1. On the ControlCenter server
   • Open a new tab in Google Chrome
   • Navigate to your Workspace ONE UEM admin console with the following URL  ( https://cn-livefire.awmdm.com )
     • Enter your custom Username, select Next
     • In the Password area, enter your custom password select Log in
     • If prompted close the Workspace ONE UEM Console Highlights window

2. In the Workspace ONE UEM Console
   • Navigate to GROUPS & SETTINGS
   • Select Groups
   • Select Assignment Groups

3. In the Assignment Groups window
   • Select + ADD SMARTGROUP

4. In the Create New Smart Group window
   • Next to Name enter:  W10Client01a
   • Next to Choose Type, select DEVICES OR USERS
     • When prompted with a warning message, select OK
   • Under Devices:  
     • Select the Device which you have re-named and enrolled in the introduction section
   • Select ADD

5. In the Create New Smart Group window
   • Select SAVE in the bottom right corner.

6. In the Workspace ONE UEM Console
   • Navigate to Apps & Books > Application > Native
   • Select  ADD under the Internal tab
   • Select Application File

7. In the Add Application window
   • Next to Organization Group ID, leave this default
   • Next to Application File, select UPLOAD
     1. Select Choose File and a new window will open,
     2. Navigate to the Download Folder in the left navigation bar and select the msi you downloaded earlier.
     3. Select the installer.....msi and select Open.
     4. Select SAVE on the final Add page this will upload the application.

8. In the Add Application window
   • Select CONTINUE to verify the application file and that it is not a dependency
   • In the Add Application - Carbon Black Cloud Sensor 64-bit window
     • On the Details tab
       • Scroll down to Supported Processor Architecture 
         • Change it from 32 bit to 64-bit
       • Select the Deployment Options tab
         • Scroll down to the Install Command field
         • Paste the install parameter from below into the Install Command Field 
           • Replace the existing install command in that field already. Ensure the version of Sensor is correct
           • If you typing in the COMPANY_CODE, the number 8 is followed by 'O' and not Zero. (Common Mistake)
   • msiexec /q /i "installer_vista_win7_win8-64-3.7.0.1503.msi" /L*vx Log.txt COMPANY_CODE=S17NA79RWX!K8OJLXA3
     • Scroll further down Deployment options tab
       • Next to Device Restart select "User-engaged restart"
     • Select SAVE & ASSIGN

9. On the Carbon Black Cloud Sensor 64-bit- Assignment page,
   • Under Distribution enter next to :
     • Name: Type Carbon Black Sensor for Windows
     • Assignment Groups, select the SMART Group you created earlier, starts with W10Client0a1
     • Deployment Begins, Go back one day (in terms of todays date)
     • App Delivery Method, select Auto radio button
     • Select CREATE at the bottom of the page

10. On the Carbon Black Cloud Sensor 64-bit- Assignment
    • Select PUBLISH

1. On the ControlCenter server,
   • If you aren't already signed into your Workspace ONE UEM console
     • Login to the  cn-livefire.awmdm.com tenant
   • Navigate to Devices > List View
   • Select your device
   • Select the Apps Tab
   • Make sure the VMware Carbon Black Cloud Sensor 64-bit has a green Check box next to it.

2. On the ControlCenter desktop
   • Open a browser and navigate to https://defense-prod05.conferdeploy.net/
   • Sign in with your e-mail address and password assigned to you.

3. In the VMware Carbon Black Cloud console
   • In the left hand navigation, expand Inventory
     • Select Endpoints
     • Identify your Device with the computer name that you set. (i.e. AttendeeXXX)
   • Click on the Check Box next to your device

4. In the Endpoints window
   • Select Take Action drop down and click Change policy

5. In the Change Policy window
   • In the dropdown, select Zero Trust LiveFire
   • Select Change. (NOTE: Ensure you have the selection set to 'Update the 1 selected devices'.

This will change the Endpoint policy to Zero Trust Livefire Policy. Lets look at what exactly this policy is enforcing on our endpoints.

6. In Carbon Black Admin console, in the left navigation panel,
   • Navigate to Enforce > Policies

7. Under NAME for the list of available policies,
   • Select the Zero Trust Livefire Policy.

8. Click on the Prevention tab.

9. Under the Prevention tab
   • Expand Permissions,
   • Notice, the Application(s) at path: C:\Program Files\dfndr.exe is set to Bypass for any operation.

10. Next, observe the Blocking and Isolation Rules,

• Notice it lists all the processes, their operation attempt and the actions this policy will take to prevent an attack.
• In our policy example, we have added NOTEPAD.exe & Powershell.exe as blacklisted applications,
  • Any executed processes will TERMINATE and any existing attempt to run will be BLOCKED

You have successfully completed this section. Please proceed to the next section.

1. Adding an API Key.
   • On the left hand navigation pane. Expand Settings and select API  Access
   • In the top right corner of the Admin Console, select + Add API Key

2. Enter the below information,
   1. Name the API key your unique attendee Identifier. EXAMPLE: Attendee101
   2. Select Custom in the Access Level type
   3. Select Zero Trust for Custom Access Level
   4. Select Save at the bottom of the window.

