VMware Carbon Black Cloud Enterprise EDR

Samurai [Local] Collector	Samurai [Cloud] Collector

VMWare Carbon Black Cloud Enterprise EDR logs and data are collected via REST API and Streaming API.

To complete this Integration you will need to:

1) Within the VMware Carbon Black Cloud web interface

Determine environment
Determine Org key for API Access
API Access

2) From the Samurai MDR portal:

Complete the Carbon Black Cloud Enterprise EDR Integration

Determine Environment

The URL for API access appears in the address bar in a browser as follows:

https://defense-<Cloud Instance ID>.conferdeploy.net

Take note of this URL as it will be required when completing the Integration within the Samurai MDR portal.

Determine Org Key for API Access

To determine your Org Key for API Access:

Login to your Carbon Black Cloud instance
Select Settings > API Access
The ORG KEY is shown on the screen.

Take note of this Org Key as it will be required when completing the Integration within the Samurai MDR portal.

API Access

Use these steps to configure a custom API access level:

Log in to your Carbon Black Cloud Instance with an account that has the Super Admin role.
Click Settings > API Access
Go to the Access Level-tab
Click Add Access Level
1. In the Name field, enter Samurai-Access
2. Enter a description
3. Select the following permissions
  - org.alerts Read
  - org.watchlists Read
  - device Read
  - org.search.events Create, Read
4. Click Save

Use these steps to enable API configuration to allow Samurai to gather telemetry:

Click Settings > API Access
Click +Add API Key
Add a new API key with the following information:
- In the Name field, enter Samurai-MDR
- From the Access Level type list, select Custom
- From Custom Access Level list, select Samurai-Access
- Click Save
The API credentials are displayed
Use the copy button to copy the Samurai-MDR API ID and API Secret Key. Paste the information to a file clearly indicating name, API ID, and API secret key.

If you did not manage to copy the information, click the down arrow on the corresponding Samurai-MDR row and select API Credentials

You will need the API ID and API Secret key when completing the integration within the Samurai MDR portal.

Complete the VMware Carbon Black Cloud Enterprise EDR Integration

You will need:

Environment: (the URL from Determine Environment e.g https://defense-<ENV>.conferdeploy.net)
Organization Key: (from Determine Org Key for API Access)
API ID: (from API Access)
API Secret: (from API Access)

Login to the Samurai MDR portal
Click Telemetry and select Integrations from the main menu
Select Create
Locate and click Carbon Black Enterprise EDR
Click Next (we leverage a Samurai Cloud Collector)
Enter a Name of Integration
Enter a Description (Optional)
Enter your Environment
Enter your Organization Key
Enter your API ID
Enter your API Secret
Click Finish

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.