10 and macOS endpoints, see the Deploying Carbon Black Cloud Sensor Tutorial for step-by-step guidance on how to deploy Carbon Black Cloud Sensor.
Simulating Threat Events and Validating the Integration
You can easily validate the integration between VMware Carbon Black Cloud and Workspace ONE Intelligence by simulating suspicious activities on the endpoint. The activities are identified and remediated by the Carbon Black Cloud Sensor, which reports back to VMware Carbon Black Cloud and makes them available as alerts in batches every 30 seconds.
In this section, you learn how to generate suspicious activities on the endpoint to generate alerts in VMware Carbon Black Cloud, and to get them as insights into Workspace ONE Intelligence.
Simulating Suspicious Activities on the Endpoint
In this section, you learn how to generate suspicious activities on the endpoint to create alerts, and identify corresponding alerts in VMware Carbon Black and Workspace ONE Intelligence.
Open Browser on Windows 10 Device
On the Windows 10 device where the Carbon Black Cloud Sensor is installed, open an Internet browser and access the following URL https://www.eicar.org/?page_id=3950. Download the Anti Malware Test File
eicar.com located on that page.
The download might be blocked by Carbon Black Sensor. If the download is not blocked, access the downloaded file. An alert will be generated by VMware Carbon Black Cloud and later syncs with Workspace ONE Intelligence.
Identifying Alerts in the VMware Carbon Black Cloud Console
The generated threats are first available in Carbon Black Cloud and can be viewed through the Carbon Black Console.
Alerts indicate known threats and suspicious behavior across endpoints.
In the VMware Carbon Black Cloud console, click Alerts. You should see multiple alerts generated by the activity on the endpoint classified as Severity 6, the first and last seen time for each event, and so on.
Identifying Alerts in the Workspace ONE Intelligence Console
As a result of the Workspace ONE Intelligence integration with Carbon Black, the threat data is synchronized and available as insights using the dashboard on Workspace ONE Intelligence.
- For a list of all available alerts in the Workspace ONE Intelligence Console, go to the Threat Summary dashboard under Dashboards / Security Risk, and click View.
- You can order the result by clicking the Event Time column.
- You should see at least two events. Compare the Event Time occurrence for both alerts. In Workspace ONE Intelligence, check the Event Time column, and in the VMware Carbon Black Console, check the First Seen column.
Note: An alert event will be generated by Carbon Black as threats are identified. However, as Carbon Black Cloud Sensor identifies new events for the same thread, threats update alerts might be generated and sent to Intelligence, resulting in multiple threats records. If you have automation set up based on threats, that will be triggered only for the initial detected threat.
The original alert will be tagged with a Threat Status of Detected and updates with Threat Status of Updated. If you have custom widgets in Workspace ONE Intelligence, consider adding the filter Threat Status <Equals> Detected.
Carbon Black Dashboards in Workspace ONE Intelligence
In this section, you review how to create custom dashboards for Carbon Black threats in Workspace ONE Intelligence.
Reviewing Custom Dashboards for Threats
In addition to the out-of-the-box dashboard, you can also take advantage of the custom dashboard and create customized visualizations and personalized widgets.
Workspace ONE Intelligence includes a set of template widgets for VMware Carbon Black threats to help you to easily create a dashboard.
Create Custom Dashboards for Threats
To learn how to create Custom Dashboards, see Using Dashboards to Visualize Data in the Getting Started with Workspace ONE Intelligence Reports and Dashboards: VMware Workspace ONE Operational Tutorial.
Extending Threat Remediation and Device Quarantine with Automation
In this section, you will learn how to use automated workflows to quarantine devices. This enables you to take actions to protect against incoming threats that VMware Carbon Black reports.
Using Carbon Black Custom Connector to Quarantine Device through Automated Workflow
The integration of VMware Carbon Black Cloud and Workspace ONE Intelligence enables automation based on threats. You can take actions against the device or third-party tools, based on the incoming threats reported by VMware Carbon Black Cloud.
For example, you can quarantine devices through VMware Carbon Black when high threats are detected on Windows devices. The quarantine action is based on Automation Custom Connector, which allows you to extend the automation capabilities against other systems and tools through REST API.
In addition to quarantine, you can also take the following actions:
- Tag the device as At Risk in Workspace ONE UEM, making the UEM administrator aware of devices vulnerable
- Notify the end-user via e-mail
- Notify the security team via Slack about the attack and share all the relevant information
- Create an incident ticket in ServiceNow for tracking and auditing purposes
Set Up VMware Carbon Black Custom Connector
To set up the VMware Carbon Black Custom Connector in Workspace ONE Intelligence to enable quarantine device action, download the VMware Carbon Black Cloud Sample Collection from GitHub and follow the instructions.
Summary and Additional Resources
This operational tutorial provided steps on how to configure the integration between Workspace ONE Intelligence and VMware Carbon Black to obtain threat insights and extend threat remediation with the Workspace ONE Intelligence Automation engine.
- Configuring prerequisites
- Integrating Workspace ONE Intelligence and VMware Carbon Black
- Preparing Carbon Black sensors on endpoints
- Simulating threat events to validate integration
- Exploring dashboards
- Extending threat remediation via automation
For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. This activity path includes curated assets in the form of articles, videos, and labs from beginning to advanced, to help you level up your Workspace ONE knowledge.
You can also check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and a variety of integrations.
In addition, you can get more information from the following assets:
- VMware Workspace ONE® Intelligence™
- VMware Carbon Black Cloud™
- Video: Workspace ONE Intelligence and VMware Carbon Black: Automating Device Quarantine -Technical Overview
- PSC: What URLs are used to access the APIs?
- Carbon Black Notifications using REST API
- Deploying Carbon Black Cloud Sensor Tutorial
- Getting Started with Workspace ONE Intelligence Reports and Dashboards: VMware Workspace ONE Operational Tutorial
- VMware Carbon Black Cloud Sample Collection
The following updates were made to this guide:
About the Author
This tutorial was written by:
- Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.
The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User Computing Technical Marketing at email@example.com.