Configuring the BlueApp for Carbon Black EDR

Role Availability Read-Only Investigator Analyst Manager

When the BlueApp for Carbon Black EDR is enabled and connected to your Carbon Black Response deployment, you can launch app actions In USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured BlueApp. and create orchestration rules to send data from USM Anywhere to Carbon Black Response. See BlueApp for Carbon Black EDR Actions for more information about the orchestration actions supported by the BlueApp for Carbon Black EDR.

Note: To fully integrate USM Anywhere with your Carbon Black implementation, you should also have the Carbon Black log collection enabled so that USM Anywhere can retrieve and normalize Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types. raw log data from the Carbon Black applications. See Collecting Logs from Carbon Black EDR for information about raw log data retrieval.

Generate a Carbon Black API Token

Before you can use the Carbon Black orchestration actions within USM Anywhere, you must have an API token that USM Anywhere can use to connect to your Carbon Black server. Carbon Black generates this token for use by your user account.

Important: You must have global administrator privileges to generate a valid API token for integration with the BlueApp for Carbon Black EDR.

To acquire the API token for Carbon Black EDR

  1. Go to and follow the vendor instructions to generate the API token.
  2. Copy the token to be entered in USM Anywhere.

Important: If you generate a new API token or key at some point in the future, it will revoke the existing token making the connection unauthorized. Therefore, you must update the token in USM Anywhere accordingly.

Enable the API Connection

After you generate a Carbon Black API token and copy the value, you're ready to enable the BlueApp for Carbon Black EDR in USM Anywhere.

To enable the Carbon Black API connection

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Specify the connection information for your Carbon Black EDR server:

  7. Click Save.
  8. Verify the connection.

    After USM Anywhere completes a successful connection to the Carbon Black EDR APIs, a icon displays in the Health column.

    If the icon displays, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Carbon Black EDR connection.