Vmware Carbon Black Cloud User Guide

VMware Carbon Black Cloud User Guide
Modified on 17 September 2021
VMware Carbon Black Cloud

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2011-2021 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

Preface 9
  Related Documentation 9
  Copyrights and notices 10
  Contacting VMware Carbon Black Support 13
1 Dashboard 14
  Widget Definitions List 14
  Customizing the Dashboard 16
  Export Data 17
2 Alerts 18
  View Alert Details 18
  Alert Types 19
  Alert and Report Severity 20
  Alert ID, Event ID, and Threat ID 21
  Group Alerts 21
  Dismissing Alerts 22
  Search Basics 23
  Alert Triage 24
  Investigating Alerts 24
  True and False Positives 25
  Take Action on Alerts 26
  Visualizing Alerts 26
  Alert Origin, Behaviors, and TTPs 27
3 Investigate 29
  Investigate - Processes 30
  Process Analysis 31
  Investigate - Enriched Events 33
  Investigating Script-Based Attacks 35
  Add Query to Threat Report 37
4 Live Query 39
  Run a Live Query 39
  View Query Results 40
5 Enforce 42
  Managing Watchlists 42
  Subscribe to a Curated Watchlist 42
  Watchlist Alert Options 43
  Build Custom Watchlists 43
  Tuning Your Watchlists 44
  Tune Your Watchlist at the Report Level 44
  Tune Your Report at the IOC Level 44
  Managing Policies 44
  Predefined Policies 45
  Creating Policies 45
  Set a Ransomware Policy Rule 46
  General Policy Settings 47
  Local Scan Settings 49
  Configuring Automatic Updates for Local Scan (Endpoint Standard) 49
  Configure Automatic Updates for Local Scan (Endpoint Standard) 50
  Create Prevention Policy Rules 51
  Prevention Rules Capabilities for Linux Sensors 55
  Background Scans 55
  Run Background Scan 56
  Monitoring Background Scan Status 57
  MacOS Background Scan File Types 60
  Windows Background Scan File Types 62
  Enable Windows Security Center Integration 65
  Kubernetes Policies 66
  Managing Kubernetes Hardening Policies 66
  Create Kubernetes Hardening Policies 66
  Edit Kubernetes Hardening Policies 71
  Managing Kubernetes Rules 71
  Add Custom Rules 71
  Edit or Delete Custom Rules 73
  Custom Rules for Kubernetes Hardening Policies 74
  Predefined Rules 80
  Managing Kubernetes Templates 83
  Add Kubernetes Templates 83
  Manage Reputations 84
  Adding to the Banned List 84
  Add Hash to Banned List 85
  Configure an Automatic Banned List 85
  Adding to the Approved List 86
  Add Trusted IT Tools to Approved List 87
  Add Certs to Approved List 88
  Expiration of Approved Certs 88
  Add Hash to Approved List 89
  Upload Reputations 90
  Reputation Reference 91
  Malware Removal 92
  Cloud Analysis 93
  Recommendations 94
  Accept Recommendation 95
  Reject Recommendation 95
  Accept Rejected Recommendation 95
6 Harden 97
  Managing Vulnerabilities 97
  Assessing Vulnerabilities for VMs and Endpoints 97
  VM Workloads Vulnerabilities 98
  Endpoints Vulnerabilities 99
  Risk Evaluation 100
  Export Vulnerability Data 101
  Resolve Vulnerabilities 101
  Container Image Vulnerability 102
  Evaluating Risk for Container Images 102
  Kubernetes Search 103
  Kubernetes Health 103
  Risk Severity 104
  Monitor Kubernetes Clusters Health Overview 105
  Review Risks for Kubernetes Scopes 106
  Kubernetes Violations 106
7 Inventory 107
  Endpoints 107
  Search for Sensors 108
  Managing Sensors by using RepCLI 108
  Manage Windows Sensors by using RepCLI 108
  Manage macOS Sensors by using RepCLI 111
  Sensor Status and Details 112
  Manually Assign a Policy to Sensors 113
  View and Update Signature Versions 113
  Use Live Response 114
  Live Response Commands 115
  Initiate Sensor Updates 117
  View Progress of Sensor Updates 117
  Enable and Disable Endpoint Background Scans 119
  USB Devices 120
  USB Devices Approval 120
  Approve USB Devices 121
  Add Approval 121
  Add Devices for Approval 122
  Block USB Devices 122
  Monitor USB Devices Access 122
  Securing VM Workloads 123
  VM Workloads Filters 123
  Monitor VM Workloads 125
  Take Action on a VM Workload 125
  Assign Policy to a Sensor Group 126
  Sensor Groups 127
  Add a Sensor Group 128
  Modify Sensor Group Priority 129
  Image Repositories 130
  Color Indicators for Image Vulnerabilities 132
  Evaluating Risk for Container Images 133
  Kubernetes Workloads 133
  Kubernetes Clusters 133
  CLI Client Configuration 134
  Managing CLI Client Instances 135
  Kubernetes Scopes 137
  Managing Kubernetes Scopes 139
  Add or Edit Scope 139
  Kubernetes Images 140
  Monitoring Vulnerabilities for Kubernetes Images 141
  Identify Available Fixes to Apply 142
  Enable Exceptions on Image 143
  Image Scan Report 144
  Image Details Panel 145
8 Settings 147
  General Settings 147
  Define On-Premise Devices 147
  Set Registry Key for Windows Update 148
  Managing Users 148
  Add or Edit Users 148
  Delete Users 149
  Enabling Two-Factor Authentication 149
  Enable Duo Security 149
  Enable Google Authenticator 150
  Enabling SAML Integration 151
  Enable SAML Integration with Ping Identity 151
  Enable SAML Integration with OneLogin 152
  Enable SAML Integration with Okta 153
  Managing Roles 153
  About User Roles 153
  Predefined User Roles 154
  Legacy User Roles 155
  Permissions Matrix 155
  Roles Permission Descriptions 160
  Add or Edit Custom Roles 163
  Delete Custom Roles 164
  Export Roles 164
  Subscribe to Notifications 164
  Setting up an API Access 165
  Create and Manage an API Key 166
  Delete API Key with Attached Notification Rule 167
  Setting Access Levels 167
  Create Access Level 167
  Apply Access Level to API Key 168
  Download Pre-built API Keys 169
  Data Forwarders 170
  Create an S3 Bucket in the AWS Console 170
  Configure the Bucket Policy to Allow Access 172
  Add a New Data Forwarder 174
  Edit a Data Forwarder 175
  Delete a Data Forwarder 176
  Change the Data Forwarder Status 176
  Test a New Data Forwarder 176
  Using the Inbox 176
  Download Requested Files 177
  Manual Upload File Restrictions 178
  Audit Logs 179
  Modify the Level of Granularity of Log Entries 179
  Expand the Log Scope 179
  Limit the Log Scope to Keywords 180
  Modify the Audit Table Configuration 180
  Export Audit Logs 180
9 Multi-tenancy 182
  Managing Users in a Multi-tenancy Environment 182
  Add Users in a Multi-tenancy Environment 182
  Modify Users in a Multi-tenancy Environment 183
  Delete Users in a Multi-tenancy Environment 184
  Multi-tenancy Role Assignments 184
  Switch Organizations 185
10 TTPs and MITRE Techniques 187
  TTP Reference 188
  MITRE Techniques Reference 203
11 Integrations 214
  Workspace ONE 214
  Set Up Your Appliance 214
  Create a Custom Access Level for Your Appliance 215
  Generate an API Key for Your Appliance 216
  Connect Carbon Black Cloud Workload Appliance with Carbon Black Cloud 217
  Delete Appliance API Key 218
  Splunk 218
Preface

