Overview
Blumira’s modern SIEM platform integrates with VMware Carbon Black Cloud Endpoint Standard (formerly Carbon Black Defense) to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected on an endpoint.
Once configured, Blumira’s integration with VMware Carbon Black Cloud Endpoint Standard will stream server and workstation endpoint security event logs and alerts to the Blumira service for threat detection and actionable response.
Required Blumira Module: Carbon Black Defense
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Next, gather these credentials from Carbon Black to be used in later steps:
- API Host
- App ID
- API Secret Key
The API Host value is determined by your Carbon Black Dashboard URL. Refer to the table in Carbon Black Cloud: What URLs are used to access the APIs? Note: When entering the value in Blumira, do not include “https://” in the API host entry.
To gather your API ID and Secret Key in Carbon Black:
- Navigate to Settings > API Access.
- Click the dropdown arrow next to the relevant collector.
- In the API Credentials window, copy and save the API ID and API Secret Key.
If you need to create a new API Key:
- In Carbon Black, navigate to Dashboard > Settings > API Access.
- Click Add API Key.
- In the Name box, type a name for the API Key.
- In Access level, select SIEM from the dropdown list.
- In the Authorized IP addresses box, type the IP address of your Blumira sensor.
Important: If you do not use a public static IP for your business, leave the field blank to avoid errors.
- Click Save.
Configuring Notification policies
While in Carbon Black Cloud Endpoint, you must also configure Notification policies, which determine the Carbon Black logs that are sent to the Blumira sensor.
Navigate to Settings > Notifications to add each new Notification policy. Below are the policies we recommend, with their settings.
- Name: Blumira All Policies
- Name: Blumira Deny Policy
Note: Skip to Blumira Threat Hunter Policy if you do not have the “Policy Action is enforced” option.
- Name: Blumira Terminate Policy
Note: Skip to Blumira Threat Hunter Policy if you do not have the “Policy Action is enforced” option.
- Name: Blumira Threat Hunter Policy
Note: Skip this policy if you do not have Threat Hunter.
Configuring the Blumira module
To add a module on an existing sensor and provide credentials:
- In Blumira, click Settings.
- Click Sensors.
- Click the sensor on which you want to add a module.
- On the detail page for the sensor, scroll down and click Add Module.
- In the Add New Module window, select the newest version of this integration's module. Note: For the best stability and performance, Blumira will update the module version when old versions are deprecated.
- Enter the credentials that you gathered in the "Before you begin" section above.
- (Optional) Type a name for this log deployment in the Log Source Name box. This name is what will appear in the "device_address" column in the results of your event data queries. If additional modules might collect logs for other integrations in the future, this name helps you distinguish them. Note: The name can only contain alphanumeric characters, periods, and hyphens; no spaces or underscores are allowed.
- Click Install.