VMware Carbon Black Cloud Enterprise EDR

Samurai [Local] Collector, Samurai [Cloud] Collector, Samurai [Cloud Native] Collector

VMware Carbon Black Cloud Enterprise EDR logs and data are collected via REST API and Streaming API.

To complete this Integration you will need to:

1) Within the VMware Carbon Black Cloud web interface

2) From the Samurai MDR portal:

Determine Environment

The URL for API access appears in the address bar in a browser as follows:

https://defense-<Cloud Instance ID>.conferdeploy.net

Take note of this URL as it will be required when completing the Integration within the Samurai MDR portal.

Determine Org Key for API Access

To determine your Org Key for API Access:

  1. Log in to your Carbon Black Cloud instance
  2. Select Settings > API Access
  3. The ORG KEY is shown on the screen.

Take note of this Org Key as it will be required when completing the Integration within the Samurai MDR portal.

API Access

Use these steps to configure a custom API access level:

  1. Log in to your Carbon Black Cloud Instance with an account that has the Super Admin role.
  2. Click Settings > API Access
  3. Go to the Access Level tab
  4. Click Add Access Level
    1. In the Name field, enter Samurai-Access
    2. Enter a description
    3. Select the following permissions
      • org.alerts Read
      • org.watchlists Read
      • device Read
      • org.search.events Create, Read
    4. Click Save
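A pre-flight check for the values gathered so far, added here as an example and not part of the Samurai or Carbon Black tooling: it confirms the environment URL is an https `conferdeploy.net` host in the form shown above and compares an access level against the permission list in this guide, reporting anything missing or granted beyond it. The function names, the character set assumed for the Cloud Instance ID, and the sample access level are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Permissions the guide lists for the Samurai-Access level.
REQUIRED = {
    "org.alerts": {"READ"},
    "org.watchlists": {"READ"},
    "device": {"READ"},
    "org.search.events": {"CREATE", "READ"},
}
# Assumption: the Cloud Instance ID is lowercase letters, digits or hyphens.
_HOST = re.compile(r"defense-[a-z0-9-]+\.conferdeploy\.net")

def check_environment(url):
    """Return the normalised https base URL or raise ValueError."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("environment URL must use https")
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("no credentials or custom port expected in URL")
    if not _HOST.fullmatch(host):
        raise ValueError(f"unexpected host: {host!r}")
    return f"https://{host}"

def audit_access_level(granted):
    """Return (missing, excess) permissions relative to the guide's list."""
    have = {(c, op.upper()) for c, ops in granted.items() for op in ops}
    need = {(c, op) for c, ops in REQUIRED.items() for op in ops}
    missing = sorted(f"{c}:{op}" for c, op in need - have)
    excess = sorted(f"{c}:{op}" for c, op in have - need)
    return missing, excess

# Constructed sample: an access level with one gap and one extra grant.
SAMPLE_LEVEL = {
    "org.alerts": ["Read"],
    "org.watchlists": ["Read", "Update"],
    "device": ["Read"],
    "org.search.events": ["Read"],
}

if __name__ == "__main__":
    print(check_environment("https://defense-example01.conferdeploy.net/dashboard"))
    missing, excess = audit_access_level(SAMPLE_LEVEL)
    print("missing:", missing)
    print("excess:", excess)
```

An empty `missing` and `excess` result means the access level matches the list above exactly.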

Use these steps to enable API configuration to allow Samurai to gather telemetry:

  1. Click Settings > API Access

  2. Click +Add API Key

  3. Add a new API key with the following information:

    • In the Name field, enter Samurai-MDR
    • From the Access Level type list, select Custom
    • From Custom Access Level list, select Samurai-Access
    • Click Save
  4. The API credentials are displayed

  5. Use the copy button to copy the Samurai-MDR API ID and API Secret Key. Paste the information to a file clearly indicating name, API ID, and API secret key.

If you did not manage to copy the information, click the down arrow on the corresponding Samurai-MDR row and select API Credentials

You will need the API ID and API Secret key when completing the integration within the Samurai MDR portal.

Complete the VMware Carbon Black Cloud Enterprise EDR Integration

You will need:

  1. Log in to the Samurai MDR portal
  2. Click Telemetry and select Integrations from the main menu
  3. Select Create
  4. Locate and click Carbon Black Enterprise EDR
  5. Click Next (we leverage a Samurai Cloud Collector)
  6. Enter a Name of Integration
  7. Enter a Description (Optional)
  8. Enter your Environment
  9. Enter your Organization Key
  10. Enter your API ID
  11. Enter your API Secret
  12. Click Finish

For general information on Integrations refer to the Integrations article.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.