Posted on September 27, 2016
The Cb Response App for Splunk allows administrators to leverage the industry’s leading EDR solution to see, detect and take action upon endpoint activity from directly within Splunk. Once installed, the App will allow administrators to access many of the powerful features of Carbon Black, such as process and binary searches from within and in conjunction with Splunk.
When used along side Splunk’s Enterprise Security, the Cb Response App for Splunk also provides Adaptive Response Actions to take action automatically based on the result of Correlation Searches and on an ad-hoc basis on Notable Events surfaced within Splunk ES.
These pre-built dashboards provide you a quick check on the health of your Cb server, status of your Cb Response deployment, and an overview of the detected threats on your network. Eight example dashboards are distributed with this app; not all of these may be populated with data depending on what events are being forwarded to Splunk via the Cb Event Forwarder
Provides a quick overview including the number of sensors reporting alerts and the top feed and watchlist hits across the enterprise.
Search the Cb Response binary holdings via the binarysearch
custom command.
Search the processes tracked by Cb Response via the processsearch
custom command.
Produce a simple timeline of events given a Cb Response process GUID.
Search endpoints tracked by Cb Response via the sensorsearch
custom command.
Display information about the total number of reported sensors, OS and Cb Response agent version distribution across all endpoints.
Show visualizations related to incoming and outgoing network connections recorded by Cb Response. Note that this view is only populated if netconn events are forwarded via the Cb Event Forwarder.
Display information about attempts to execute banned processes, and information on new executables and shared libraries discovered by Cb Response.
These commands can be used in your Splunk pipeline to use the power of Splunk’s visualization and searching capability against Cb Response data, without ingesting all of the raw endpoint data into Splunk itself.
sensorsearch
: Search for sensors in your Cb Response server by IP address or hostname
processsearch
: Search for processes in your Cb Response server
binarysearch
: Search for binaries in your Cb Response server
Splunk’s new Adaptive Response capability now allows you to take action straight from the Splunk console. The Cb Response Splunk app currently includes three Adaptive Response Alert Actions that allow you to take action either as a result of automated Correlation Searches or on an ad-hoc basis through the Splunk Enterprise Security Incident Review page.
Kill a given process that is actively running on an endpoint running the Cb Response sensor. The process must be identified by a Cb Response event ID. Killing processes allow the security analyst to quickly respond to attackers who may be using tools that cannot otherwise be banned by hash (for example, reusing a legitimate administrative tool for malicious purposes).
Ban a given MD5 hash from executing on any host running the Cb Response sensor. The MD5 hash can be specified by a custom hash field. This allows incident responders to quickly respond to evolving threats by keeping attackers’ tools from executing while the threat can be properly remediated and the attacker expelled from the network.
isolate a given endpoint from the network. The endpoint to isolate can be specified by either a custom IP address field (shown below) or a sensor ID that’s provided in Carbon Black Response events plumbed through to Splunk. Network isolation is useful when malware is active on an endpoint, and you need to perform further investigative tasks (for example, retrieving files or killing processes through Carbon Black Live Response) remotely from your management console, but at the same time prevent any connections to active C2 or exfiltration of sensitive data.
Included in this release are 58 saved searches to jump-start Threat Hunting from within the Splunk environment, thanks to community contributions from Mike Haag and others.
This app includes workflow actions to provide additional context from Cb Response on events originated from any product that pushes data into your Splunk server. These context menu items include:
Deep links into the Cb Response server for any event originated from a Cb Response sensor. Allows you to access the powerful process tree and other data available from Cb Response from a single link inside Splunk.
Search the Cb Response server for processes associated with a given IP address or MD5 hash from any event in Splunk.
Search the Cb Response server for detailed endpoint information associated with a given IP address from any event in Splunk.
Published by the Carbon Black Developer Network
Source code available on github: https://github.com/carbonblack/cb-response-splunk-app
Many thanks to Mike Haag and Kyle Champlin