Oomnitza's VMware Carbon Black Extended integration allows organizations to retrieve device information from Carbon Black Cloud Platform and populate it in Oomnitza as well as manage the devices via multiple presets.
More information on the Carbon Black Cloud Platform can be found here: https://www.carbonblack.com/products-index/#
- Load List of Endpoints
- Load List of Users
- Invite User/Asset
- Quarantine endpoint
- Remove endpoint from quarantine
- Bypass endpoint
- Start background scan on endpoint
- Update policy on endpoint
- Update sensor on endpoint
- Uninstall sensor on endpoint
- Delete Endpoint
- Delete User
Details on setting up Oomnitza Extended Connectors can be found in Oomnitza's Articles on Connector Setup.
Note: In addition to the standard fields entered during setup, you'll also need your Carbon Black Cloud Environment, Org Key and Org Id.
First, determine which environment (product URL) you use. You can find it by looking at the web address of your Carbon Black Cloud console. Enter it into the global settings table as CarbonBlack.Hostname. Currently, the possible values are:
- EAP01 - https://defense-eap01.conferdeploy.net
- Prod 01 - https://dashboard.confer.net/
- Prod 02 - https://defense.conferdeploy.net/
- Prod 05 - https://defense-prod05.conferdeploy.net/
- Prod 06 - https://defense-eu.conferdeploy.net/
- Prod NRT - https://defense-prodnrt.conferdeploy.net/
- Prod Syd - https://defense-prodsyd.conferdeploy.net/
Second, note your Org Key as well as your Org Id. You can find both in the Carbon Black Cloud console under Settings > API Access. You may enter them into the global settings table under the values CarbonBlack.OrgKey and CarbonBlack.OrgId.
Carbon Black Cloud APIs are authenticated via API keys. Credentials for Carbon Black Cloud should be added to the Oomnitza Vault. VMware Carbon Black requires API Key type authentication using the API Secret Key and API ID. When entering the credential into Oomnitza, use the API Key type, specify X-Auth-Token as the Token Name, and then enter [API Secret Key]/[API ID] as the API Key.
Before you can configure the Carbon Black Cloud Extended Connector, you must ensure that the correct Access Level exists (for the category Device > General Information > “device”, allow permissions for “READ”) and that an API Key has been generated from within the Carbon Black Cloud console.
Information required for a successful Integration setup:
1. Access Level created (“device” allow permissions for “READ”)
2. API Key generated (resulting in API Secret Key and API ID)
3. Environment identified (the Dashboard URL)
4. Org Key (Settings > API Access)
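The pre-flight check below is an added example, not Oomnitza or VMware code: it validates the values described above before they are stored (CarbonBlack.Hostname against the environments listed on this page, the Org Key, and the [API Secret Key]/[API ID] token) and builds, without sending, a one-row device search request. The endpoint path comes from the Carbon Black Cloud Devices API v6 rather than from this page; the alphanumeric Org Key check, the function names and the sample values are assumptions.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request

ENVIRONMENTS = {  # environment hosts exactly as listed on this page
    "defense-eap01.conferdeploy.net": "EAP01",
    "dashboard.confer.net": "Prod 01",
    "defense.conferdeploy.net": "Prod 02",
    "defense-prod05.conferdeploy.net": "Prod 05",
    "defense-eu.conferdeploy.net": "Prod 06",
    "defense-prodnrt.conferdeploy.net": "Prod NRT",
    "defense-prodsyd.conferdeploy.net": "Prod Syd",
}

def check_hostname(value):
    """Validate CarbonBlack.Hostname; return (base_url, environment name)."""
    parts = urlsplit(value.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or host not in ENVIRONMENTS:
        raise ValueError("not a listed https Carbon Black Cloud environment")
    if parts.port or parts.username or parts.path.strip("/") or parts.query:
        raise ValueError("hostname must be the bare console URL")
    return f"https://{host}", ENVIRONMENTS[host]

def build_token(api_secret_key, api_id):
    """Return the vault API Key value: [API Secret Key]/[API ID]."""
    for part in (api_secret_key, api_id):
        if not part or "/" in part or any(c.isspace() for c in part):
            raise ValueError("key parts must be non-empty, no '/' or spaces")
    return f"{api_secret_key}/{api_id}"

def redact(token):
    """Log-safe form: hide the secret key, keep the API ID for correlation."""
    return "****/" + token.partition("/")[2]

def device_search_request(hostname, org_key, token):
    """Build (not send) a one-row device search that exercises device READ."""
    base_url, _ = check_hostname(hostname)
    if not org_key.isalnum():  # assumption: Org Keys are plain alphanumerics
        raise ValueError("unexpected characters in CarbonBlack.OrgKey")
    # Path is from the Carbon Black Cloud Devices API v6, not from this page.
    url = f"{base_url}/appservices/v6/orgs/{org_key}/devices/_search"
    headers = {"X-Auth-Token": token, "Content-Type": "application/json"}
    return Request(url, data=json.dumps({"rows": 1}).encode(), headers=headers, method="POST")

if __name__ == "__main__":  # constructed sample values, not real credentials
    tok = build_token("CONSTRUCTEDSECRETKEY0001", "CONSTRID01")
    req = device_search_request("https://defense-eu.conferdeploy.net/", "ORGKEY01", tok)
    print(req.get_method(), req.full_url, redact(tok))
```

Checking the hostname against the listed environments before building the request keeps the X-Auth-Token from being sent to a mistyped or look-alike host.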
Further Documentation Links:
- To Create the required Access Level
- To create the API Key
- Devices API Access Level
Load list of devices/endpoints from Carbon Black Cloud
Note: You'll be asked to enter your Carbon Black Cloud Environment and Org Key during configuration, see above for details.
The following fields can be mapped from Carbon Black Cloud using Oomnitza's User Interface. For more information on creating Extended Connector Mappings, please see our article on Mapping Extended Connectors.
Note: Mappings are dependent on customer instance and not all fields may be available within your instance.
- Email - email of the user who installed the sensor (see also invite preset below)
- target Value
- MAC address (formatted) - like AA:BB:CC:DD:00:11
Additional fields may be available through Carbon Black Cloud Platform. For details on how to retrieve them, please reach out to firstname.lastname@example.org or see our article on Mapping Extended Connectors.
Load List of Users
Using this preset allows you to trigger the sending of an email from VMware Carbon Black to a given user (essentially the Send installation request function within the Carbon Black Cloud web UI). This email contains a link to download the installer as well as a unique code for the user to enter when running the installation. This is very useful for rolling out Carbon Black to new users within your organization if you don't want to deploy it using an MDM or client management solution. It also lets you connect the user with the asset up front, which makes it easier to track the assigned user once you load these assets via the asset load connector, especially if you are in a domain-less enterprise and allow all end users to be admins on their devices.
The API used in this case is not officially supported by VMware, so please use it with caution and at your own discretion. It also requires Super Admin rights, which might not be suitable for everyone.
This preset leverages the global settings CarbonBlack.Hostname and CarbonBlack.OrgId.
Remove endpoint from quarantine
Start background scan on endpoint
Update policy on endpoint
Update sensor on endpoint
Uninstall sensor on endpoint