NOTE: For the integration with Intelligence the API Access Level must include the "Data Forwarder" settings

3. You will now be shown the API Credentials.
   1. Copy both the API ID and the API Secret Key to Notepad.
   2. Close out of the API Credentials windows by clicking X

1. On the ControlCenter
   • Switch to your Workspace ONE UEM console,
     • If necessary navigate to https://cn-livefire.awmdm.com.
     • Sign in using your admin credentials (E-mail used to attend the course)
   • In the top right corner, select the MY SERVICES icon (9 squares)
     • Select Workspace ONE Intelligence

2. In the  Workspace ONE Intelligence Admin console
   • Select the Integrations tab

3. Under Integrations section
   • Scroll down to find the Carbon Black tile,
   • Select SET UP

4. In the Authorize Connector: Carbon Black console
   • Expand the Authorization Details dropdown. Enter the following information, next to:-
     • Base URL: https://defense-prod05.conferdeploy.net
     • API ID: {Paste the API ID from your notepad above}
     • API Secret Key: {Paste the API secret Key from the notepad above}
     • Org Key: 7W2F4KVN
   • Select AUTHORIZE

NOTE: The Org Key identifies the Carbon Black Tenant and is unique to each Carbon Black Cloud instance.

1. In the Workspace ONE Intelligence Console
   • In menu bar, select the Dashboards tab
   • In the Dashboards area
     • Select Get Started
   • In the My Dashboards section
     • Select +ADD

2. In the Add Dashboard window
   • Name the dashboard Carbon Black
   • In the bottom right of the page, select SAVE

3. In my My Dashboards > Carbon Black area
   • Select ADD WIDGET

4. In the MY Dashboards > Carbon Black
   • From the dropdown, select Custom Widget

5. In the Add Widget window
   • Select the dropdown next to CATEGORY
   • Select Carbon Black > Carbon Black Threats

6. In the Add Widget screen,
   • Replacing the "Name your widget" with Medium & High Severity

7. In the Add Widget screen,
   1. Under Data Visualization > Chart Type, Select TABLE.
   2. Fill in the following fields: Next TO
      • Measure: Count of Carbon Black Device ID. (Choose from drop down)
      • Group by (Optional): select from the dropdown Carbon Black Device Email,
        • Next to Carbon Black Device Email, select ADD SUBGROUP
        • Select from the dropdown Carbon Black Device External IP Address
        • Next to Carbon Black Device External IP Address, select ADD SUBGROUP
        • Select from the dropdown Carbon Black Incident ID , select ADD SUBGROUP
        • Select from the dropdown add Carbon Black Severity Score, select ADD SUBGROUP
        • Select from the dropdown select Platform.
        • Next to Date Range, ensure that the Last 28 days is configured

8. In your Custom Widget
   • Under Filter,
   • In the Search area, under Empty Rule,  select Threat > Threat Severity
   • In the second drop down select INCLUDES
   • In the third drop down type Medium and hit ENTER on your Keyboard
   • In the same field, type High and hit Enter on your Keyboard.
   • Select SAVE at the top of the page. 

9. In INTELLIGENCE DASHBOARDS
   • Select SAVE

We will now create an incident. As we don't have the means to infect this vm with malware we will use Notepad++ as an example of a malicious application.

1. On the ControlCenter
   • Open the Remote Desktop folder
   • Connect to your W10client01 RDP virtual machine with your new hostname.

2. On the W10Client02 virtual machine
   • Right-click the Start button,
   • Select Windows PowerShell.
     • Notice the PowerShell message
   • Select the Carbon Black Sensor in the right-hand corner 
     • Notice the configured Threats that have been blocked.
   • Select OK to close

3. On your Windows Desktop
   • Select Start > Run
   • Enter the following UNC Path \\horizon.euc-livefire.com\software\Applications\Lab3.2_Only(App Volumes)\notepad
   • Copy the Notepad++ msi to your Desktop
   • Attempt to execute this MSI.
     • Notice the installation of Notepad++ is blocked
     • Note that this is not a standard Notepad++ msi package but a ThinApp package that offers application isolation and even with this, the sensor is able to block the installation and execution on the device.
   • Attempt to rename the MSI and re-execute see what happens

1. Log into the Carbon Black Cloud Admin console. 
   1. Navigate to Alerts from the left menu bar.
   2. Under FILTERS menu, expand DEVICE and select your endpoint i.e. AttendeeXXX. 
      • In the right-hand pane, observe  STATUS of  Alert as a Deny Policy Action and the Alert Severity. 

2. Switch to the Workspace ONE Intelligence console.
   • Login to cn-livefire.awmdm.com with your admin credentials.
   • Navigate to Monitoring > Intelligence.
   • Select LAUNCH  

3. In the Workspace ONE Workspace ONE IntelligenceConsole,
   1. Select Automations
   2. Select VIEW on your Carbon Black automation
   3. Next to Overview, select the Activity tab
      • You should see the events, the tag being assigned and the e-mail being sent to the admin.

4. Switch to the Workspace ONE UEM console,
   1. Navigate to Devices > List View
   2. You will notice the enrolled device has the QUARANTINE tag assigned to it

5. Now navigate to your e-mail and notice you have an e-mail from AirWatch that has the information for the device that has been compromised.