Cb Response App for Splunk 2.0.0 Released

Posted on September 27, 2016

The Cb Response App for Splunk allows administrators to leverage the industry’s leading EDR solution to see, detect and take action upon endpoint activity from directly within Splunk. Once installed, the App will allow administrators to access many of the powerful features of Carbon Black, such as process and binary searches from within and in conjunction with Splunk.

When used along side Splunk’s Enterprise Security, the Cb Response App for Splunk also provides Adaptive Response Actions to take action automatically based on the result of Correlation Searches and on an ad-hoc basis on Notable Events surfaced within Splunk ES.

Cb Response App for Splunk

Version 2.0.0 Features


These pre-built dashboards provide you a quick check on the health of your Cb server, status of your Cb Response deployment, and an overview of the detected threats on your network. Eight example dashboards are distributed with this app; not all of these may be populated with data depending on what events are being forwarded to Splunk via the Cb Event Forwarder


Provides a quick overview including the number of sensors reporting alerts and the top feed and watchlist hits across the enterprise.

Search the Cb Response binary holdings via the binarysearch custom command.

Search the processes tracked by Cb Response via the processsearch custom command.

Process Timeline

Produce a simple timeline of events given a Cb Response process GUID.

Search endpoints tracked by Cb Response via the sensorsearch custom command.

Cb Response Endpoint Status:

Display information about the total number of reported sensors, OS and Cb Response agent version distribution across all endpoints.

Cb Response Network Overview

Show visualizations related to incoming and outgoing network connections recorded by Cb Response. Note that this view is only populated if netconn events are forwarded via the Cb Event Forwarder.

Cb Response Binary Status

Display information about attempts to execute banned processes, and information on new executables and shared libraries discovered by Cb Response.

Custom Commands

These commands can be used in your Splunk pipeline to use the power of Splunk’s visualization and searching capability against Cb Response data, without ingesting all of the raw endpoint data into Splunk itself.

  • sensorsearch: Search for sensors in your Cb Response server by IP address or hostname

  • processsearch: Search for processes in your Cb Response server

  • binarysearch: Search for binaries in your Cb Response server

Adaptive Response Alert Actions

Splunk’s new Adaptive Response capability now allows you to take action straight from the Splunk console. The Cb Response Splunk app currently includes three Adaptive Response Alert Actions that allow you to take action either as a result of automated Correlation Searches or on an ad-hoc basis through the Splunk Enterprise Security Incident Review page.

Kill Process

Kill a given process that is actively running on an endpoint running the Cb Response sensor. The process must be identified by a Cb Response event ID. Killing processes allow the security analyst to quickly respond to attackers who may be using tools that cannot otherwise be banned by hash (for example, reusing a legitimate administrative tool for malicious purposes).

Ban MD5 Hash

Ban a given MD5 hash from executing on any host running the Cb Response sensor. The MD5 hash can be specified by a custom hash field. This allows incident responders to quickly respond to evolving threats by keeping attackers’ tools from executing while the threat can be properly remediated and the attacker expelled from the network.

Isolate Sensor

isolate a given endpoint from the network. The endpoint to isolate can be specified by either a custom IP address field (shown below) or a sensor ID that’s provided in Carbon Black Response events plumbed through to Splunk. Network isolation is useful when malware is active on an endpoint, and you need to perform further investigative tasks (for example, retrieving files or killing processes through Carbon Black Live Response) remotely from your management console, but at the same time prevent any connections to active C2 or exfiltration of sensitive data.

Saved Searches

Included in this release are 58 saved searches to jump-start Threat Hunting from within the Splunk environment, thanks to community contributions from Mike Haag and others.

Workflow Actions

This app includes workflow actions to provide additional context from Cb Response on events originated from any product that pushes data into your Splunk server. These context menu items include:

Deep links into the Cb Response server for any event originated from a Cb Response sensor. Allows you to access the powerful process tree and other data available from Cb Response from a single link inside Splunk.

Process search by IP, MD5

Search the Cb Response server for processes associated with a given IP address or MD5 hash from any event in Splunk.

Sensor info by IP

Search the Cb Response server for detailed endpoint information associated with a given IP address from any event in Splunk.

Cb Response App for Splunk

Published by the Carbon Black Developer Network

Source code available on github: https://github.com/carbonblack/cb-response-splunk-app

Many thanks to Mike Haag and Kyle Champlin