VMware Carbon Black EDR: Install, Configure, Manage [V7.x] Training

This three-day, hands-on training course provides you with the knowledge, skills, and tools to achieve competency in installing, configuring, and managing the VMware Carbon Black® EDR™ environment. This course introduces you to product features, capabilities, and workflows for managing endpoint security. Hands-on labs enable learners to reinforce topics by performing operations and tasks within the product in a training environment.
Course Details


3 days


There are no prerequisites for this course.

Target Audience

  • Security analyst, threat hunters, or incident responders
  • Security professionals who work with enterprise and endpoint security tools

Skills Gained

  • Describe the architecture of a Carbon Black EDR implementation
  • Perform the installation, upgrade, and configuration of the Carbon Black EDR server
  • Describe the purpose and use of multiple datastores in the server
  • Perform live queries across endpoints to gather additional data
  • Perform effective searches across the dataset to find security artifacts related to the endpoints
  • Manage Threat Intelligence Feeds and Watchlists
  • Describe connectors in Carbon Black EDR
  • Troubleshoot server and sensor problems
  • Analyze data found in the Heads-Up Display
  • Manage investigations to group and summarize security incidents and artifacts
  • Perform the different response capabilities available to users in Carbon Black EDR
  • Use the Carbon Black EDR API to automate tasks
Course Outline
  • Planning and Architecture
    • Describe the architecture and components of Carbon Black EDR
    • Explain single and cluster server requirements
    • Identify the communication requirements for Carbon Black EDR
  • Server Installation, Upgrade, and Administration
    • Install the Carbon Black EDR server
    • Describe the options during the installation process
    • Install a Carbon Black EDR sensor
    • Confirm data ingestion in the Carbon Black EDR server
    • Identify built-in administration tools
    • Manage sensor groups
    • Manage users and teams
  • Exploring Server Datastores
    • Describe the datastores used in Carbon Black EDR
    • Interact with the available datastores
  • Performing Live Query
    • Describe live query capabilities
    • Perform queries across endpoints
  • Searching and Best Practices
    • Describe the capabilities and data available in the process search
    • Perform process searches to find specific endpoint activity
    • Describe the capabilities and data available in the binary search
    • Perform binary searches to find application data
    • Describe the query syntax and advanced use cases
    • Perform advanced queries across the dataset
  • Threat Intelligence Feeds and Watchlists
    • Define Threat Intelligence Feeds
    • Manage the available Threat Intelligence Feeds
    • Describe the use of Watchlists
    • Manage Watchlists in the environment
  • Connectors in VMware Carbon Black EDR
    • Configure connectors in Carbon Black EDR
    • Troubleshoot connectors
  • Troubleshooting VMware Carbon Black EDR
    • Identify the available troubleshooting scripts in the Carbon Black EDR server
    • Run troubleshooting scripts to identify problems
    • Generate a sensor log bundle
    • Identify the location of sensor registry keys
  • Head-Up Display Page Overview
    • Identify panels relating to endpoint data
    • Analyze endpoint data provided by the panels
    • Identify panels relating to operations data
    • Analyze operations data provided by the panels
    • Identify panels relating to server data
    • Analyze server data provided by the panels
    • Define alert generation in Carbon Black EDR
    • Manage alerts
  • Performing Investigations
    • Describe investigations
    • Explore data used in an investigation
    • Manage investigations
    • Manage investigation events
  • Responding to Endpoint Incidents
    • Describe isolation in Carbon Black EDR
    • Manage isolating endpoints
    • Describe live response capabilities
    • Manage live response sessions
    • Describe hash banning
    • Manage banned hashes
  • Overview of Postman and the VMware Carbon Black EDR API
    • Explain the use of the API
    • Differentiate the APIs available for Carbon Black EDR
    • Explain the purpose of API tokens
    • Create an API token
    • Explain the API URL
    • Create a valid API request
    • Import a collection to Postman
    • Initiate an API request from Postman
    • Perform operations manually using Postman
    • Analyze the use cases for Postman
    • Show basic automation tasks using the API and curl
    • Compare the usage of curl with Postman
  • Product Alignment
    • VMware Carbon Black® EDR™ 7.7