Integrating VMware Carbon Black Response With Blumira

While Carbon Black Response (CBR) can send syslog from the local appliance, the API is the method that gives the best data coverage out of the application. Once you have a Sensor running (see Adding a sensor in the Blumira app) with the Logger module, you can proceed with the CBR Module setup.

Adding API User to Carbon Black Response

To connect to the CBR API and retrieve the alerts/events generated by the managed Watchlists, Blumira requires two accounts to be provisioned. Blumira needs only their API Keys; the accounts' credentials do not need to be shared directly.

  1. Read-Write User, recommended name blumira_rw
    Access Needs: Watchlist Reading/Writing/Modification
    Reason: To create, update, and manage Watchlists based on Blumira guidance and experience
  2. Read-Only User, recommended name blumira_ro
    Access Needs: Read Only
    Reason: To connect to the CBR API and retrieve the alerts/events generated by the managed Watchlists

Once these users are created, open each user's profile and its API Token area to copy the API Token that you will need in later steps.
[Screenshot: Carbon Black API Token]

Adding Data Source

1. If the Sensor is already created, select the far right edit button and click View Detail.
[Screenshot: Carbon Black Country]

2. Once the flyout for your Sensor opens, click Add a module, which opens the Module selection screen. Select the latest version of the Carbon Black Response Module; the current version as of the last update of this article was 1.0.0.
[Screenshot: Carbon Black Module 1.0]
3. After selecting the latest version, you will be presented with a form to enter the API Host, Read/write API Key, and Read-only API Key. From the previous steps you should have these three pieces of information; enter them in their respective fields and click Create. API Host should be the address of your CBR server, and it must be reachable from the Sensor over port 443.

[Screenshot: Carbon Black Module Keys]

4. All set! Blumira will deploy the module with the defined details and poll the CBR API regularly to look for events that occur within the environment.
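A preflight check to run on the Sensor host before clicking Create in step 3, added here as an example rather than Blumira's or Carbon Black's own tooling. It assumes the CBR REST API accepts the key in an X-Auth-Token header and answers GET /api/v1/watchlist for any authenticated user; confirm both against your CBR version's API documentation. It verifies that the API Host is reachable over 443 from the Sensor and that each of the two keys authenticates, and names the usual cause when one does not.

```shell
#!/bin/sh
# Preflight for the Blumira CBR module (added example, not vendor code).
# Assumed CBR API details: X-Auth-Token header, GET /api/v1/watchlist.

# Reduce whatever was pasted as "API Host" to a bare host name (no scheme, path or slash).
cbr_host() {
  h="$1"
  h="${h#https://}"; h="${h#http://}"
  h="${h%%/*}"
  printf '%s' "$h"
}

# Translate the curl exit codes that matter here into the thing to fix on the Sensor side.
curl_exit_reason() {
  case "$1" in
    0)  printf 'connected' ;;
    6)  printf 'DNS: the Sensor cannot resolve the host' ;;
    7)  printf 'TCP: nothing answered on 443 (firewall, wrong host, or CBR not listening)' ;;
    28) printf 'timeout: connection or response took more than 10 s' ;;
    60) printf 'TLS: the CBR certificate is not trusted by the Sensor CA store' ;;
    *)  printf 'curl exit %s' "$1" ;;
  esac
}

# One authenticated read with a given key; prints a verdict and returns 0 only on HTTP 200.
check_key() {
  label="$1"; host="$(cbr_host "$2")"; key="$3"
  code="$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
            -H "X-Auth-Token: $key" "https://$host/api/v1/watchlist")"
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "FAIL [$label]: $(curl_exit_reason "$rc")"; return 1
  fi
  case "$code" in
    200)     echo "ok   [$label]: key accepted"; return 0 ;;
    401|403) echo "FAIL [$label]: key rejected (HTTP $code); re-copy it from the user's API Token page"; return 1 ;;
    *)       echo "FAIL [$label]: unexpected HTTP $code; is this really the CBR server?"; return 1 ;;
  esac
}

# Check both keys the module form asks for. Usage: cbr_preflight <api-host> <rw-key> <ro-key>
cbr_preflight() {
  check_key read-write "$1" "$2"; a=$?
  check_key read-only  "$1" "$3"; b=$?
  [ "$a" -eq 0 ] && [ "$b" -eq 0 ]
}

if [ $# -eq 3 ]; then cbr_preflight "$@"; fi
```

Run it as `sh cbr_preflight.sh <api-host> <rw-key> <ro-key>`; both lines must read "ok" before the module will be able to poll.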