Blumira’s modern cloud SIEM integrates with VMware’s Carbon Black Response to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected on an endpoint.
When configured, the Blumira integration with VMware Carbon Black Response will stream server and workstation endpoint security event logs and alerts to the Blumira service for threat detection and actionable response.
Required Blumira Module: Carbon Black Response
While Carbon Black Response (CBR) does have the ability to send syslog from the local appliance, the API is the best method for data coverage out of the application. Once you have a Sensor running (How to Create a Blumira Sensor) with the Logger module, you can proceed with CBR Module setup.
To connect to the CBR API and get alerts/events that occur based off of the managed Watchlists, Blumira requires two accounts to be provisioned. Blumira only requires the API Keys, Blumira does not require credentials to be directly shared.
Once these users are created, go to their profile and API Token area to gather the API Token that you will need in later steps.
1. If the Sensor is already created, select the far right edit button and click View Detail.
2. Once the flyout for your Sensor opens, click Add a module, which will then open the Module selection screen. Select the latest version of the Carbon Black Response Module, the current version as of last update of this article was 1.0.0.
3. After selecting the latest version, you will be presented with a form to enter the API Host, Read/write API Key, and Read-only API Key. From the previous steps, you should have these three pieces of information, input them into their respective fields and click Create. API Host should be the address of your CBR server, it must be accessible over 443 from the Sensor.
4. All set! Blumira will deploy the module with the defined details and poll the CBR API regularly to look for events that occur within the environment.