VMware Carbon Black EDR Integration Guide
Active Directory
Active Directory Authentication
Map AD Permissions
Carbon Black App Control
Built-in Compatibility Features
Features when Servers are Integrated
Activating Integration
Create a Carbon Black EDR User for Integration
Configure and Activate the Integration
Viewing Integration Settings in Carbon Black EDR
Regenerate the Authorization ID for Server Communications
Carbon Black App Control Console
View Sensor Information
View File and Process Information
View Event Information
Links to the Carbon Black EDR Console
Correlation of Exported Data
Anti-Malware Scanning Interface
Using AMSI with Carbon Black EDR
Event Forwarder Settings
Enable AMSI Events for a Sensor Group
Microsoft Enhanced Mitigation Experience Toolkit
EMET Events
Process Search and Analysis for EMET Events
EMET Configuration Searches
EMET Events and Threat Reports
Enabling and Disabling the EMET Protection Feed
EMET Status on an Endpoint
Disable Sensor EMET Event Reporting
SSO Identity Providers
Supported SAML 2.0 Specifications
Supported SSO Identity Providers
SAML 2.0 Single Sign-On Setup
Attribute Mapping
Example Attribute Mapping Script
Integrate OKTA IdP
Integrate Shibboleth IdP
Integrate ADFS IdP
Troubleshoot SSO Integration
Third-Party Authentication
Set up Duo Administrator Unix Application Account
Configure Duo Plugin
Map Carbon Black EDR Users to Duo Users
secrets.ini Settings File
Enable Two-Factor Authentication
Syslog
Syslog Format
Watchlist Hit on Process
Watchlist Hit on Binary
Feed Hit on Process Ingress
Feed Hit on Process Storage
Feed Hit on Binary Ingress
Feed Hit on Binary Storage
Feed Hit on Host Ingress
Feed Hit on Process Query
Feed Hit on Binary Query
Syslog Integration
Set up Remote Devices
Set up Server Data Transmission
Send all Data to a Remote Device
Send Watchlist Data to a Remote Device
Enable Communication Persistence (Spooling)
Carbon Black EDR Syslog Architecture
Syslog Templates
Build Custom-formatted Syslog Notifications
Overriding System Default Templates
Available Keys by Event Type
binaryinfo.observed
binaryinfo.group.observed
binaryinfo.host.observed
feed.ingress.hit.binary
feed.storage.hit.binary
feed.ingress.hit.process
feed.query.hit.process
feed.storage.hit.process
watchlist.hit.process
watchlist.hit.binary
Syslog Common Event Format
VDI Support
Configuring the Server for VDI Support
Enable VDI Support
Deploying a VDI Support Plug-in
Configure VDI Settings in the Console
Specifying the Scope of VDI Support
Global VDI Support
Setting up Global VDI Support on Windows
Setting up Global VDI Support on macOS
Setting up Global VDI Support on Linux
Set up Sensor Group VDI Support
Document History