Navigating to Workspace ONE Intelligence in TestDrive

Updated on

TestDrive's Workspace ONE Intelligence tenant is accessed through Workspace ONE UEM.   

Open a browser, go to the Workspace ONE User Portal, log in with your TestDrive account, and launch the Workspace ONE UEM admin console web app.

At the top right of the UEM console, click the username dropdown and verify your admin role is Intelligence & Tenant Administrator at TestDrive.

After the role is selected, the page will reload and you may see an admin error. This would happen if you were previously viewing a page that is unavailable with the new role.If you receive an error, simply navigate to Monitor > Intelligence. Click Launch.

Here's Intelligence's home view:

Workspace ONE Intelligence's Carbon Black Dashboard & Widgets

Workspace ONE UEM, Workspace ONE Intelligence, and Carbon Black are fully integrated products. In Workspace ONE Intelligence, because Carbon Black is integrated, it has a preconfigured dashboard. This demo flow uses the Carbon Black dashboard's widgets and a "demo" Carbon Black automation.

Go to  your Intelligence > Dashboards > Integration Dashboards > Carbon Black.

Workspace ONE Intelligence provides preset dashboard widgets for the Carbon Black integration.  

Change the data collection time to 24 hours.  Note data in all widgets updated to 12 hours with this adjustment.

Workspace ONE Intelligence Automation for Carbon Black

Workspace ONE Intelligence's automation and workflow engine allows an administrator to take action directly on the data in real time across any of the data sources, as well as take action using Workspace ONE actions via an integration with the VMware Carbon Black Cloud.

A couple of automations are staged for Carbon Black. One is available for demo and the other is set up to be illustrative in discussions. 

  • DEMO Carbon Black Threat Remediation  (used in demo)
  • DEMO Carbon Black Ransomware Threat (discussion only) 

Trigger Carbon Black Automation

Find the DEMO Carbon Black Threat Remediation automation and view it.

This preset automation will remove a per-app VPN profile on the Windows 10 desktop after Carbon Black's detection of a specific threat.

For demonstration purposes, a benign app UISpy.exe, has been pushed by Workspace ONE UEM product provisioning to your Windows machine. UISpy.exe has also been set in Carbon Black as a banned app. 

On the enrolled Windows 10 machine, attempt to launch UISpy.exe from search.

Due to the nature of threat remediation, once performed, the demo cannot be readily repeated.

...observe the instant Carbon Black Cloud Sensor notification in Windows.

In the Carbon Black Cloud (admin portal), when viewing alert triage, you can see from the event visually displayed with great detail. (Admin access to the Carbon Black Cloud portal is not available in this demo.)

Back in Workspace ONE Intelligence, Integration Dashboards >  Carbon Black...find the Carbon Black Threat Summary widget.

Click view to drill into the widget. At the bottom of the graph, select uispy.exe in the threat summary list to filter the view for those specific incidents. With the filter, you should see your recent threat detection on the timeline.

A few moments later, in the Workspace ONE UEM console, check your device's details > profiles for the removal of the WWE - Windows - Demo VPN profile.

...and back on the device, the removal of the Per App VPN profile (~ 2 min for remediation).

Before Workspace ONE Intelligence's Carbon Black threat remediation:

After threat remediation:

While a per-app VPN's exposure to the device and a corporate network is greatly reduced, the network may still act as a conduit for a threat to enter enterprise systems.  Workspace ONE Intelligence with Carbon Black has removed the Per-app Tunnel profile from the device, eliminating the threat's chance to spread to internal systems. 

DEMO Carbon Black Ransomware Threat (Discussion Only)

Select Automations on the left menu bar. Find the "STAGED Carbon Black Ransomware Threat Detected" automation and view it.

This particular sample automation is set to:

  • Send Slack message to admin channel
  • Create ServiceNow ticket
  • Tag the device in UEM

Device Deployment

Devices and apps are managed using Workspace ONE UEM. Workspace ONE UEM all but eliminates administrative overhead by installing the Carbon Black Cloud Sensor app (agent) on your Windows 10 device. Devices enrolled in TestDrive UEM's Enterprise - Corporate Owned Demo OG will have the appropriate sensor app automatically installed.

Log in to TestDrive's Workspace ONE UEM console. Use your Device Administrator at World Wide Enterprises admin role.

Next, validate the Carbon Black Cloud Sensor app is successfully installed on the device. Drill into your device and go toApps.

Carbon Black Cloud Sensor (Windows 10) should look like this.

If the Carbon Black Cloud Sensor is not installed, chances are that a system update or higher system process may have prevented it from initially installing.  You can push the installation from the UEM console again.

Device view:

Workspace ONE Intelligence with Carbon Black Availability

VMware Workspace ONE Intelligence with Carbon Black capabilities is available to Workspace ONE customers who have Workspace ONE Intelligence.  Workspace Intelligence is available in Workspace ONE Enterprise, Workspace ONE Enterprise for VDI, and as an add-on to Workspace ONE on-premises editions.