1 days.


This course requires completion of the following course

  • VMware Carbon Black EDR Administrator

Skills Gained

By the end of the course, you should be able to meet the following objectives:

  • Describe the components and capabilities of the Carbon Black EDR server
  • Identify the architecture and data flows for Carbon Black EDR communication
  • Identify the architecture for a cluster configuration and Carbon Black EDR cluster communication
  • Describe the Carbon Black EDR server data types and data locations
  • Use the API to interact with the Carbon Black EDR server without using the UI
  • Create custom threat feeds for use in the Carbon Black EDR server
  • Perform the integration with a syslog server
  • Use different server-side scripts for troubleshooting
  • Troubleshoot sensor-side configurations and communication

Who Can Benefit?

System administrators and security operations personnel, including analysts and managers.

    Outline for VMware Carbon Black EDR Advanced Administrator Training


    Course Introduction

    • Introductions and course logistics
    • Course objectives


    • Data flows and channels
    • Sizing considerations
    • Communication channels and ports

    Server Datastores

    • SOLR database
    • Storage configurations and data aging
    • Partition states
    • Postgres
    • Modulestore


    • CBAPI overview
    • Viewing API calls in the browser
    • Utilizing the API to access data

    Threat Intelligence Feeds

    • Feed structure
    • Report indicator types
    • Custom threat feed creation and addition

    Syslog Integration

    • SIEM support
    • Configuration


    • Server-side scripts
    • Server logs
    • Sensor operations

    Product Alignment

    • VMware Carbon Black EDR