
VMware Carbon Black Managed Defense

VMware Carbon Black Managed Defense Integration

Blumira’s modern SIEM platform integrates with VMware Carbon Black’s Managed Defense to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected on an endpoint.


Once configured, Blumira’s integration with VMware Carbon Black’s Managed Defense will stream server and workstation endpoint security event logs and alerts to the Blumira service for threat detection and actionable response.

Required Blumira Module: Carbon Black Defense

Configuring VMware Carbon Black Managed Defense

You will need to log in to Carbon Black and configure a Carbon Black Connector, found at Settings > Connectors in the Carbon Black Dashboard.

Next, create a connector by clicking “Add Connector”. Select “SIEM” in the connector type dropdown. Leave the Authorized IP field blank and add a description if you’d like. Click “Add”.

Sending Notifications

While in Carbon Black Defense, you’ll need to configure a Notifications module. This will determine what type of Carbon Black logs are sent to the Blumira sensor.

Navigate to Settings > Notifications to configure them. We recommend creating three separate Notifications, plus a fourth if you have Threat Hunter. Below are the recommended Notifications with their settings.

1. Name: Blumira All Policies
Select “Alert crosses a threshold”
Select both Threat and Observed
Modify Alert Severity to 1
Select “All Policies”
In the API Key field, start typing your previously created key name and select it from the drop-down menu that appears.

Click “Add”

2. Name: Blumira Deny Policy

NOTE: If you do not have the “Policy Action is enforced” option, skip to Blumira Threat Hunter Policy.

Select “Policy Action is Enforced”
Select “Deny”
Select “All Policies”
In the API Key field, start typing your previously created key name and select it from the drop-down menu that appears.

Click “Add”

3. Name: Blumira Terminate Policy

NOTE: If you do not have the “Policy Action is enforced” option, skip to Blumira Threat Hunter Policy.

Select “Policy Action is Enforced”
Select “Terminated”
Select “All Policies”
In the API Key field, start typing your previously created key name and select it from the drop-down menu that appears.

Click “Add”

4. Name: Blumira Threat Hunter Policy

NOTE: Skip this Notification if you do not have Threat Hunter.

Select “Watchlist gets a hit”
Select All Watchlists
Modify Alert Severity to 1
Select “All Policies”
In the API Key field, start typing your previously created key name and select it from the drop-down menu that appears.

Click “Add”

You’ve now completed the Carbon Black Defense portion of this Module setup.

Blumira Sensor Module Configuration

You’ll now want to navigate to your Blumira sensor setup at app.Blumira.com > Infrastructure > Sensors > “Your Sensor Name” and select “Add Module” on the right side of the screen:

Log Source Name can be anything you like; it is the “Logging Device” name that appears on the Sensor screen.

API host is determined by the URL of your Carbon Black dashboard. Match the dashboard URL your company uses to the corresponding API URL listed below.



SIEM API Key is the “API Secret Key” Carbon Black has provided you on its API Credentials screen.

Connector ID is the “API ID” Carbon Black has provided you on its API Credentials screen.

You can find the key and connector ID in Carbon Black by navigating to Settings > API Access and clicking the drop-down arrow of the relevant connector. View the screenshots below:


Click Create and you’re all set! To confirm logs are successfully flowing, you should see the Logging Device pop up in the Logging Devices section on the Sensor page after a few minutes.
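If you want to confirm the connector itself is working before (or while) troubleshooting the sensor, the following added script (not Blumira's or Carbon Black's own code) polls the connector with the same SIEM API Key and Connector ID and tallies which of the four recommended Notifications have produced anything. It assumes the legacy Carbon Black Cloud Notifications API endpoint and the `ruleName`, `type` and `policyAction` field names in its JSON response; the API host, key and ID are placeholders.

```python
# Added example (not Blumira's or Carbon Black's own code). Assumes the legacy
# Carbon Black Cloud Notifications API: GET /integrationServices/v3/notification
# with header X-Auth-Token "<SIEM API Key>/<Connector ID>", and the "ruleName",
# "type" and "policyAction" fields of its JSON payload (all assumed).
import json
import urllib.request

# Placeholders: use your dashboard's API host and the "API Secret Key" / "API ID"
# shown under Settings > API Access.
API_HOST = "https://<your-api-host>"
SIEM_API_KEY = "<API Secret Key>"
CONNECTOR_ID = "<API ID>"

# The four Notifications this guide recommends creating.
EXPECTED_RULES = ("Blumira All Policies", "Blumira Deny Policy",
                  "Blumira Terminate Policy", "Blumira Threat Hunter Policy")


def fetch_notifications(api_host=API_HOST, key=SIEM_API_KEY, connector_id=CONNECTOR_ID):
    """Pull the notifications queued for this connector (each is delivered once)."""
    req = urllib.request.Request(
        f"{api_host}/integrationServices/v3/notification",
        headers={"X-Auth-Token": f"{key}/{connector_id}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(payload):
    """Count notifications per rule; list expected rules with nothing yet and policy actions seen."""
    counts, actions = {}, set()
    for n in payload.get("notifications", []):
        rule = n.get("ruleName", "<unknown>")
        counts[rule] = counts.get(rule, 0) + 1
        if n.get("type") == "POLICY_ACTION":  # Deny / Terminate rules
            actions.add(n.get("policyAction", {}).get("action"))
    missing = [r for r in EXPECTED_RULES if r not in counts]
    return counts, missing, sorted(a for a in actions if a)


# Constructed sample payload in the assumed response shape (not real data).
SAMPLE = {"success": True, "notifications": [
    {"type": "THREAT", "ruleName": "Blumira All Policies",
     "threatInfo": {"score": 3, "summary": "Suspicious script"}},
    {"type": "POLICY_ACTION", "ruleName": "Blumira Deny Policy",
     "policyAction": {"action": "DENY", "applicationName": "sample.exe"}},
]}

if __name__ == "__main__":
    print(summarize(SAMPLE))  # swap SAMPLE for fetch_notifications() to test live
```

The endpoint hands each queued notification to a connector only once, so run a live poll before the Blumira module is created, or it will consume notifications the sensor would otherwise receive.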