VMware Carbon Black EDR Integration Guide
Preface
Before You Begin
What This Document Covers
Other Documentation
Contacting Technical Support
Reporting Problems
App Control
Overview
Built-in Compatibility Features
Features when Servers are Integrated
Activating Integration
Creating a Carbon Black EDR User for Integration
Configuring and Activating the Integration
Viewing Integration Settings in Carbon Black EDR
Regenerating the Authorization ID for Server Communication
App Control Console
Sensor Information
File and Process Information
Event Information
Links to the Carbon Black EDR Console
Correlation of Exported Data
Anti-Malware Scanning Interface
Overview of AMSI
AMSI Data
Using AMSI with Carbon Black EDR (beta)
Event Forwarder Settings
Sensor Group Settings
EMET
Overview
EMET Events
Process Search and Analysis for EMET Events
EMET Configuration Searches
EMET Events and Threat Reports
Enabling and Disabling the EMET Protection Feed
EMET Status on an Endpoint
Disabling Sensor EMET Event Reporting
SSO Identity Providers
Overview
Supported SAML 2.0 Specifications
Supported SSO Identity Providers
SAML 2.0 Single Sign-On Setup
Attribute Mapping
Example Attribute Mapping Script
Integrate OKTA IdP
Shibboleth IdP
ADFS IdP
Troubleshoot SSO Integration
Third-Party Authentication
Overview
Set Up Duo Administrator Unix Application Account
Configure Duo Plugin
Map Carbon Black EDR Users to Duo Users
secrets.ini Settings File
Enable Two-Factor Authentication
Syslog
Overview of Logging
Notification Logs
Audit Logs
Syslog Format
Watchlist Hit on Process
Watchlist Hit on Binary
Feed Hit on Process Ingress
Feed Hit on Process Storage
Feed Hit on Binary Ingress
Feed Hit on Binary Storage
Feed Hit on Host Ingress
Feed Hit on Process Query
Feed Hit on Binary Query
Syslog Integration
Setting Up Remote Devices
Setting Up Server Data Transmission
Sending All Data to a Remote Device
Sending Watchlist Data to a Remote Device
Enabling Communication Persistence (Spooling)
Carbon Black EDR Syslog Architecture
Watchlist Log Location
Syslog Templates
Overriding System Default Templates
Available Keys by Event Type
binaryinfo.observed
binaryinfo.group.observed
binaryinfo.host.observed
feed.ingress.hit.binary
feed.storage.hit.binary
feed.ingress.hit.process
feed.query.hit.process
feed.storage.hit.process
watchlist.hit.process
watchlist.hit.binary
Syslog Common Event Format
Applying the Default CEF Templates
Extension Dictionary
VDI Support
Overview
Configuring the Server for VDI Support
Enabling VDI Support
Deploying a VDI Support Plug-in
Specifying the Scope of VDI Support
Global VDI Support
Setting up Global VDI Support on Windows
Setting up Global VDI Support on macOS
Setting up Global VDI Support on Linux
Sensor Group VDI Support