BluVector

BluVector Advanced Threat Detection™ (ATD) is the next-generation Intrusion Detection System that is transforming how security teams manage security events. BluVector ATD™ accurately and efficiently detects, triages, and responds to threats, including ransomware, fileless malware, and zero-day malware, in real time. BluVector ATD uses artificial intelligence to detect destructive attacks early in the cyber threat kill chain. More information can be found on BluVector website.

Integration Method: Syslog, HTTP Collector via BluVector’s DataBee Event Forwarding.

Tables: Detection Finding (2004)

This integration supports the following versions.

Configuration Overview

Data ingestion with this data source is via the HTTP collector. To leverage this, the setup will involve several steps as below:

DataBee

• Creating a BluVector data feed and getting the API Key

• Getting the datasource_id from the DataBee Console.

• Getting the Endpoint URL to where BluVector will send the data to.

• Getting the tenantid from the DataBee Console.

BluVector

• Setting up the Databee Event Forwarding.

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the BluVector and click it as shown below.
    

3. Click on the HTTP Collector option for collection method.
    

4. Enter feed contact information and click Next.
    

5. Leave all the defaults values on the next dialog box and click Next.

   
   

6. Click the Generate New API Key. Save the API Key somewhere safe as it will be required in later steps. Once saved click Submit.

   
   

7. You will be taken back to Your current data feeds page. Click on the newly onboarded BluVector data feed tile.
    

8. Note down the ID. This is the datasource_id which will be required later to configure in BluVector.
    

9. From the DataBee console, navigate to the System.

    

10. Navigate to HTTP Collector section and copy the Endpoint URL. We will also require the hostname from the URL. For example, if your Endpoint URL is https://test-tenant.domain.com/http/ingest?v=1 then your hostname will be test-tenant.domain.com. Save these details somewhere as it will be required later.
     

11. Navigate to My Profile under your name icon in the DataBee console.
     

12. Copy the Tenant ID which will be required later.
     

BluVector Configuration

This integration leverages the DataBee HTTP collector. BluVector detection events and Suricata events are sent via HTTPs. The logs can also be sent via syslog. To leverage this transport mechanism, BluVector DataBee Event Forwarding must be set up.

1. Logon to your BluVector ATD Console page. Click the Settings icon and navigate to Outputs.
    

2. Click on Databee Event Forwarding.

   

3. Enable the Send Events and Enter the following required information.

   • Output Name: Give an appropriate name for the output.

   • Endpoint URL: paste the Endpoint URL you have copied under HTTP Collector section.

   • API Key: paste the API Key which you have generated and copied while creating the BluVector data feed.

   • Tenant ID: paste the Tenant ID you have copied from My Profile page.

   • Source ID: paste the data source_id you have copied from the configured BluVector feed tile.

   • Enable fqdn: enable the fqdn to be added to the events button.
     
     

4. Once you have entered all the required information, click on Stage Changes button.
    

5. After staging the changes, it will not become effective, and it will be in locked state. Click on staged changes as shown below.
    

6. You can review the changes and click Apply Changes.
    

7. Click Confirm in the popup message as shown below.
    

Troubleshooting Tips

• Ensure the API Key, Endpoint URL, data source Id and Tenant ID are pasted correctly. Since you cannot view the API Key after the 1^st time, re-create the API Key, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.