Carbon Black (P6:Settings): A Practical Guide/A Practical Training

  • Aug 6

In this guide, we'll cover the last section of the Carbon Black Cloud console: the Settings tab. This area is crucial for managing your environment, configuring users, roles, notifications, and more. Let’s dive into each subsection and see what they offer.


1. General

The General subtab provides essential information about your Carbon Black account and its configuration. Here’s what you can find:

  • Enabled Products: Displays the list of products activated for your account. For additional tools, links to relevant documentation are available if you’re considering a purchase.

  • Account Details:

    • OrgID & OrgKey: These are unique identifiers for your account, necessary for API integrations. Keep these handy if you're making API calls.

    • DNS Suffix: Defines the domain suffix your devices use, such as yourcompany.com. It’s an organization-specific identifier set during DHCP configuration.

    • Reachable Hosts: This is the IP address or fully qualified domain name (FQDN) of an internal host, like your DNS server. It's used to confirm on-premises reachability and must avoid private IPs like 10.x.x.x or 172.x.x.x.

    • Windows Registry Key: This permanent setting ensures compatibility with Windows security updates (e.g., KB4072699). Once enabled, it cannot be modified.
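The Reachable Hosts rule above (an FQDN or an address, but not a private range such as 10.x.x.x or 172.x.x.x) is easy to get wrong when typing into the console. The following checker is an added example, not code from the post or from Carbon Black; it applies the RFC 1918 private ranges plus loopback and link-local addresses as the rejection set, and the sample entries in it are constructed.

```python
import ipaddress


def is_valid_reachable_host(value: str) -> bool:
    """Check a candidate Reachable Hosts entry before saving it in the console.

    Accepts an FQDN (for example the internal DNS server's name) or a
    non-private IP address. Rejects RFC 1918 ranges (10/8, 172.16/12,
    192.168/16), loopback and link-local addresses: those are ambiguous,
    because a laptop on a home network could reach them too and the sensor
    would wrongly conclude it is on-premises.
    """
    value = value.strip()
    if not value:
        return False
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Not an IP literal: treat it as a hostname and require a dotted FQDN
        # made only of letters, digits and hyphens.
        labels = value.split(".")
        return len(labels) >= 2 and all(
            label and all(ch.isalnum() or ch == "-" for ch in label)
            for label in labels
        )
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def check_reachable_hosts(entries):
    """Return the entries that should not be used, each with a reason."""
    problems = []
    for entry in entries:
        if not is_valid_reachable_host(entry):
            problems.append((entry, "private, loopback or malformed host"))
    return problems


if __name__ == "__main__":
    # Constructed sample entries, not values from any real environment.
    sample = ["dns01.corp.example.com", "10.0.0.53", "172.20.4.1", "11.22.33.44"]
    for entry, reason in check_reachable_hosts(sample):
        print(f"reject {entry}: {reason}")
```

Run it over the hosts you intend to enter; anything it rejects would make on-premises detection unreliable.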


2. Users

The Users subtab allows you to manage who has access to your console.

  • Add new users and grant them specific permissions.

  • View logs related to user activity, ensuring accountability and transparency.


3. Roles

Roles are critical for managing permissions across your organization.

  • Use prebuilt roles for common needs or create custom roles tailored to your environment.

  • Assign roles to users based on their job responsibilities, ensuring a least-privilege approach to security.



4. Notifications

Want to stay informed? The Notifications subtab lets you set up alerts based on specific conditions.


Scenarios where notifications can be triggered:

  1. Alert Thresholds: When an alert exceeds a predefined limit.

  2. Specific TTPs or MITRE Techniques: Be notified when certain tactics, techniques, or procedures (TTPs) are detected.

  3. Policy Actions: Alerts when specific policy actions are applied.


5. API Access

API Access enables seamless integration with other security tools in your ecosystem.

  • Generate API keys to authenticate your integration with external systems.

  • For detailed guidance, check Carbon Black’s official API documentation.
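To show how the Org Key from the General subtab and an API key from this subtab fit together in an integration, here is an added example (not code from the post or from Carbon Black). It builds an authenticated request without sending it and masks the secret half of the token before anything is logged. The `X-Auth-Token` header carrying `<API secret>/<API ID>` is how Carbon Black Cloud API keys authenticate; the endpoint path, the console URL and the request body are assumptions for this example and should be confirmed against the official API documentation.

```python
import json
import os
from urllib.request import Request

# Endpoint path is an assumption for this example; confirm the current path
# in Carbon Black's API documentation before use.
ALERT_SEARCH_PATH = "/api/alerts/v7/orgs/{org_key}/alerts/_search"


def build_auth_headers(api_id: str, api_secret: str) -> dict:
    """Headers for an API key: X-Auth-Token carries "<API secret>/<API ID>".

    Both halves come from the API Access subtab. Keep them out of source code
    and read them from the environment or a secrets manager.
    """
    if not api_id or not api_secret:
        raise ValueError("API ID and API secret are both required")
    return {
        "X-Auth-Token": f"{api_secret}/{api_id}",
        "Content-Type": "application/json",
    }


def build_org_request(base_url, org_key, api_id, api_secret, path_template, body):
    """Build (without sending) a POST scoped to the Org Key from the General subtab."""
    if not org_key:
        raise ValueError("Org Key is required to address org-scoped endpoints")
    url = base_url.rstrip("/") + path_template.format(org_key=org_key)
    return Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers=build_auth_headers(api_id, api_secret),
        method="POST",
    )


def redact_headers(headers: dict) -> dict:
    """Copy of the headers that is safe to log: the API ID stays visible for
    troubleshooting, the secret half is masked."""
    safe = {}
    for key, value in headers.items():
        if key.lower() == "x-auth-token" and "/" in value:
            _secret, api_id = value.split("/", 1)
            value = "********/" + api_id
        safe[key] = value
    return safe


if __name__ == "__main__":
    # Values come from the environment; the fallbacks are constructed
    # placeholders, not real credentials or a real console URL.
    req = build_org_request(
        os.environ.get("CBC_URL", "https://cbc.example.invalid"),  # your region's console URL
        os.environ.get("CBC_ORG_KEY", "EXAMPLEORG"),
        os.environ.get("CBC_API_ID", "EXAMPLEID"),
        os.environ.get("CBC_API_SECRET", "EXAMPLESECRET"),
        ALERT_SEARCH_PATH,
        {"criteria": {}, "rows": 10},  # body fields assumed for this example
    )
    print(req.get_method(), req.full_url)
    print(redact_headers(dict(req.header_items())))
```

Hand the returned `Request` to `urllib.request.urlopen` (or translate it to your HTTP client of choice) once the API key has been granted only the access level the integration needs; the redacted copy is what belongs in logs.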



6. Data Forwarder

The Data Forwarder feature lets you send bulk data to external storage for advanced analytics and reporting.


Supported Destinations:

  • AWS S3 Buckets:

    • Create an S3 bucket and configure a bucket policy to grant necessary permissions.

    • Use prefixes to send data to specific sub-folders.

  • Microsoft Azure Blob Storage:

    • Authorize Carbon Black Cloud using a Federated credentials-based Managed Identity.

    • Note: Unlike AWS S3, Azure requires individual blob containers for each forwarder.


Tip: This is useful for integrating with SIEM tools or for maintaining historical logs outside of Carbon Black.
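The S3 steps above (a bucket policy granting the forwarder what it needs, and a prefix per forwarder) are where over-permissive grants usually creep in. The following is an added example, not code from the post or from Carbon Black: it generates a bucket policy confined to one prefix and reviews an existing policy for wildcard principals, wildcard actions and unscoped object access. The bucket name, prefix and account ID are constructed placeholders, and the exact set of S3 actions the forwarder requires is an assumption to be confirmed against the vendor documentation.

```python
import json


def forwarder_bucket_policy(bucket: str, prefix: str, principal_arn: str) -> dict:
    """Least-privilege bucket policy for one Data Forwarder destination.

    Write access is granted only under s3://<bucket>/<prefix>/, so several
    forwarders can share one bucket, each confined to its own prefix. The
    actions below are an assumption for this example; confirm the exact
    permissions the forwarder needs in the vendor documentation.
    """
    prefix = prefix.strip("/")
    if not bucket or not prefix:
        raise ValueError("bucket and prefix are required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ForwarderWriteUnderPrefix",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
            {
                "Sid": "ForwarderReadBucketLocation",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
        ],
    }


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def policy_findings(policy: dict, bucket: str) -> list:
    """Review an existing bucket policy and report over-broad Allow statements."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            findings.append(f"{sid}: wildcard principal grants access to any AWS account")
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action"))):
            findings.append(f"{sid}: wildcard action; the forwarder only needs to write objects")
        for res in _as_list(st.get("Resource")):
            if not (res == bucket_arn or res.startswith(bucket_arn + "/")):
                findings.append(f"{sid}: resource outside the forwarder bucket: {res}")
            elif res == bucket_arn + "/*":
                findings.append(f"{sid}: object access is not confined to a forwarder prefix")
    return findings


if __name__ == "__main__":
    # Constructed values; the account ID is the AWS documentation placeholder.
    policy = forwarder_bucket_policy(
        "cbc-forwarder-logs", "alerts/", "arn:aws:iam::123456789012:root"
    )
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy, "cbc-forwarder-logs"))
```

Keep one prefix per forwarder (for example `alerts/` and `events/`) and run `policy_findings` over the policy you actually attach; a clean result means each forwarder can write only to its own sub-folder.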

7. Audit Log

The Audit Log subtab provides a trail of actions performed within the console.

  • Track login attempts, configuration changes, and user activity.

  • Use this feature for compliance audits and internal investigations.



Wrapping Up:

With its comprehensive features and intuitive interface, Carbon Black Cloud empowers organizations to take control of their cybersecurity posture. From endpoint protection to advanced threat hunting, the platform provides everything needed to stay ahead of emerging threats.


By mastering these tools and features, you're not just enhancing security—you're building a resilient defense against the challenges of tomorrow.

That wraps up our deep dive into Carbon Black! See you in the next series of articles—until then, stay curious and stay secure. Bye-bye! 👋
