VMware Carbon Black Cloud Enterprise EDR

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.

Product	Samurai [Local] Collector	Samurai [Cloud] Collector
VMware Carbon Black Cloud Enterprise EDR

VMWare Carbon Black Cloud Enterprise EDR logs and data are collected via REST API and Streaming API.

To complete this Integration you will need to:

1) Within the VMware Carbon Black Cloud web interface

• Determine environment
• Determine Org key for API Access
• API Access

2) From the Samurai application:

• Complete the Carbon Black Cloud Enterprise EDR Integration

Determine Environment

The URL for API access appears in the address bar in a browser as follows:

https://defense-<Cloud Instance ID>.conferdeploy.net

Take note of this URL as it will be required when completing the Integration within the Samurai MDR application.

Determine Org Key for API Access

To determine your Org Key for API Access:

1. Login to your Carbon Black Cloud instance
2. Select Settings > API Access
3. The ORG KEY  is shown on the screen.

Take note of this Org Key as it will be required when completing the Integration within the Samurai MDR application.

API Access

Use these steps to configure a custom API access level:

1. Log in to your Carbon Black Cloud Instance with an account that has the Super Admin role.
2. Click Settings > API Access
3. Go to the Access Level tab
4. Click Add Access Level
   1. In the Name field, enter Samurai-Access
   2. Enter a description
   3. Select the following permissions 
      1. org.alerts Read
      2. device Read
      3. org.search.events Read
      4. device.quarantine Execute (Optional, for Remote Isolation)
   4. Click Save

Use these steps to enable API configuration to allow Samurai to gather telemetry:

1. Click Settings > API Access
2. Click + Add API Key
3. Add a new API key with the following information:
   • In the Name field, enter Samurai-MDR
   • From the Access Level type list, select Custom
   • From Custom Access Level list, select Samurai-Access
   • Click Save

4. The API credentials are displayed

5. Use the copy button to copy the Samurai-MDR API ID and API Secret Key. Paste the information to a file clearly indicating name, API ID, and API secret key.

If you did not manage to copy the information, click the down arrow on the corresponding Samurai-MDR row and select API Credentials

You will need the API ID and API Secret key when completing the integration within the Samurai MDR application.

Complete the VMware Carbon Black Cloud Enterprise EDR Integration

You will need:

• Devicename: (arbitrary name)
• Environment: (the URL from Determine Environment e.g https://defense-<ENV>.conferdeploy.net)
• Organization Key: (from Determine Org Key for API Access)
• API ID: (from API Access)
• API Secret:  (from API Access)

1. Login to the Samurai MDR web application
2. Select Integrations
3. Select Create
4. Locate and click Carbon Black Enterprise EDR
5. Click Next (we leverage a Samurai Cloud Collector)
6. Enter a Name of Integration
7. Enter a Description (Optional)
8. Enter your Devicename
9. Enter your Environment
10. Enter your Organization Key
11. Enter your API ID
12. Enter your API Secret
13. Click Finish

For general information on Integrations refer to the Integrations article.