VMware Carbon Black EDR (Carbon Black CB Response)
  • 12 Feb 2024
  • 3 Minutes to read
  • Dark
    Light
  • PDF

VMware Carbon Black EDR (Carbon Black CB Response)

  • Dark
    Light
  • PDF

Article Summary

VMware Carbon Black EDR (formerly Carbon Black CB Response) is a threat hunting and incident response solution that delivers continuous visibility in offline, air-gapped, and disconnected environments using threat intel and customizable detections.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices

Parameters

  1. VMware Carbon Black EDR Domain (required) - hostname / IP of the VMware Carbon Black EDR admin local server or the cloud service.

  2. Username and Password (optional, default: empty) - The username and password for an account that has read access to the API.

    • If supplied, Axonius will use the specified user name and password credentials to fetch data from VMware Carbon Black EDR.
    • If no supplied, Axonius will use the specific API Key to fetch data from VMware Carbon Black EDR.
  3. API Token (optional, default: empty) - API Token to be authenticated against the VMware Carbon Black EDR API. For details, see the section below.

    • If supplied, Axonius will use the specific API Key to fetch data from VMware Carbon Black EDR.
    • If not supplied, Axonius will use the specified username and password credentials to fetch data from VMware Carbon Black EDR.
    NOTE

    It is recommended to create and to use an API token as the authentication method, as the user name and password credentials are not supported for all VMware Carbon Black EDR versions.

    You must specify an API Token or Username and Password, but not both. If all of those fields are populated, Axonius will try to authenticate with the supplied Username and Password.

  4. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

  5. HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.

  6. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.

image.png

Advanced Settings

Note:

From version 4.6 Advanced settings can either apply for all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection, refer to ​Advanced Configuration for Adapters

  1. Fetch uninstalled devices (required, default: True) - Choose whether to fetch uninstalled devices.
    • If enabled, all connections for this adapter will fetch uninstalled devices.
    • If disabled, all connections for this adapter will not fetch uninstalled devices.
  2. Fetch inactive devices in the last X days (optional, default: empty) – Select whether to fetch inactive devices.
    • If supplied, all connections for this adapter will fetch inactive devices that have communicated with the VMware Carbon Black EDR server in that last specified number of days.
    • If not supplied, all connections for this adapter will not fetch inactive devices.
  3. Fetch only the most recent device per computer SID (required, default: False) – Select whether to fetch only the recent device per each SID.
    • If enabled, all connections for this adapter will fetch only the recent device per each SID.
    • If disabled, all connections for this adapter will fetch all devices, even if there is more than one device for a specific SID.
Note

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Creating an API Key

To create an API Key, do as follows:

  1. As an admin, connect to the VMware Carbon Black EDR admin panel.
    Click on the user management logo to open the user management tab. Then, click "Teams" and "Create Team":

image.png

  1. Type a name for the new team and drag the relevant group to "Viewer Access". Click "Save Changes":

image.png

  1. Go to "Users" and click "Add User". Fill in the details and assign the user to the team we just created. Optional: If you want to be able to isolate and un-isolate devices from the Axonius control panel, assign the new user to the "Administrators" group:

image.png

  1. Log out of the admin panel and login as the new user. Then, go to "My Profile". Click on API Token to see your API token

image.png


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.