Skip to main content
Sumo Logic

Install the VMware Carbon Black App and view the Dashboards

  1. Last updated
  2. Save as PDF
This page provides instructions for installing the VMware Carbon Black App, and has examples of each of the App dashboards.

This page provides instructions for installing the VMware Carbon Black App and has examples of each of the App dashboards. The VMware Carbon Black App dashboards are organized in the following categories, according to their function:

Install the App

This section demonstrates how to install the VMware Carbon Black EDR and Cloud Endpoint Standard App.

To install the app, do the following:

Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

  1. From the App Catalog, search for and select the app. 
  2. Select the version of the service you're using and click Add to Library.
  1. To install the app, complete the following fields.
    1. App Name. You can retain the existing name, or enter a name of your choice for the app.

    2. Data Source. Select either of these options for the data source.

      • Choose Source Category, and select a source category from the list.

      • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).

    3. Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
  2. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization. 

Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps. 

Dashboard filters  

Each dashboard has a set of filters that you can apply to the entire dashboard, as shown in the following example. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.

CB_Dashboard-filter.png

Each panel has a set of filters that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.

CB_Panel-filter.png

Carbon Black - EDR - Overview Dashboard

The Carbon Black - EDR - Overview dashboard provides a high-level view of the state of your network infrastructure and systems. The panels highlight detected threats, hosts, top feeds and IOC’s, top processes, top watchlists, and alert trends.

Use this dashboard to:

  • Monitor potential threats.
  • Determine the top processes and threat indicators.
  • Track alerts.
  • Monitor hosts, users, watchlists and feeds.

CB_Defense-Overview.png

Carbon Black - EDR - Alerts Dashboard

The Carbon Black - EDR - Alerts dashboard provides detailed information on the alerts in your environment, including alerts by mode, OS, report, and groups. The panels also show alert trends, recent alerts, and top users.

Use this dashboard to:

  • Monitor alert activity and identify spikes.
  • Monitor alerts triggered after a critical issue.
  • Track users who trigger a high number of alerts.

CB_Response-Alerts.png

Carbon Black - EDR - Feeds Dashboard

The Carbon Black - EDR - Feeds dashboard provides detailed information on total feeds, feed trends, top and recent feeds, feed comparisons, and processes related to feeds.

Use this dashboard to:

  • Monitor feed activity and identify spikes.
  • Correlate processes and feeds.
  • Compare feeds over time.

CB_Response-Feeds.png

Carbon Black - EDR - Indicators of Compromise Dashboard

The Carbon Black - EDR - Indicators of Compromise dashboard shows details on indicators of a compromised environment, as well as status for IOCs. The panels also provide an at-a-glance view of top malicious IPv4 addresses, top IOC DNSs, queries and query based feeds.

Use this dashboard to:

  • Determine the locations of attacks.
  • Track suspicious DNSs.
  • Determine which queries receive the most hits.

CB_Response-Indicators-of-Compromise.png 

Carbon Black - EDR - Network Dashboard

The Carbon Black - EDR - Network dashboard provides networking details for top protocols, local and remote ports, and unique IP addresses.

Use this dashboard to:

  • Determine the geographic location of network connections.
  • Monitor ports.
  • Review a list of CB servers.

CB_Response-Network.png 

Carbon Black - EDR - Processes Dashboard

The Carbon Black - EDR - Processes dashboard provides details on the processes that generate events.

Use this dashboard to:

  • Review processes used to modify registries and files.
  • Monitor command line processes, and top paths for processes that generate alerts.

CB_Response-Processes.png

Carbon Black - EDR - Sensors Dashboard

The Carbon Black - EDR - Sensors dashboard provides details of the sensors in your environment, such as sensor activity, trends and activity over time, and operating system.

Use this dashboard to:

  • Identify sensors that are not reporting over a specified time period.
  • Monitor sensor activity and rate spikes.

CB_Response-Sensors.png

Carbon Black - EDR - Threat Intelligence Dashboard

The Carbon Black - EDR - Threat Intelligence dashboard allows you to monitor threats on your network, categorized by feed, score, and severity. You can view recent threats, trends over time,  and hosts affected by threats.

Use this dashboard to:

  • Review threats over specified time periods.
  • Filter threats by severity to focus on high priority threats.
  • Identify hosts with the greatest number of threats.

CB_Response-Threat-Intelligence.png

Carbon Black - EDR - User and Host Alerts Dashboard

The Carbon Black - EDR - User and Host Alerts dashboard provides an at-a-glance view of user and host activity.

Use this dashboard to:

  • Monitor alert trends
  • Identify users responsible for the most alerts.
  • Monitor user activity
  • Review outbound and inbound alert activity.

CB_Response-User-and-Host-Alerts.png

Carbon Black - EDR - Watchlists Dashboard

The Carbon Black - EDR - Watchlists dashboard provides details on watchlists, including the number of watchlists, top watchlists, trends, and comparisons over time.

Use this dashboard to:

  • Identify the watchlists with the most hits in each category.
  • Monitor hits for individual watchlists and determine activity spikes.

CB_Response-Watchlists.png 

Carbon Black - Endpoint Standard - Overview Dashboard

The Carbon Black - Endpoint Standard - Overview dashboard provides a high-level view of the state of your network security, showing the number of detected threats, alerts, indicators of compromise, devices, users, and groups. The panels also highlight alert trends, top users, indicators, devices, applications, and reasons.

Use this dashboard to:

  • Quickly review your infrastructure security status.
  • Understand what areas of the infrastructure are experiencing issues.
  • Determine how the infrastructure is being utilized by taking a look at top users, applications and devices.

CB_Defense-Overview.png 

Carbon Black - Endpoint Standard - Indicators of Compromise Dashboard

The Carbon Black - Endpoint Standard - Indicators of Compromise dashboard provides an at-a-glance view of indicators of threats to a secure network by severity, application, and the number of unique instances. A breakdown of each known indicator is also shown.

Use this dashboard to:

  • Review which indicators are affecting your system.  
  • Understand how severity and the applications relate to the indicators.

CB_Defense-Indicators-of-Compromise.png

Carbon Black - Endpoint Standard - Threat Intelligence Dashboard

The Carbon Black - Endpoint Standard - Threat Intelligence dashboard provides details on the threats on your network, including the number of threats, their severity, and threat outliers. The panels also show details on the top devices affected by threats, recent threats, and a rating score of threats.

Use this dashboard to:

  • Review the threats identified in your infrastructure.
  • Investigate the threats by understanding the severity and scores of the threats.

CB_Defense-Threat-Intelligence.png

Carbon Black - Endpoint Standard - Alerts Dashboard

The Carbon Black - Endpoint Standard - Alerts dashboard provides detailed information on security-related alerts in your environment, including the number of alerts, severity, and trends over time. The panels also show information on alert policies, device operating systems (OS), and most recent alerts.

Use this dashboard to:

  • View an overall picture of all the alerts being generated.
  • Understand the classification of alerts based on different criteria, such as Severity, Policy, and Score.
  • Monitor spikes in alerts over time.

CB_Defense-Alerts.png

Carbon Black - Endpoint Standard - Device Dashboard

The Carbon Black - Endpoint Standard - Device dashboard provides a high-level view of the devices on your network, including the number of devices, geographic locations, and operating systems. The panels also show information on device groups, incidents, alert severity, and target priority.

Use this dashboard to:

  • Monitor device classification by OS, Group, and Target Priority.
  • Track the devices generating the highest number of incidents.
  • Determine the most common location of the devices generating alerts to isolate threats.

CB_Defense-Device.png