
VMware Carbon Black Managed Defense

Cloud SIEM for VMware Carbon Black Managed Defense


Blumira’s cloud SIEM integrates with VMware Carbon Black Managed Defense to detect threats on endpoints and to drive an automated or analyst-actionable response when a threat is detected.


Once configured, Blumira’s integration with VMware Carbon Black’s Managed Defense will stream server and workstation endpoint security event logs and alerts to the Blumira service for threat detection and actionable response.


Required Blumira Module: Carbon Black Defense

Integrating with VMware Carbon Black Managed Defense

Before you begin

To configure a Carbon Black connector, you will need to gather these credentials from Carbon Black:

  • API Host
  • API ID
  • API Secret Key

The API Host value depends on the Carbon Black Cloud environment that hosts your Carbon Black dashboard; use the API hostname for that environment. Note: Enter only the hostname, without “https://”, a path, or a trailing slash (e.g., api-prod05.conferdeploy.net).


You can view your API ID and API Secret Key in Carbon Black by navigating to Settings > API Access and clicking the dropdown arrow next to the relevant API key. Under API Credentials, copy and save the API ID and API Secret Key for use in later steps. Treat the API Secret Key like a password: together with the API ID it grants everything the key’s access level allows.

To create a new API Key, if one does not already exist:

  1. In Carbon Black, navigate to Dashboard > Settings > API Access.
  2. Click Add API Key.
  3. Enter a Name for the API Key.
  4. In Access level, select SIEM from the dropdown list. The SIEM access level only lets the key pull notifications, which is all this integration needs; do not reuse a key with a broader access level.
  5. Under Authorized IP addresses, enter the static public (WAN) IP address that the Blumira sensor uses for its outbound connections.
    Important: If your sensor does not egress from a static public IP, leave the field blank; a wrong or changing IP causes authentication errors. With the field blank, the key is accepted from any IP address, so protect the API Secret Key accordingly.
  6. Click Save.

Configuring Notification policies

While in Carbon Black Defense, you must also configure Notification policies, which determine which Carbon Black alerts and events are sent to the Blumira sensor.

Navigate to Settings > Notifications to add each new Notification policy. Below are the policies we recommend, with their settings.

  1. Name: Blumira All Policies
    1. Select Alert crosses a threshold.
    2. Under When do you want to be notified? select both Threat and Observed.
    3. Change Alert Severity to 1 (the lowest threshold, so every alert is forwarded).
    4. In Policy, select All Policies.
    5. In the API Key Field, search for and select your previously created key name.
    6. Click Add.
  2. Name: Blumira Deny Policy
    NOTE: Skip to Blumira Threat Hunter Policy, if you do not have the “Policy Action is enforced” option.

    1. Under When do you want to be notified, select Policy Action is Enforced > Deny.
    2. Under Policy, select All Policies.
    3. In the API Key Field, search for and select your previously created key name.
    4. Click Add.
  3. Name: Blumira Terminate Policy
    NOTE: Skip to Blumira Threat Hunter Policy, if you do not have the “Policy Action is enforced” option.

    1. Under When do you want to be notified, select Policy Action is Enforced > Terminated.
    2. Under Policy, select All Policies.
    3. In the API Key Field, search for and select your previously created key name.
    4. Click Add.
  4. Name: Blumira Threat Hunter Policy
    Note: Skip this Policy if you do not have Threat Hunter.

    1. Under When do you want to be notified, select All Watchlists.
    2. Change Alert Severity to 1 (the lowest threshold, so every watchlist hit is forwarded).
    3. Select All Policies.
    4. In the API Key Field, search for and select your previously created key name.
    5. Click Add.

You have now completed the Carbon Black Defense portion of the module setup.

Blumira Sensor Module Configuration

To add a module on an existing sensor and provide credentials:

  1. In Blumira, click Settings.
  2. Click Sensors.
  3. Click the sensor on which you want to add a module.
  4. On the detail page for the sensor, scroll down and click Add Module.
  5. In the Add New Module window, select the newest version of this integration’s module. Note: For the best stability and performance, Blumira will update the module version when old versions are deprecated.
  6. Enter the credentials that you gathered in the “Before you begin” section above.
  7. (Optional) Type a name for this log deployment in the Log Source Name box. This name appears in the “device_address” column of your event data query results, which helps you distinguish log sources if you later add modules for other integrations. Note: The name can contain only alphanumeric characters, periods, and hyphens; spaces and underscores are not allowed.
  8. Click Install.
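As an added example (not Blumira’s or VMware’s code), the following Python script preflights the values gathered in “Before you begin” before you install the module: it normalizes a pasted console or API URL to the bare API host the module expects, validates a Log Source Name against the character rule in step 7, and checks that the API ID and API Secret Key actually return notifications from Carbon Black. It assumes the legacy Carbon Black Cloud Notifications API, GET /integrationServices/v3/notification with the header X-Auth-Token: <API Secret Key>/<API ID>, which is the endpoint a SIEM-level key is meant for; the sample response embedded in the script is constructed, not captured from a console. Run the live fetch_notifications check only before the Blumira module is installed: each notification is delivered once per API key, so a test pull made while the sensor is running would consume notifications the sensor should have received.

```python
"""Preflight checks for the Carbon Black -> Blumira module credentials.

Added example, not Blumira's or VMware's code. Assumptions: the legacy
Carbon Black Cloud Notifications API (GET /integrationServices/v3/notification,
authenticated with X-Auth-Token: <API Secret Key>/<API ID>) is the endpoint a
SIEM-level key pulls from, and SAMPLE_RESPONSE below is constructed.
"""
import json
import re
import urllib.request
from urllib.parse import urlsplit

# Bare hostname only: letters, digits, dots and hyphens, no scheme/path/port.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
# Blumira Log Source Name rule from step 7: alphanumerics, periods, hyphens only.
_LOG_SOURCE_NAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def normalize_api_host(value: str) -> str:
    """Turn whatever was pasted (full URL, host with path, bare host) into the
    bare API host the module expects; reject anything that is not a hostname."""
    value = value.strip()
    if "://" in value:
        value = urlsplit(value).netloc
    # Drop a path or port that came along with the host.
    value = value.split("/", 1)[0].split(":", 1)[0].lower()
    if not _HOST_RE.match(value):
        raise ValueError(f"not a valid API host: {value!r}")
    return value


def is_valid_log_source_name(name: str) -> bool:
    """True if the name uses only alphanumerics, '.' and '-' (no spaces/underscores)."""
    return bool(_LOG_SOURCE_NAME_RE.match(name))


def auth_header(api_id: str, api_secret_key: str) -> dict:
    """X-Auth-Token is '<secret>/<id>' (assumed legacy Notifications API format)."""
    return {"X-Auth-Token": f"{api_secret_key}/{api_id}"}


def summarize_notifications(body: str) -> dict:
    """Parse a Notifications API response and report what arrived, so you can
    confirm the Notification policies really route alerts to this key."""
    data = json.loads(body)
    if not data.get("success", False):
        raise RuntimeError(f"API reported failure: {data.get('message')}")
    notes = data.get("notifications", [])
    by_type: dict = {}
    for n in notes:
        kind = n.get("type", "unknown")
        by_type[kind] = by_type.get(kind, 0) + 1
    return {
        "count": len(notes),
        "by_type": by_type,
        "policies": sorted({n.get("policyName", "?") for n in notes}),
    }


def fetch_notifications(api_host: str, api_id: str, api_secret_key: str,
                        timeout: int = 15) -> dict:
    """Live check (needs network). Pulls pending notifications for this key.
    Each notification is delivered once per key, so only run this before the
    Blumira module is installed, or the sensor will miss what you consumed."""
    url = f"https://{normalize_api_host(api_host)}/integrationServices/v3/notification"
    req = urllib.request.Request(url, headers=auth_header(api_id, api_secret_key))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize_notifications(resp.read().decode())


# Constructed sample response (not captured from a real console).
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "message": "Success",
    "notifications": [
        {"type": "THREAT", "policyName": "Standard", "threatInfo": {"score": 6}},
        {"type": "POLICY_ACTION", "policyName": "Standard",
         "policyAction": {"action": "DENY"}},
        {"type": "THREAT", "policyName": "Servers", "threatInfo": {"score": 3}},
    ],
})

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_notifications(host, api_id, api_secret_key) for the live check.
    print(normalize_api_host("https://api-prod05.conferdeploy.net/"))
    print(is_valid_log_source_name("cb-defense.prod05"))
    print(summarize_notifications(SAMPLE_RESPONSE))
```

If the live check returns success with zero notifications, the key works but nothing has been routed to it yet; generate a test alert in Carbon Black and pull again before concluding the Notification policies are wrong. An HTTP 401 or 403 usually means the API ID and secret are swapped in the header, the key has the wrong access level, or the request came from an IP outside the key’s authorized list.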