Accenture MxDR Quick Start Guide for AER Access in Carbon Black
The following guide provides instructions to set up the Accenture MxDR Carbon Black service.
 The document includes the following topics:
Managed Extended Detection Response (MxDR) Introduction
Managed Extended Detection Response (MxDR) Overview
Pre-Installation Questionnaire (PIQ)
Introduction
The Accenture Managed Extended Detection Response (MxDR) service delivers visibility and response: Accenture SOC analysts action suspicious threat activities and find emerging and unknown threats across on-premises and cloud endpoints, using forensics data coupled with machine learning analytics and the Accenture Global Intelligence Network. MxDR allows for close collaboration and seamless handoff of incident intelligence. It helps security teams prioritize their efforts and saves them the time and effort that would otherwise be spent investigating incident alerts and detecting and responding to advanced attacks.
Overview
 The Carbon Black MxDR service has three primary components:
Log Collection Platform (LCP)
Carbon Black Cloud Console
Endpoint Management
Log Collection Platform (LCP)
The Log Collection Platform (LCP) is designed to collect, compress, and send your log data securely to Accenture MxDR. The LCP is deployed in the Accenture Security Cloud and pulls the data directly from Carbon Black’s Cloud via API (application programming interface).
 Note: No client hardware or network access is needed.
Carbon Black Cloud
 The Carbon Black Cloud Console will be co-managed by Accenture MxDR for shared services with the client. After signing up for the service, clients will be provided with an Authorization Form for Access to Carbon Black Hosts by MSP (Managed Service Provider) Personnel, which will need to be provided to Carbon Black. This will grant Accenture MxDR access to the client’s Carbon Black data.
Topology
Existing Accenture clients who currently own Carbon Black will be moved under the Accenture MxDR CID (Customer ID) in a coordinated manner
New Carbon Black clients will be deployed under the Accenture MxDR CID
Each CID has a stand-alone Splunk backend for data isolation purposes
Access Control
Accenture will be granted access to the client’s Carbon Black Cloud portal after an MSSP Authorization Form is submitted to VMware
Accounts for Accenture will be housed at the Accenture MxDR CID
User permissions in the Accenture MxDR CID will extend to all client CIDs
Accenture MxDR analyst accounts and access will be managed by Accenture MxDR
Access and entitlements for clients will be managed in their respective CIDs and will allow the choice of the existing Carbon Black roles
 Permissions
Accenture will use two custom roles to access the client’s CID
MxDR – Sr. Analyst | GIO Analyst
Senior and Principal Analysts responsible for response and detection management
MxDR – Analyst
Responsible for investigations and isolation
 Event Data and Detections
 Detections
Detections will flow from the client CIDs into the Accenture MxDR CID
Detections can be managed by either Accenture MxDR or the client
 Raw event data
Endpoint data will be housed and stored in each client environment and will only be searchable across the CIDs that house it
Accenture MxDR analysts will be able to search client Endpoint Activity data by pivoting into the respective CID
 SIEM (Security Information Event Management) Connections for Detections
Accenture will consume detection data directly from each respective client CID
Policy Management
Accenture MxDR will have access to policy management, but clients will handle managing these policies. Unless pre-authorized to do so, Accenture MxDR will not update policies.
 Endpoint Management
 Carbon Black Endpoint Standard agent installation and management are the responsibility of the client. If applicable, remediation is performed by MxDR analysts via the Carbon Black Cloud Console.
 Pre-Installation Questionnaire (PIQ)
The pre-installation questionnaire (PIQ) is used to capture device and network details from your environment to begin the onboarding process. The PIQ requires information about the network ranges eligible for pre-authorized containment if applicable, how you will deploy the agent, and information about your current environment.
 An Accenture MxDR Engineer will supply the PIQ for the client to complete via email or Service Request within the MxDR portal.
The client is expected to complete the PIQ and return it to the MxDR Engineer for processing.
Complete and return the PIQ – If remediation is authorized, the network range(s) of the hosts authorized for remediation must be defined in the proper section of the PIQ.
 FAQ (Frequently Asked Questions)
 Will Accenture MxDR handle deployment of Carbon Black agents to new clients?
No. Accenture MxDR will have co-management access to the Carbon Black Cloud console to supply the MxDR service, but this will not include deployment of agents.
 Will Accenture MxDR update the Carbon Black agent configurations?
We will update the Endpoint Detection & Response (EDR) policy (blacklist, whitelist, etc.) if authorized. We will not update the endpoint policies (AV signatures, firewall rules, etc.).
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.