VMware
Technology
Cloud Management and Automation
VMware Carbon Black EDR Advanced Administrator (VCBEDRAA)

This one-day course teaches you how to use the advanced features of the VMware Carbon Black® EDR™ product. This usage includes gaining access to the Linux server for management and troubleshooting in addition to configuring integrations and using the API. This course provides an in-depth, technical understanding of the Carbon Black EDR product through comprehensive coursework and hands-on scenario-based labs. This class focuses exclusively on advanced technical topics related to the technical back-end configuration and maintenance.

About the course

Prerequisites:

 This course requires completion of the following course:

  • VMware Carbon Black EDR Administrator

Course Objectives:

Upon completing this course, the learner will be able to meet these overall objectives:   

  • Describe the components and capabilities of the Carbon Black EDR server
  • Identify the architecture and data flows for Carbon Black EDR communication
  • Identify the architecture for a cluster configuration and Carbon Black EDR cluster communication
  • Describe the Carbon Black EDR server data types and data locations
  • Use the API to interact with the Carbon Black EDR server without using the UI
  • Create custom threat feeds for use in the Carbon Black EDR server
  • Perform the integration with a syslog server
  • Use different server-side scripts for troubleshooting
  • Troubleshoot sensor-side configurations and communication
Course content

Module 1: Course Introduction

  • Introductions and course logistics
  • Course objectives

Module 2: Architecture

  • Data flows and channels
  • Sizing considerations
  • Communication channels and ports

Module 3: Server Datastores

  • SOLR database
  • Storage configurations and data aging
  • Partition states
  • Postgres
  • Modulestore

Module 4: EDR API

  • CBAPI overview
  • Viewing API calls in the browser
  • Utilizing the API to access data

Module 5: Threat Intelligence Feeds

  • Feed structure
  • Report indicator types
  • Custom threat feed creation and addition

Module 6: Syslog Integration

  • SIEM support
  • Configuration

Module 7: Troubleshooting

  • Server-side scripts
  • Server logs
  • Sensor operations
Who Should Attend

The primary audience for this course is as follows:

  • System administrators and security operations personnel, including analysts and managers