Create a Blumira Sensor

How to Create a Blumira Sensor

It’s easy to configure a Blumira sensor to connect your environment to the Blumira platform to start collecting logs and detecting threats. Customers can configure multiple sensors as needed.

The sensor integrates with third-party products such as firewalls, identity services, endpoint detection tools and cloud infrastructure and collects logs as part of the Blumira service.

Blumira Sensor Network Diagram

Step 1: Logs are sent to Blumira’s sensor

Step 2: Blumira’s sensor parses the logs

Step 3: Parsed logs are sent to Blumira’s cloud service over port 443

Step 4: Threat intelligence is correlated to logs

Step 5: Blumira’s rule-based detections trigger a response

Step 6: Threat hunting triggers a response

Step 7A: An automated response is taken by Blumira

Step 7B: Blumira’s platform notifies the customer, providing a playbook on what actions to take in response

Step 8: Customer follows playbook steps and initiates/completes response

Configuration Instructions

Configuring a Sensor in the Blumira App

Note: It is recommended that you run the update processes on the host (i.e., sudo apt-get update && sudo apt-get upgrade, ideally followed by a reboot) before installing the sensor, so that the initial system state is current. Install the sensor on an Ubuntu server or VM that meets the minimum system requirements outlined in the document “How to Build a Sensor Environment on Ubuntu.”

Log in to the Blumira web application at https://app.blumira.com.

(1) On the left menu, click the Infrastructure button, then click Locations in the submenu.

Verify that the location where you will be installing the sensor is in the list of locations; if it is not, add a new location. It is very important that the time zone set on the location is correct and matches the local time zone used in the log data sent to the sensor at that location. Blumira currently uses this value to determine the correct time of incoming logs.

(2) Next, click on Sensors in the Infrastructure submenu to begin adding a sensor.

(3) Click on Add New Sensor.

(4) Enter a unique sensor name (no spaces allowed) in the Name field.

(5) Optionally (but recommended), enter a description of where you are installing the sensor image and any other notes about it. This is displayed on the sensor detail page after you start installation.

(6) Normally, an email with the link to install the sensor is sent to everyone with the administrator role in your Blumira org. If you check the “Email sensor installation link only to me” box, the install script email goes only to you.

(7) Choose a location from the pull-down menu (reminder: the chosen location’s time zone must match the time zone that logs are generally sent with to the sensor; currently, this is what Blumira uses to normalize timestamps on logs).

(8) Click Install. Currently, the Install button becomes non-clickable and the window appears to freeze for up to a minute. Do not refresh your page. Once the window closes, two things will happen:

  • The page will refresh, showing that the sensor is now created in our system. Its name and description will be near the top of the page.
  • A minute or two later, you should receive an email with install instructions.

The sensor detail page for the sensor you added should render and will look similar to the image below (Note: the red circle in the top left turns green a few minutes after the sensor has been installed and is able to connect to Blumira):

Note: the Logging Devices table will be empty, and the module table will only list the latest version of the Logger Module.

(9) Wait a minute or two for the sensor install email, then follow its instructions to install the sensor on your chosen machine/VM.

(10) If the install script completes without ending in an error, a Docker container holding the sensor stack will be running on your host.

(11) In about five to ten minutes you should be able to refresh the sensor page and see the dot turn green and the host details in the Overview section populated.

Installing the Host Operating System

Ubuntu 18.04 (x86_64)

Although we support running the Blumira sensor on a few operating systems, we currently strongly recommend Ubuntu 18.04.x on the x86_64 architecture. You can install the operating system on a bare-metal machine or on a virtual machine.

Detailed installation instructions are in a separate document “How to Build a Sensor Environment on Ubuntu.”

Key points are:

  • For the network interface, configure a static IP address so that you can send logs to it without risking the address changing.
  • For disk layout, use LVM. Make sure the LVM partition spans to the end of the disk, leaving no free space.
  • For optional extra components, choose Docker.
  • Point the NTP configuration to a company-internal time server if available, otherwise allow it to access the Ubuntu NTP pool through your firewall.

Installing the Sensor on the Host

You should receive an email containing a script that downloads the new sensor image and runs it.

Ubuntu 18.04 (x86_64)

Remember to run sudo apt-get update && sudo apt-get upgrade before copying and pasting the command into your terminal.

Use an SSH client such as PuTTY to connect to the Ubuntu machine that you just installed.

Copy and paste the script from the Linux section of the email into the terminal. The script is a single long line. It may wrap onto multiple lines in your email client, but it must be pasted into the terminal as one line.
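A pre-flight check to run on the host before pasting the install command, written here as an added example (it is not Blumira's installer or the emailed script). It encodes the key points above (Ubuntu 18.04 on x86_64, Docker, NTP, a static IP address, outbound TCP 443) and the one-line paste requirement; the app.blumira.com endpoint for the 443 test is an assumption taken from the web-app URL, the real sensor endpoint may differ, and nc must be installed.

```shell
#!/bin/sh
# Pre-flight checks for a host about to receive a Blumira sensor (added example,
# not Blumira's installer). Checks the page's requirements: Ubuntu 18.04 on x86_64,
# Docker present, NTP in sync, static IPv4, outbound TCP 443, one-line install command.
# Usage: sh preflight.sh run   (prints PASS/FAIL per check, exits 1 on any FAIL)

# Assumption: sensor reaches the web-app host; override if the email names another.
BLUMIRA_HOST="${BLUMIRA_HOST:-app.blumira.com}"

# os_supported ID VERSION_ID ARCH -> 0 only for the recommended platform.
os_supported() {
  [ "$1" = "ubuntu" ] && [ "$2" = "18.04" ] && [ "$3" = "x86_64" ]
}

# ntp_synced "$(timedatectl)" -> 0 when systemd reports the clock synchronised.
# Log timestamp normalisation depends on the host clock being correct.
ntp_synced() {
  printf '%s\n' "$1" | grep -qi 'clock synchronized: *yes'
}

# static_ip "$(cat /etc/netplan/*.yaml)" -> 0 when netplan config exists and no
# interface uses DHCPv4; a changing lease would strand devices forwarding logs.
static_ip() {
  [ -n "$1" ] && ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*dhcp4:[[:space:]]*(true|yes)'
}

# single_line CMD -> 0 when the pasted install command holds no line breaks
# (mail clients wrap the one-line script; a wrapped paste runs as fragments).
single_line() {
  [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# report NAME STATUS -> prints PASS/FAIL for the check and returns STATUS.
report() {
  if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; fi
  return "$2"
}

run_preflight() {
  rc=0
  . /etc/os-release 2>/dev/null
  os_supported "$ID" "$VERSION_ID" "$(uname -m)"; report "Ubuntu 18.04 x86_64 (found $ID $VERSION_ID $(uname -m))" $? || rc=1
  command -v docker >/dev/null 2>&1; report "Docker installed" $? || rc=1
  ntp_synced "$(timedatectl 2>/dev/null)"; report "NTP synchronised" $? || rc=1
  static_ip "$(cat /etc/netplan/*.yaml 2>/dev/null)"; report "Static IPv4 in netplan" $? || rc=1
  nc -z -w 5 "$BLUMIRA_HOST" 443 2>/dev/null; report "Outbound TCP 443 to $BLUMIRA_HOST" $? || rc=1
  return "$rc"
}
if [ "${1:-}" = "run" ]; then run_preflight; fi
```

Run it with the `run` argument on the freshly built Ubuntu host; paste the emailed install command only once every line reports PASS.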