Duration

1 day.

Prerequisites

This course requires completion of the following course:

  • VMware Carbon Black EDR Administrator

Skills Gained

By the end of the course, you should be able to meet the following objectives:

  • Describe the components and capabilities of the Carbon Black EDR server
  • Identify the architecture and data flows for Carbon Black EDR communication
  • Identify the architecture for a cluster configuration and Carbon Black EDR cluster communication
  • Describe the Carbon Black EDR server data types and data locations
  • Use the API to interact with the Carbon Black EDR server without using the UI
  • Create custom threat feeds for use in the Carbon Black EDR server
  • Perform the integration with a syslog server
  • Use different server-side scripts for troubleshooting
  • Troubleshoot sensor-side configurations and communication

Who Can Benefit?

System administrators and security operations personnel, including analysts and managers.

    Outline for VMware Carbon Black EDR Advanced Administrator Training

    Course Introduction

    • Introductions and course logistics
    • Course objectives

    Architecture

    • Data flows and channels
    • Sizing considerations
    • Communication channels and ports

    Server Datastores

    • SOLR database
    • Storage configurations and data aging
    • Partition states
    • Postgres
    • Modulestore

    EDR API

    • CBAPI overview
    • Viewing API calls in the browser
    • Utilizing the API to access data

    Threat Intelligence Feeds

    • Feed structure
    • Report indicator types
    • Custom threat feed creation and addition

    Syslog Integration

    • SIEM support
    • Configuration

    Troubleshooting

    • Server-side scripts
    • Server logs
    • Sensor operations

    Product Alignment

    • VMware Carbon Black EDR