EDR App for Splunk 2.0.0 Released
Posted on September 27, 2016
The EDR App for Splunk allows administrators to leverage the industry’s leading EDR solution to see, detect and take action upon endpoint activity from directly within Splunk. Once installed, the App will allow administrators to access many of the powerful features of Carbon Black, such as process and binary searches from within and in conjunction with Splunk.
When used along side Splunk’s Enterprise Security, the EDR App for Splunk also provides Adaptive Response Actions to take action automatically based on the result of Correlation Searches and on an ad-hoc basis on Notable Events surfaced within Splunk ES.
Available on Splunkbase under CB Response App for Splunk
Version 2.0.0 Features
Dashboards
These pre-built dashboards provide you a quick check on the health of your Cb server, status of your EDR deployment, and an overview of the detected threats on your network. Eight example dashboards are distributed with this app; not all of these may be populated with data depending on what events are being forwarded to Splunk via the Cb Event Forwarder
Overview
Provides a quick overview including the number of sensors reporting alerts and the top feed and watchlist hits across the enterprise.
Binary Search
Search the EDR binary holdings via the binarysearch custom command.
Process Search
Search the processes tracked by EDR via the processsearch custom command.
Process Timeline
Produce a simple timeline of events given a EDR process GUID.
Sensor Search
Search endpoints tracked by EDR via the sensorsearch custom command.
EDR Endpoint Status:
Display information about the total number of reported sensors, OS and EDR agent version distribution across all endpoints.
EDR Network Overview
Show visualizations related to incoming and outgoing network connections recorded by EDR. Note that this view is only populated if netconn events are forwarded via the Cb Event Forwarder.
EDR Binary Status
Display information about attempts to execute banned processes, and information on new executables and shared libraries discovered by EDR.
Custom Commands
These commands can be used in your Splunk pipeline to use the power of Splunk’s visualization and searching capability against EDR data, without ingesting all of the raw endpoint data into Splunk itself.
-
sensorsearch: Search for sensors in your EDR server by IP address or hostname -
processsearch: Search for processes in your EDR server -
binarysearch: Search for binaries in your EDR server
Adaptive Response Alert Actions
Splunk’s new Adaptive Response capability now allows you to take action straight from the Splunk console. The EDR Splunk app currently includes three Adaptive Response Alert Actions that allow you to take action either as a result of automated Correlation Searches or on an ad-hoc basis through the Splunk Enterprise Security Incident Review page.
Kill Process
Kill a given process that is actively running on an endpoint running the EDR sensor. The process must be identified by a EDR event ID. Killing processes allow the security analyst to quickly respond to attackers who may be using tools that cannot otherwise be banned by hash (for example, reusing a legitimate administrative tool for malicious purposes).
Ban MD5 Hash
Ban a given MD5 hash from executing on any host running the EDR sensor. The MD5 hash can be specified by a custom hash field. This allows incident responders to quickly respond to evolving threats by keeping attackers’ tools from executing while the threat can be properly remediated and the attacker expelled from the network.
Isolate Sensor
isolate a given endpoint from the network. The endpoint to isolate can be specified by either a custom IP address field (shown below) or a sensor ID that’s provided in Carbon Black EDR events plumbed through to Splunk. Network isolation is useful when malware is active on an endpoint, and you need to perform further investigative tasks (for example, retrieving files or killing processes through Carbon Black Live Response) remotely from your management console, but at the same time prevent any connections to active C2 or exfiltration of sensitive data.
Saved Searches
Included in this release are 58 saved searches to jump-start Threat Hunting from within the Splunk environment, thanks to community contributions from Mike Haag and others.
Workflow Actions
This app includes workflow actions to provide additional context from EDR on events originated from any product that pushes data into your Splunk server. These context menu items include:
Deep links
Deep links into the EDR server for any event originated from an EDR sensor. Allows you to access the powerful process tree and other data available from EDR from a single link inside Splunk.
Process search by IP, MD5
Search the EDR server for processes associated with a given IP address or MD5 hash from any event in Splunk.
Sensor info by IP
Search the EDR server for detailed endpoint information associated with a given IP address from any event in Splunk.
Available on Splunkbase under CB Response App for Splunk
Published by the Carbon Black Developer Network
Many thanks to Mike Haag and Kyle Champlin