Skip to main content
To fully integrate USM Anywhere with your Carbon Black EDR implementation, you should configure Carbon Black EDR to send message to USM Anywhere so that it can collect and the raw data. The combination of processing the log data and connecting the BlueApp to the Carbon Black EDR API provides a full scope of data analysis and response within USM Anywhere.

Send Carbon Black EDR Logs to the Sensor

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor. To send log data from Carbon Black EDR to USM Anywhere
  1. Install and configure the cb-event-forwarder. See the Carbon Black Event Forwarder Quickstart Guide for instructions. Events exported from Carbon Black Event Forwarder can be in JavaScript Object Notation (JSON) or Log Event Extended Format (LEEF) format.
  2. Modify the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file, include the following item: udpout=<USM-Anywhere-Sensor-IP-Address>:514

Assign Assets to the BlueApp

To help BlueApp for Carbon Black EDR identify the relevant logs, you must associate this app with the asset that is forwarding the logs. To assign assets to the BlueApp
  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Assign Asset.
  5. Search for your asset using its name or IP address, and then click Assign.
  6. If your asset is not in USM Anywhere, click Create Asset to add it.
  7. Select the method that the USM Anywhere Sensor should use to collect logs from your asset. Syslog is the default method, but USM Anywhere can also collect logs from an Amazon S3 bucket or Amazon CloudWatch.
  8. In the Format field, click the icon and select JSON from the drop-down. Events exported from Carbon Black Event Forwarder are in a normalized JSON format; therefore you must set the Format field to JSON.
I