VMware Carbon Black Threat Remediation with Workspace ONE Intelligence

This lab is for understanding the integration between Workspace ONE Intelligence and VMware Carbon Black Cloud. You will be required to do a little pre-work to set up the requirements for the integration. Once those are set up, you will be able to bring a virtual machine into Workspace ONE, push out the VMware Carbon Black Sensor installer and connect it to the correct org, and demo Carbon Black policy enforcement with a blacklist policy. We will look at how a threat, with its various severities, can be detected by policies we create inside VMware Carbon Black.

Next we will see how Workspace ONE Intelligence ingests this information and takes action to remediate an issue on that device.

There are four parts to this Lab

1. Setup VMware Carbon Black tenant

2. Workspace ONE UEM & VMware Carbon Black Sensor Integration

3. Workspace ONE Intelligence API integration & Automation

4. VMware Carbon Black Incident & Workspace ONE Intelligence Automation

NOTE: Screenshot precedes Instructions in this lab

Part 1: Setup a VMware Carbon Black Tenant

  1. Open the inbox of the e-mail address you used to sign up for this course and check for an e-mail from noreply@VMware Carbon Black.com.
    • Click the Activate Now link in the e-mail.

NOTE: If you have not received this email, please notify the instructor.

  1. You will be redirected to Create Password page.
    • Set and confirm the new password to: VMware1!
    • Select Accept at the bottom of the page.
    • Click Back to Sign in  
  1. You can now sign in using your e-mail address and the password VMware1!
    • Click Sign In
    • Click I accept on the End User Agreement page.
  1. You have now successfully logged into the VMware Carbon Black Cloud portal.
  1. Switch to the ControlCenter2 Machine in your lab environment

Use the credentials created above to authenticate as administrator.

  1. Download Sensor Kit
    • On the VMware Carbon Black Console Navigate to ENDPOINTS on the left navigation pane
    • On the top right-hand corner,  select the drop down next to Sensor Options. 
    • Select Download sensor kits

 NOTE: If you do not see the options on the left pane, reduce the page zoom by navigating to the menu options on the top right and clicking the minus sign.

  1. Now select Download Kit next to Windows 64-bit from the Download Sensor Kits page. (Be sure to download the latest)
  1. Click Save File to confirm the download. (This should save the sensor to the download folder.)

 

If you do not see Save File as shown above, come back to the VMware Carbon Black Cloud admin console, right-click Download Kit next to Windows 64-bit, click Save Link As... and then click Save.

This concludes Part 1, please proceed to Part 2

Part 2: Workspace ONE UEM & VMware Carbon Black Sensor Integration

In this lab we will create a software distribution package to install VMware Carbon Black Sensor silently (unattended) using Workspace ONE UEM.

The lab parts are as follows:

2.1: Create VMware Carbon Black Sensor installation package through Workspace ONE UEM

2.2: Change Windows 10 Name and IP Address

2.3: Observe Device behaviour in VMware Carbon Black console

2.1: Create VMware Carbon Black Sensor installation package through Workspace ONE UEM

  1. On the ControlCenter2
    • Open a new tab in Google Chrome
    • Navigate to your Workspace ONE UEM admin console with the following URL  ( https://cn-livefire.awmdm.com )
      • Enter your custom Username, select Next
      • In the Password area, enter your custom password select Log in
      • If prompted close the Workspace ONE UEM Console Highlights window
  1. In the Workspace ONE UEM Console
    • Navigate to Apps & Books > Application > Native
    • Select  ADD under the Internal tab
    • Select Application File
  1. In the Add Application window
    • Next to Organization Group ID, leave this default
    • Next to Application File, select UPLOAD
      1. Select Choose File and a new window will open.
      2. Navigate to the Download Folder in the left navigation bar, where you will find the msi you downloaded in the previous lab.
      3. Click on the installer.....msi file and click Open.
      4. Click SAVE on the final Add page. This will upload the application.
  1. In the Add Application window
    • Click CONTINUE to verify the application file and that it is not a dependency
    • On the Details tab change the Supported Processor Architecture  to 64-bit
    • Click on the Deployment Options tab of the next page and paste the install parameter from below into the Install Command Field 

(Replace the install command that is already in that field. Ensure the version of the Sensor is correct.)

msiexec /q /i "installer_vista_win7_win8-64-3.6.0.1979.msi" /L*vx Log.txt COMPANY_CODE=S17NA79RWX!K8OJLXA3

NOTE: If you are typing in the COMPANY_CODE, the number 8 is followed by the letter 'O' and not zero. (Common mistake)

  • Next to Device Restart select "User-engaged restart"
  • Select SAVE & ASSIGN

NOTE: The Company Code determines the VMware Carbon Black Cloud environment and can be retrieved from the VMware Carbon Black admin console. In an environment where you have Super admin rights, you can verify the company code by navigating to ENDPOINTS > SENSOR OPTIONS > COMPANY CODES in the VMware Carbon Black portal. However, in this lab environment you have read-only access, so this option is not available.

  1. On the Carbon Black Cloud Sensor 64-bit- Assignment page, next to:
    • Name: Type Carbon Black Sensor for Windows
    • Assignment Groups, select All Devices(YOURORG)
    • Deployment Begins, select a Time about 10 minutes ahead of your time. (note the time zones)
    • App Delivery Method, select Auto radio button
    • Select CREATE at the bottom of the page
  1. On the Carbon Black Cloud Sensor 64-bit- Assignment
    • Select SAVE
    • Select PUBLISH

The CB sensor package will be published to any Windows devices enrolled into this UEM organization group.
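
A pre-flight check for the install command from this section, covering the MSI name, the quiet switch and the O-versus-zero slip in COMPANY_CODE. This is an added example, not part of the original lab or of any VMware tooling; the function names are hypothetical, and the MSI name and company code are the ones printed in this lab.

```python
import re

# Characters that are easily swapped when a code is retyped by hand.
LOOKALIKE = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1"})

# Install command exactly as given in this lab.
LAB_COMMAND = ('msiexec /q /i "installer_vista_win7_win8-64-3.6.0.1979.msi" '
               '/L*vx Log.txt COMPANY_CODE=S17NA79RWX!K8OJLXA3')


def split_args(command):
    """Split on whitespace, keeping double-quoted arguments whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', command)]


def check_install_command(command, uploaded_msi, expected_code):
    """Return a list of problems in a sensor install command (empty list = OK)."""
    args = split_args(command)
    if not args or args[0].lower() not in ("msiexec", "msiexec.exe"):
        return ["command does not start with msiexec"]
    lowered = [a.lower() for a in args]
    problems = []

    # An unattended install needs one of msiexec's quiet switches.
    if not any(a in ("/q", "/qn", "/quiet") for a in lowered):
        problems.append("no quiet switch, install would not be unattended")

    # /i must name the MSI that was uploaded as the Application File.
    if "/i" not in lowered or lowered.index("/i") + 1 >= len(args):
        problems.append("missing /i <msi>")
    else:
        msi = args[lowered.index("/i") + 1]
        if msi.lower() != uploaded_msi.lower():
            problems.append(f"MSI {msi} does not match uploaded file {uploaded_msi}")

    # COMPANY_CODE must match exactly; look-alike slips are reported separately.
    codes = [a.split("=", 1)[1] for a in args if a.upper().startswith("COMPANY_CODE=")]
    if not codes:
        problems.append("COMPANY_CODE is missing")
    elif codes[0] != expected_code:
        if codes[0].translate(LOOKALIKE) == expected_code.translate(LOOKALIKE):
            where = [i + 1 for i, (a, b) in enumerate(zip(codes[0], expected_code)) if a != b]
            problems.append(f"COMPANY_CODE look-alike character at position {where}")
        else:
            problems.append("COMPANY_CODE does not match")
    return problems


if __name__ == "__main__":
    msi = "installer_vista_win7_win8-64-3.6.0.1979.msi"
    code = "S17NA79RWX!K8OJLXA3"
    # The lab command as printed, then the same command with zero typed for O.
    print(check_install_command(LAB_COMMAND, msi, code))
    print(check_install_command(LAB_COMMAND.replace("8OJ", "80J"), msi, code))
```
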

2.2: Change Windows 10 Name and IP Address

In order to uniquely identify your VM in the VMware Carbon Black Console we will need to assign the VM a new hostname and new IP address. At this point you will need the number assigned to you by the instructor.

If the assigned name is AttendeeXXX (example: Attendee102)

The new hostname of the virtual machine will be attendeeXXX.euc-livefire.com

(example: attendee102.euc-livefire.com)

The new IP address of the virtual Machine will be 192.168.110.XXX - example: 192.168.110.102

 

  1. On the ControlCenter2 desktop
    • Open the Remote Desktops folder
    • Double click the shortcut for W10Client02.RDP
    • Type the password: VMware1! when prompted and select OK

 

NOTE: If you see an error because another user is logged in, use the left navigation panel to access the W10Client02 Virtual Machine.

  1. On the W10Client02 VM right click the Windows Icon and click System
  1. In the About Page in Settings click Rename this PC
  1. Change the Computer name to the unique identifier given by the Instructor - for example Attendee102
    • Click Next,

ATTENTION: At this point do not Restart your VM.

  1. Click on the Network icon in the task tray in the bottom right.
    1. Click Network & Internet settings in the pop up window
  1. On the Settings Page click Change Connection properties.
  1. Scroll down to find IP Settings. Click Edit to change the IPv4 Address.
  1. On the Edit IP settings,
    • Edit the IP address to 192.168.110.XXX. For example, if your assignment is Attendee101, the IP should end in 101.
    • Click Save and you will be disconnected from the Remote Session
  1. Navigate back to the Remote Desktops folder on the desktop of the ControlCenter2 VM
    • Right-Click on the W10Client02.RDP and click Edit

 

  1. Change the Computer name in the RDP Connection to your unique ip Address 192.168.110.xxx (Example 192.168.110.102)
    • Click Connect on the page

NOTE: As we got disconnected, we now need to reboot to also change the hostname of the VM.

  1. Once connected again, right click Start > Shut down or sign out >  click Restart which will change the hostname to AttendeeXXX.euc-livefire.com
  1. Click Back into the Remote Desktop Folder on the Desktop and edit the W10Client02.RDP.
    • Change it to the new hostname you have assigned the vm. (Example: attendee102.euc-livefire.com)
    • Click Save and then Connect. Check if RDP to the AttendeeXXX.euc-livefire.com VM from the ControlCenter2 is working

2.3: Observe device behaviour in VMware Carbon Black

Workspace ONE UEM will push the VMware Carbon Black MSI package and install the Sensor with the correct company Code. 

Note: This may take up to 5 minutes. Take a break! 

1. On the ControlCenter2 machine,

  • Sign in to cn-livefire.awmdm.com if you aren't already signed into the UEM console, navigate to Devices > List View, select your device and browse to the Apps tab.
  • Make sure the VMware Carbon Black Cloud Sensor 64-bit has a green Check box next to it.

If you see the status as failed or Not Installed, re-trace your steps and double check the MSI install command in the previous chapter.

  1. On the ControlCenter2 open the VMware Carbon Black Cloud console.
    1. Open a browser and navigate to https://defense-prod05.conferdeploy.net/
    2. Sign in with your e-mail address and password set in the previous exercise.
  1. In the VMware Carbon Black Cloud console
    • Navigate to Endpoints in the left hand navigation
      • Identify your Device with the computer name that you set. (i.e. AttendeeXXX)
    • Click on the Check Box next to your device
  1. In the Endpoints window
    • Select Take Action drop down and click Change policy
  1. In the Change Policy window
    • In the dropdown, select Zero Trust LiveFire
    • Select Change. (NOTE: Ensure you have the selection set to 'Update the 1 selected devices'.)

This will change the Endpoint policy to the Zero Trust Livefire Policy. Let's look at what exactly this policy is enforcing on our endpoints.

  1. In Carbon Black Admin console, in the left navigation panel,
    • Navigate to Enforce > Policies
  1. Under NAME for the list of available policies,
    • Select the Zero Trust Livefire Policy.
  1. Click on the Prevention tab.

You will see Permissions, Blocking and Isolation, and Uploads rules, which configure how sensors control our endpoints.

  1. Under the Prevention tab
    • Expand Permissions,
    • Notice, an application path C:\Program Files\dfndr.exe is set to bypass for any operation.

This can be an example of an internal application which needs to be excluded from any sensor actions.

  1. Next, observe the Blocking and Isolation Rules,
  • Notice it lists all the processes, their operation attempts and the actions this policy will take to prevent an attack.
  • In our policy example, we have added NOTEPAD++.exe & Powershell.exe as blacklisted applications,
    • Any executed processes will TERMINATE and any existing attempt to run will be BLOCKED

In our lab environment, you have read-only access and hence cannot make any changes to the policy. In the real world, you can choose to perform a deny operation or a terminate operation depending on the use case.

You have successfully completed this section. Please proceed to the next section.

Part 3. Workspace ONE Intelligence API integration & Automation

In this lab you will create the integration between VMware Carbon Black Cloud and Workspace ONE Intelligence.

3.1: Create API & SIEM Notifications

3.2: Create VMware Carbon Black & Workspace ONE UEM Connectors

3.3: Create Dashboard and Widget

3.4: Create Automation

3.1: Create API & Notifications

  1. Adding an API Key.
    1. On the left hand navigation pane, navigate to Settings and API Keys (API Access)
    2. Scroll to the right of the Admin Console and select Add API Key
  1. Enter the below information,
    1. Name the API key your unique attendee Identifier. EXAMPLE: Attendee101
    2. Select SIEM in the Access Level type
    3. Select Save at the bottom of the window.
  1. You will now be shown the API Credentials.
    1. Copy both the API ID and the API Secret Key to Notepad.
    2. Close out of the API Credentials windows by clicking X

NOTE: We will use these values later for integration with Workspace ONE Intelligence

  1. In the left hand navigation panel,
    1. Navigate to Settings > Notifications
    2. In the right corner, select + Add Notification
  1. Enter the below information,
    1. Give the Notification policy your unique identifier as a name, for example: Attendee101
    2. Then put a check in the Threat and Observed tick boxes and observe that the alert severity is 1
    3. At the bottom under API Keys find the SIEM Api key you just created. It should be your unique identifier. (example: Attendee101)
    4. Click Add to create the notification end point

3.2: Configuring VMware Carbon Black & Workspace ONE UEM Connectors

In order to send alerts received in the VMware Carbon Black portal to Workspace ONE Intelligence, we will configure a VMware Carbon Black Connector in Workspace ONE Intelligence. This requires both the VMware Carbon Black console API Key and the SIEM API Key. The Security Information and Event Management (SIEM) API allows you to capture security events generated on the VMware Carbon Black platform in your Workspace ONE Intelligence console.

  1. Open the Workspace ONE UEM console,
    1. Open the Chrome browser on the ControlCenter2 VM and navigate to https://cn-livefire.awmdm.com. (if not already open)
    2. Sign in using your admin credentials (E-mail used to attend the course)
    3. In the top right corner click on the 9 squares forming a square and click Workspace ONE Intelligence
  1. On the landing page for  Workspace ONE Intelligence click Integrations
  1. On the Carbon Black connector, select SET UP
  1. Expand the Provide Credentials dropdown. Fill in the following information
    • Base URL: https://api-prod05.conferdeploy.net
    • API Key: ULRWHUK27YECTWV5497WVGS6
    • SIEM Key: paste the SIEM Key from Notepad. (This is from the same API credentials you created in the VMware Carbon Black console.)
    • API Connector ID: EMDZ52ZLL3
    • SIEM Connector ID: paste the SIEM Connector ID from Notepad. (This is from the same API credentials you created in the VMware Carbon Black console.)
    • Click AUTHORIZE to authorize the VMware Carbon Black Connector

3.3: Create Dashboard & Widget

We will now create a Dashboard and a Widget for VMware Carbon Black

  1. To add a new dashboard:
    • In the Workspace ONE Intelligence Console click on Dashboards
    • Select Get Started
    • In the My Dashboards section select +ADD
  1. In the Add Dashboard window
    • Name the dashboard Carbon Black
    • In the bottom right of the page, select SAVE
  1. In the My Dashboards > Carbon Black area
    • Select +WIDGET
  1. In the Add Widget screen, go to the right of Custom Widget and click START
  1. In the Add Widget window
    • Select the dropdown next to CATEGORY
    • Select Carbon Black > Carbon Black Threats
  1. In the Add Widget screen,
    • Set a name for the Widget, by replacing Blank with Low & Medium Severity
  1. In the Add Widget screen,
    1. Under Data Visualization > Chart Type, Select TABLE.
    2. Fill in the following fields. Next to:
      • Measure: Count of Carbon Black Device ID. (Choose from drop down)
      • Group by (Optional): select from the dropdown Carbon Black Device Email,
        • Next to Carbon Black Device Email, select ADD SUBGROUP
        • Select from the dropdown Carbon Black Device External IP Address
        • Next to Carbon Black Device External IP Address, select ADD SUBGROUP
        • Select from the dropdown Carbon Black Incident ID

Note: These are mere suggestions, any given attribute coming from VMware Carbon Black could be selected to be displayed

  1. In your Custom Widget
    • Under Filter,
    • In the Search area, under Empty Rule,  select Threat > Threat Severity
    • In the second drop down select Equals
    • In the third drop down type Medium and hit ENTER on your Keyboard
    • Select SAVE at the bottom of the page. 

 

  1. In INTELLIGENCE DASHBOARDS
    • Select SAVE

NOTE: If you are not seeing Medium in the dropdown, it means Workspace ONE Intelligence has not yet received any Medium alerts from the VMware Carbon Black portal. You can simply type in medium and hit enter.

Part 4: Create Automation

We now will create an automation from the widget we have just created.

 

  1. In the Carbon Black Dashboard,
    • In the Low & Medium Severity widget
      • Select the more options icon (three horizontal dots).
      • Select Automate

NOTE: if you don't see the three dots, you may not have saved the dashboard at the top of the page

  1. In the Add Workflow window
    • In the Name your workflow area, give the Workflow a title: Tag Malware Device & Notify Admin

 

  1. In the Add Workflow window
    • Scroll down to Action (Then) and select the
  1. In the Add Workflow window
    • Under Available Connectors, select Workspace ONE UEM
    • Scroll down to the right and select Add Tag to Device
  1. Switch to your Workspace ONE UEM Console
    • Select Devices > List View
    • Under General info, select your Enrolled device
    • Note the Device ID in your Browser Address,
      • In the Screenshot, it appears as 451,
    • Ensure you make a NOTE, of YOUR Device ID
    • Switch back to your Workspace ONE Intelligence Console
  1. In the Action (Then) area
    • Next to Device ID, type YOUR DEVICE ID
    • Under Path Variables
      • Select the Search for existing values radio button
        • Next to Organization Name, select YOUR Organization
      • Next to Tag name,  from the dropdown select Quarantine
    • Select the TEST button
      • In the Workspace ONE UEM - Add Tag to Device - Test, select TEST
        • View the result
        • Select CANCEL
    • At the bottom of the Action (Then) area select

Note the Tag Name Quarantine is a custom TAG created in Workspace ONE UEM

To view the location,

  • Go to Groups & Settings > Groups > All Settings > Device & Users > Advanced > Tags
  • Note the Quarantine Tag has already been defined
  1. Under Available Connectors,
    • Select the Workspace ONE UEM connector,
    • Select the Send Email Connector
      • In the Send Email, add the following next to
        • Address: your e-mail address
        • Subject: Malware detected
        • Message : (USE THE LOOKUP OPTION TO POPULATE THE BELOW INFORMATION OR MANUALLY TYPE IT IN)

DEVICE ID - ${deviceinfo_uemid}

DEVICE NAME - ${deviceinfo_devicename}

Threat - ${_threat_family}

Threat Severity - ${_threat_severity}

Threat Time - ${eventtime}

Platform - ${_device_platform}

  • Under Path Variables
    • Next to Device ID, type YOUR Device ID
    • Select the TEST button to your email Workflow
  1. At the bottom right corner of the Workflow
    • Next to Enable workflow, move the Toggle to the right, so it shows Green
    • Select SAVE
  1. On the pop-up windows click SAVE & ENABLE

Your automation should now be live. Let's trigger an event on your device to see this take effect.
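
A dry-run model of the workflow configured above (severity filter, Add Tag to Device, Send Email), useful for seeing which events fire it and what the admin e-mail will contain. This is an added example, not Workspace ONE Intelligence code; the dict layout, function names and sample event are assumptions, the typed-in Device ID is treated as a fixed value, and only the lookup variable names, the tag name, the subject and the Device ID 451 from the screenshot come from this lab.

```python
from string import Template

# Workflow from this lab, as data. The dict layout is an assumption of this
# example; the values are the ones the lab steps enter.
WORKFLOW = {
    "filter": ("_threat_severity", "Medium"),   # Threat Severity Equals Medium
    "tag": {"device_id": "451", "tag_name": "Quarantine"},  # 451: ID in the lab screenshot
    "subject": "Malware detected",
    "message": Template(
        "DEVICE ID - ${deviceinfo_uemid}\n"
        "DEVICE NAME - ${deviceinfo_devicename}\n"
        "Threat - ${_threat_family}\n"
        "Threat Severity - ${_threat_severity}\n"
        "Threat Time - ${eventtime}\n"
        "Platform - ${_device_platform}"
    ),
}

# Constructed sample event; every value here is invented for the example.
SAMPLE_EVENT = {
    "deviceinfo_uemid": "451",
    "deviceinfo_devicename": "Attendee102",
    "_threat_family": "ExampleFamily",
    "_threat_severity": "Medium",
    "eventtime": "2020-01-01T10:00:00Z",
    "_device_platform": "WINDOWS",
}


def lookup_names(template):
    """Names of the ${...} lookup variables used in a message template."""
    return [m.group("braced") for m in template.pattern.finditer(template.template)
            if m.group("braced")]


def dry_run(event, workflow=WORKFLOW):
    """Return what the modelled workflow would do for one threat event."""
    field, wanted = workflow["filter"]
    if event.get(field) != wanted:      # exact match is an assumption of the model
        return {"matched": False, "actions": [], "warnings": []}
    tag, warnings = workflow["tag"], []
    # The tag action carries a typed-in Device ID, so it targets that device
    # whichever device raised the event.
    source = str(event.get("deviceinfo_uemid"))
    if source != tag["device_id"]:
        warnings.append(f"event is from device {source} but tag goes to {tag['device_id']}")
    # Report lookup variables the event does not carry.
    missing = [n for n in lookup_names(workflow["message"]) if n not in event]
    if missing:
        warnings.append("no value for: " + ", ".join(missing))
    body = workflow["message"].safe_substitute(event)
    actions = [("add_tag", tag["device_id"], tag["tag_name"]),
               ("send_email", workflow["subject"], body)]
    return {"matched": True, "actions": actions, "warnings": warnings}


if __name__ == "__main__":
    print(dry_run(SAMPLE_EVENT))
    print(dry_run(dict(SAMPLE_EVENT, deviceinfo_uemid="452"))["warnings"])
```
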

Part 5. VMware Carbon Black Incident & Workspace ONE Intelligence Automation

You are now ready to demo threat remediation using Workspace ONE Intelligence and VMware Carbon Black. This section has two parts:

5.1: Incident

5.2: Notification

5.1: Incident

We will now create an incident. As we don't have the means to infect this vm with malware we will use Notepad++ as an example of a malicious application.

  1. On the ControlCenter2 open the Remote Desktop folder and connect to your W10client02 virtual machine with your new hostname.
  1. On the W10Client02 virtual machine
    • Right-click the Start button,
    • Select Windows PowerShell.
      • Notice the PowerShell message
    • Select the Carbon Black Sensor in the right-hand corner 
      • Notice the configured Threats that have been blocked.
    • Select OK to close

 

  1. On your Windows Desktop
    • Select Start > Run
    • Enter the following UNC Path \\cs1-pd1\software\Applications\Lab3.2_Only(App Volumes)\notepad
    • Copy the Notepad++ msi to your Desktop
    • Attempt to execute this MSI.
      • Notice the installation of Notepad++ is blocked
      • Note that this is not a standard Notepad++ msi package but a ThinApp package that offers application isolation and even with this, the sensor is able to block the installation and execution on the device.
    • Attempt to rename the MSI and re-execute it to see what happens

 

5.2: Alert & Automation

  1. Log into the Carbon Black Cloud Admin console
    1. Navigate to Alerts from the left menu bar.
    2. Under FILTERS menu, expand DEVICE and select your endpoint i.e. AttendeeXXX. 
      • In the right-hand pane, observe  STATUS of  Alert as a Deny Policy Action and the Alert Severity. 

NOTE: Ensure GROUP ALERTS is set to OFF. If not, ensure to set it to OFF to view your specific endpoint alert. 

  • Move the Toggle in the right-hand corner from On to Off
  1. Switch to the Workspace ONE Intelligence console.
    • Login to cn-livefire.awmdm.com with your admin credentials.
    • Navigate to Monitoring > Intelligence.
    • Select LAUNCH  
  1. In the Workspace ONE Intelligence Console,
    1. Select Automations
    2. Select VIEW on your Carbon Black automation
    3. Next to Overview, select the Activity tab
      • You should see the events, the tag being assigned and the e-mail being sent to the admin.
  1. Switch to the Workspace ONE UEM console,
    1. Navigate to Devices > List View
    2. You will notice the enrolled device has the QUARANTINE tag assigned to it
  1. Now navigate to your e-mail and notice you have an e-mail from AirWatch that has the information for the device that has been compromised.

This ends the lab for VMware Carbon Black Integration with Workspace ONE Intelligence.
