Before you begin
Below, we provide several tips to help orient you within the app and ensure your success as you start using Blumira as an MSP.
These resources can help you learn to navigate the app and get the most out of your NFR:
Know what to expect the first time you log in to the app
- After we create your NFR account, you will receive an account verification email. Follow the steps outlined in the email to log in to app.blumira.com.
- With one login you will have access to:
  - Your NFR account, including your MSP Portal, dashboards, reporting, and settings for your organization, which includes log integrations and detection rule settings.
  - All customer accounts that you add as sub-accounts of your parent account over time. You will use the Accounts table or the Organizations menu at the top of the screen to switch between the accounts that you need to work in.
- If you are an Administrator of a Blumira NFR account, you land on the Accounts page in the MSP Portal upon logging in. This is the page from which you will navigate to and manage all of your customers' accounts.
Important: The NFR is the Blumira account granted to you to use for your MSP organization for your own security purposes as well as for managing the accounts of your customers. Do not add another account for your MSP organization unless you have a specific need to have a separate internal sub-account. Read this article for more details.
- MSP Portal > Users includes the users that have been added to the NFR account, and this is the same list as in Settings > Users when you are working in your NFR parent account. Confirm the organization name at the top of the screen if you are unsure which account's users you are viewing.
- The MSP Portal is the place to bulk-manage your sub-accounts and NFR users.
- Important: Whenever you navigate to the lower navigation page, Settings > Users, you are viewing a single account's list of users. Any edits made on this page apply to the individual account only, and this is true for the NFR and for customer accounts.
Know what each role can do in the app
- Review About Blumira roles for MSPs for a complete view of permissions.
- Assign the Administrator role to your NFR users who need to manage other users, integrations, and settings (detection rules, sensors, etc.). Administrators have access to all of your customer organizations and the MSP Portal.
- Assign Administrator and Responder roles to users who need to be able to do everything in the app, including responding to findings.
- Assign only the Responder role to any helpdesk resources that need to respond to findings but that should not have access to configure settings or add accounts. You choose which accounts they have access to.
Using Blumira
Follow the steps outlined below to connect your data sources to send logs to Blumira, start receiving findings, and add other users who will be using Blumira with you. Some of these articles are relevant to all customers and not just to MSPs, so they are hosted on the general support site. Some articles are in the partner support site because the information is specific to MSPs.
| Task | Details |
| --- | --- |
| Set up Blumira Cloud Connectors for your NFR (timing varies for each, but most take about 5 min) | See the full list of Cloud Connectors in Deploying Blumira. Follow each article's instructions to configure the external app and gather the API credentials to use in the Cloud Connector. |
| Deploy Blumira Agent for endpoints (5 min) | Collect logs from your endpoints with Blumira Agent for the supported platforms noted in the installation guide. NFR accounts can deploy up to 10 agents. Also see Activating Blumira Agent in your NFR account and sub-accounts. |
| View your logs in Report Builder or search across your logs in Blumira Investigate | After setting up an integration, you can view the logs sent to Blumira in either Report Builder or Investigate. Investigate helps search around one piece of evidence directly from a finding, while Report Builder takes you deeper into all the available logs. |
| Add NFR users who will need access to Blumira (5 min) | Use the MSP Portal to add users to your NFR and bulk assign them to sub-accounts. Note: Blumira app users are not the same as billable user counts. Since access to Blumira requires MFA, and Responders are assigned for chain of custody auditing, any employees who will be responding to Blumira findings should be added as users with the appropriate role. |
| Configure alerts to your PSA ticketing tool (5 - 10 min) | Configure one or more of the following options: Important: For security reasons, the notifications for Blumira findings provide only a summary and do not include all related evidence or workflow options. You must click the link in the notification to log in to the app and view full matched evidence, then act on the remediation workflows. |
| Set up a Blumira sensor on Ubuntu (20 min) | Set up an Ubuntu host that will be used for the Blumira sensor that connects to services and collects your logs. Suggested requirements for sensor host: Steps for installing the Blumira sensor are included. For the best performance, we recommend using a virtual machine. The sensor can go anywhere that makes sense for the network. Sensors are frequently added to a server in a data center that has spare VM space, and they are also commonly placed in Azure, AWS, etc. Tip: Take a snapshot of the VM before running the curl script, and use it as a template for streamlining future sensor rollouts. |
| Add a honeypot module to your Blumira sensor (1 min) | The sensor doubles as a log shipper and a Honeypot. Run our Dogemira script, which creates a honeytoken in your AD Domains for visibility into Kerberoasting and AS-REP roasting behavior. Name the Honeypot something like "DiskStation" to make it enticing. Tip: The Honeypot is an excellent way to demo the SIEM. You can run live detection tests on it and see findings show up in real time. |
| Send firewall logs to the sensor (5 - 10 min) | For most firewalls, configuring logging entails sending Syslog from your firewall to the Blumira Sensor's IP address over port 514. Check the firewall integrations documentation for guidance on your specific brand of firewall, and follow it closely, because our parsing relies on receiving the logs in the expected format. Dynamic blocklists and automated blocking are available for some firewall appliances. |
| Enable enhanced Windows logging (25 min) | For best detection results, run the Blumira Advanced Logging Template GPO (Logmira) to enable about 100 settings that Windows does not turn on by default. Tip: Ensure that you restore the template to a new GPO and do not overwrite an existing GPO. Next, run the Dogemira script to create Honeytokens in your AD Domains for visibility into Kerberoasting and AS-REP roasting behavior. |
| Connect other relevant modules | Check out our integration list. We continue to add more over time. Data ingestion is unlimited, so the more security-relevant data, the better. |
| Add your customer accounts | Add your customer tenant accounts directly in the app using the MSP Portal. |
| Review pricing information | Information about pricing tiers, what a billable user is, and other specifics that help you understand the MSP pricing structure and billing process. |
| Review additional documentation | |
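
The honeytoken steps in the honeypot and enhanced Windows logging rows rest on one idea: no legitimate client requests Kerberos tickets for a decoy account, so any such request is worth a finding. The Python below is an added example, not Blumira's detection rule and not code from Dogemira; it applies that logic to constructed Windows Security events 4769 and 4768, and the decoy account name `svc-diskstation` and the flat JSON layout are assumptions.

```python
import json

# Assumptions, not taken from the Blumira page: the decoy account name and the
# flat JSON layout (field names follow Windows Security events 4768 and 4769).
HONEYTOKENS = {"svc-diskstation"}
RC4_HMAC = "0x17"  # RC4-HMAC ticket encryption type

# Constructed sample events, one per line, simplified for illustration.
SAMPLE_LOG = """
{"EventID":4769,"TargetUserName":"alice@CORP.EXAMPLE","ServiceName":"svc-sql","TicketEncryptionType":"0x12","IpAddress":"10.0.0.21"}
{"EventID":4769,"TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"svc-web","TicketEncryptionType":"0x17","IpAddress":"10.0.0.66"}
{"EventID":4769,"TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"SVC-DiskStation","TicketEncryptionType":"0x17","IpAddress":"10.0.0.66"}
{"EventID":4768,"TargetUserName":"carol","PreAuthType":"2","TicketEncryptionType":"0x12","IpAddress":"10.0.0.30"}
{"EventID":4768,"TargetUserName":"svc-diskstation","PreAuthType":"0","TicketEncryptionType":"0x17","IpAddress":"10.0.0.77"}
"""


def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def honeytoken_alerts(events, honeytokens=HONEYTOKENS):
    """Any ticket request naming a decoy account is a finding: nothing legitimate uses it."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4769 and ev["ServiceName"].lower() in honeytokens:
            # Service ticket requested for the decoy SPN: Kerberoasting behavior.
            alerts.append(("kerberoast-honeytoken", ev["IpAddress"], ev["TargetUserName"]))
        elif (ev["EventID"] == 4768 and ev["TargetUserName"].lower() in honeytokens
              and ev.get("PreAuthType") == "0"):
            # TGT requested without pre-authentication for the decoy: AS-REP roasting behavior.
            alerts.append(("asrep-honeytoken", ev["IpAddress"], ev["TargetUserName"]))
    return alerts


def accounts_to_review(events, alerts, honeytokens=HONEYTOKENS):
    """Real service accounts whose RC4 tickets went to a source that also touched a decoy."""
    sources = {source for _rule, source, _who in alerts}
    return sorted({ev["ServiceName"] for ev in events
                   if ev["EventID"] == 4769
                   and ev["IpAddress"] in sources
                   and ev["TicketEncryptionType"] == RC4_HMAC
                   and ev["ServiceName"].lower() not in honeytokens})


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    alerts = honeytoken_alerts(events)
    for alert in alerts:
        print(alert)
    print("review:", accounts_to_review(events, alerts))
```

The second function scopes the response: a source that requested a ticket for the decoy may also hold tickets for real service accounts, which are the ones to review first.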