The VMware Carbon Black Cloud User Guide provides configuration and user information for the VMware Carbon Black Cloud™. Instructions are provided for Carbon Black Cloud, including all variations based on specific purchased options. Therefore, you may read instructions for functionality that does not display on your version of the product if you did not purchase the specific option for that feature. Please contact software support or your VMware Carbon Black sales representative.

Intended Audience

This documentation provides information for administrators, incident responders, and others who will operate the Carbon Black Cloud. Staff who manage Carbon Black Cloud activities should be familiar with the Microsoft Windows operating system, web applications, desktop infrastructure (especially in-house procedures for software roll-outs, patch management, and anti-virus software maintenance), and the effects of unwanted software. Carbon Black Cloud administrators should also be familiar with the operating systems of clients managed by the Carbon Black Cloud, as well as the software installed on them.

Related Documentation

In addition to this document, the following documentation may be required to accomplish tasks not covered in this user guide. Some of these documents are updated with every new released build, while others are updated only for minor or major version changes:

  • VMware Carbon Black Cloud Release Notes
  • VMware Carbon Black Cloud User Guide
  • VMware Carbon Black Cloud Sensor Installation Guide
  • VMware Carbon Black Cloud Endpoint Standard Operating Environment Requirements
  • VMware Carbon Black Cloud Sensor Support
    Located on the User Exchange: https://community.carbonblack.com/t5/Documentation-Downloads/Carbon-Black-Cloud-Sensor-Support/ta-p/66274
  • Endpoint Standard Getting Started Guide
    Located on the User Exchange: https://community.carbonblack.com/t5/Documentation-Downloads/Endpoint-Standard-Getting-Started-Guide/ta-p/46785

Copyrights and notices

© Copyright 2011-2021 VMware, Inc. All rights reserved. Carbon Black is a registered trademark and/or trademark of VMware, Inc. in the United States and other countries. All other trademarks and product names may be the trademarks of their respective owners.

This document is for use by authorized licensees of Carbon Black's products. It contains the confidential and proprietary information of Carbon Black, Inc. and may be used by authorized licensees solely in accordance with the license agreement and/or non-disclosure agreement governing its use. This document may not be reproduced, retransmitted, or redistributed, in whole or in part, without the

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 219