Blumira’s modern cloud SIEM integrates with VMware Carbon Black EDR (formerly Carbon Black Response) to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected on an endpoint.
When configured, the Blumira integration with VMware Carbon Black EDR will stream server and workstation endpoint security event logs and alerts to the Blumira service for threat detection and actionable response.
Required Blumira Module: Carbon Black Response
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Installing a Blumira sensor with Ubuntu before you continue.
To connect to the API and get alerts/events that occur based on the managed Watchlists, Blumira requires two accounts to be provisioned. Blumira only requires the API Keys and does not require you to share credentials.
Read-Write User, recommended name blumira_rw
Access Needs: Watchlist Reading/Writing/Modification
Reason: To create, update, and manage Watchlists based on Blumira guidance and experience.
Read-Only User, recommended name blumira_ro
Access Needs: Read Only
Reason: To connect to the API and get alerts/events that occur based on the managed Watchlists.
After you create these users, open each user's profile and click API Token to copy the API token that you will need in later steps.
Configuring the Blumira module
To add a module on an existing sensor and provide credentials:
- In Blumira, click Settings.
- Click Sensors.
- Click the sensor on which you want to add a module.
- On the detail page for the sensor, scroll down and click Add Module.
- In the Add New Module window, select the newest version of this integration's module. Note: For the best stability and performance, Blumira will update the module version when old versions are deprecated.
- Enter the credentials that you gathered in the "Before you begin" section above.
- (Optional) Type a name for this log deployment in the Log Source Name box. This name appears in the "device_address" column in the results of your event data queries. If you later add more modules that collect logs for other integrations, this name helps you tell them apart. Note: The name can only contain alphanumeric characters, periods, and hyphens; no spaces or underscores are allowed.
- Click Install.
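The following pre-flight check covers the two-account setup from "Before you begin" and the Log Source Name rule from the step above; it is an added example, not Blumira's or Carbon Black's code. It assumes the Carbon Black EDR REST API takes the token in an X-Auth-Token header and lists watchlists at GET /api/v1/watchlist; the server URL and tokens in the demo are constructed placeholders.

```python
"""Pre-flight checks before installing the Carbon Black EDR module in Blumira."""
import re
import urllib.error
import urllib.request

# Blumira's rule for Log Source Name: alphanumerics, periods and hyphens only.
LOG_SOURCE_NAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def valid_log_source_name(name: str) -> bool:
    """True only if the name satisfies the Add Module form's constraint."""
    return bool(LOG_SOURCE_NAME_RE.fullmatch(name))


def urllib_get(url: str, headers: dict) -> int:
    """Default transport: HTTP status of a GET, including 4xx/5xx errors."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_tokens(base_url: str, rw_token: str, ro_token: str, http_get=urllib_get) -> dict:
    """Probe each token against the watchlist endpoint (assumed Cb EDR API path).

    Returns {'statuses': {...}, 'problems': [...]}; no problems means ready to install.
    """
    problems = []
    if not rw_token or not ro_token:
        problems.append("both API tokens must be supplied")
    elif rw_token == ro_token:
        # One token reused for both accounts defeats the read-only/read-write split.
        problems.append("blumira_rw and blumira_ro tokens are identical")
    statuses = {}
    for label, token in (("blumira_rw", rw_token), ("blumira_ro", ro_token)):
        status = http_get(f"{base_url.rstrip('/')}/api/v1/watchlist", {"X-Auth-Token": token})
        statuses[label] = status
        if status in (401, 403):
            problems.append(f"{label}: token rejected or lacks watchlist read access (HTTP {status})")
        elif status != 200:
            problems.append(f"{label}: unexpected HTTP {status} when listing watchlists")
    return {"statuses": statuses, "problems": problems}


if __name__ == "__main__":
    # Offline demo with a constructed transport: only the two placeholder tokens are accepted.
    fake_get = lambda url, h: 200 if h["X-Auth-Token"] in ("RW-PLACEHOLDER", "RO-PLACEHOLDER") else 401
    print(valid_log_source_name("cb-edr.prod-01"), valid_log_source_name("cb edr_01"))
    print(check_tokens("https://cb-edr.example.internal", "RW-PLACEHOLDER", "RO-PLACEHOLDER", fake_get))
    print(check_tokens("https://cb-edr.example.internal", "RW-PLACEHOLDER", "RW-PLACEHOLDER", fake_get))
```

Against a real server, drop the `http_get` argument so the default urllib transport is used.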