Configuring the BlueApp for Carbon Black EDR

Role Availability Read-Only Investigator Analyst Manager

When the BlueApp for Carbon Black EDR is enabled and connected to your Carbon Black Response deployment, you can launch app actions and create orchestration rules to send data from USM Anywhere to Carbon Black Response. (In USM Anywhere, you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured BlueApp.) See BlueApp for Carbon Black EDR Actions for more information about the orchestration actions supported by the BlueApp for Carbon Black EDR.

Note: To fully integrate USM Anywhere with your Carbon Black implementation, you should also have the Carbon Black log collection enabled so that USM Anywhere can retrieve and normalize raw log data from the Carbon Black applications. (Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types.) See Collecting Logs from Carbon Black EDR for information about raw log data retrieval.

Generate a Carbon Black API Token

Before you can use the Carbon Black orchestration actions within USM Anywhere, you must have an API token that USM Anywhere can use to connect to your Carbon Black server. Carbon Black generates this token for use by your user account.

Important: You must have global administrator privileges to generate a valid API token for integration with the BlueApp for Carbon Black EDR.

To acquire the API token for Carbon Black EDR

  1. Go to https://developer.carbonblack.com/reference/enterprise-response/authentication/ and follow the vendor instructions to generate the API token.
  2. Copy the token to be entered in USM Anywhere.

Important: If you generate a new API token or key at some point in the future, the existing token is revoked and the connection becomes unauthorized. You must then update the token in USM Anywhere accordingly.

Enable the API Connection

After you generate a Carbon Black API token and copy the value, you're ready to enable the BlueApp for Carbon Black EDR in USM Anywhere.

To enable the Carbon Black API connection

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Specify the connection information for your Carbon Black EDR server:

  7. Click Save.
  8. Verify the connection.

    After USM Anywhere completes a successful connection to the Carbon Black EDR APIs, a success icon displays in the Health column.

    If an error icon displays instead, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Carbon Black EDR connection.
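When the Health column reports a problem, it helps to separate the two causes this page names: a sensor network segment that cannot reach the API, and a token that was revoked when a new one was generated. The following pre-flight check is an added example, not AT&T or Carbon Black code; it assumes the EDR REST API accepts the token in an X-Auth-Token header and serves an authenticated /api/info endpoint, and it should be run from a host on the same network segment as the selected sensor.

```python
"""Pre-flight check for a Carbon Black EDR API token (added example)."""
import ssl
import urllib.error
import urllib.request

# Assumptions (not from this page): the EDR REST API takes the token in an
# X-Auth-Token header, and /api/info is an authenticated, read-only endpoint.
INFO_PATH = "/api/info"


def check_cb_api(base_url, token, timeout=5.0, ca_file=None):
    """Return (status, detail); status is one of
    ok / unauthorized / unreachable / tls_error / unexpected."""
    req = urllib.request.Request(
        base_url.rstrip("/") + INFO_PATH,
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )
    # Certificate verification stays on; pass ca_file for a private CA.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return ("ok", f"HTTP {resp.status}")
    except urllib.error.HTTPError as exc:  # must precede URLError (subclass)
        if exc.code in (401, 403):
            # Expected after a new token was generated: the old one is revoked.
            return ("unauthorized",
                    f"HTTP {exc.code}: update the token in USM Anywhere")
        return ("unexpected", f"HTTP {exc.code}")
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLError):
            return ("tls_error", str(exc.reason))
        return ("unreachable", str(exc.reason))
    except OSError as exc:  # e.g. a read timeout raised outside URLError
        return ("unreachable", str(exc))


if __name__ == "__main__":
    import os
    import sys
    # The token is read from the environment so it stays out of shell history.
    status, detail = check_cb_api(sys.argv[1], os.environ["CB_API_TOKEN"])
    print(status, detail)
    sys.exit(0 if status == "ok" else 1)
```

An `unauthorized` result points at the token, while `unreachable` or `tls_error` points at the sensor's network path or certificate trust rather than the credential.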