It’s easy to configure a Blumira sensor to connect your environment to the Blumira platform to start collecting logs and detecting threats. Customers can configure multiple sensors as needed.
The sensor integrates with third-party products such as firewalls, identity services, endpoint detection tools and cloud infrastructure and collects logs as part of the Blumira service.
Step 1: Logs are sent to Blumira’s sensor
Step 2: Blumira’s sensor parses the logs
Step 3: Parsed logs are sent to Blumira’s cloud service over port 443
Step 4: Threat intelligence is correlated to logs
Step 5: Blumira’s rule-based detections trigger a response
Step 6: Threat hunting triggers a response
Step 7A: An automated response is taken by Blumira
Step 7B: Blumira’s platform notifies the customer, providing a playbook on what actions to take in response
Step 8: Customer follows playbook steps and initiates/completes response
Note: It is recommended that you run update processes on the host (i.e., sudo apt-get update && sudo apt-get upgrade; ideally followed by a reboot) before installing the sensor, in order to ensure initial system state is current. You should be installing the sensor on an Ubuntu server or VM which meets minimum system requirements, as outlined in the document: “How to Build a Sensor Environment on Ubuntu”
Log in to the Blumira web application at https://app.blumira.com.
(1) On the left menu, click the Infrastructure button, then click on Locations in the submenu.
Verify that the location where you will be installing the sensor is in the list of locations. Add a new location if not. It is very important that the timezone set on the location is correct and matches the local timezone used in the log data sent to the sensor at that location. Blumira currently uses this to determine the correct time of incoming logs.
(2) Next, click on Sensors in the Infrastructure submenu to begin adding a sensor.
(3) Click on Add New Sensor.
(4) Enter a unique sensor name (no spaces allowed) in the Name field;
(5) Enter an optional, recommended, description of where you are installing the sensor image and any other notes about it. This will be displayed on the sensor detail page, after you start installation.
(6) Normally, an email with the link to install the sensor is emailed to everyone with administrator role in your Blumira org, but if you check the “Email sensor installation link only to me” button, the install script email goes only to you.
(7) Choose a location from the pull-down menu (reminder: the chosen location’s time zone must match what time zone logs are generally sent with to the sensor; currently, this is what Blumira uses to normalize timestamps on logs).
(5) Click Install. Currently, the install button becomes non-clickable and it appears that the window freezes, for up to a minute. Do not refresh your page. Once the window closes, two things will happen:
The sensor detail page for the sensor you added should render and will look similar to the below image (Note: the red circle in the top left turns green a few minutes after the sensor has been installed and able to successfully connect to Blumira):
Note: the Logging Devices table will be empty, and the module table will only list the latest version of the Logger Module.
(6) Wait a minute or two for the sensor install email, and follow those instructions to install it on your chosen machine/VM.
(7) If the install script completes without ending in an error, there will be a docker container running on your host, which contains the sensor stack.
(8) In about five or ten minutes you should be able to refresh the sensor page, have the dot turn green, and the host details in the Overview section populated.
Although we support running the Blumira sensor on a few operating systems, we primarily recommend, and currently strongly suggest, using Ubuntu 18.04.x on x86_64 architecture. You can install the operating system on a bare metal machine or on a virtual machine.
Detailed installation instructions are in a separate document “How to Build a Sensor Environment on Ubuntu.”
Key points are:
You should receive an email with a script that will download the new sensor image and run it.
Remember to run sudo apt-get update && sudo apt-get upgrade before copying and pasting the command into your terminal.
Use an SSH client such as PuTTY to connect to the Ubuntu machine that you just installed.
Copy and paste the script from the Linux section of the email into the terminal. The script is just one long line. It may wrap on multiple lines in your email client, but it should pasted into the terminal as one line.