EDR App for Splunk 2.0.0 Released

Posted on September 27, 2016


The EDR App for Splunk allows administrators to leverage the industry’s leading EDR solution to see, detect and take action upon endpoint activity from directly within Splunk. Once installed, the App will allow administrators to access many of the powerful features of Carbon Black, such as process and binary searches from within and in conjunction with Splunk.

When used along side Splunk’s Enterprise Security, the EDR App for Splunk also provides Adaptive Response Actions to take action automatically based on the result of Correlation Searches and on an ad-hoc basis on Notable Events surfaced within Splunk ES.

Available on Splunkbase under CB Response App for Splunk

Version 2.0.0 Features

Dashboards

These pre-built dashboards provide you a quick check on the health of your Cb server, status of your EDR deployment, and an overview of the detected threats on your network. Eight example dashboards are distributed with this app; not all of these may be populated with data depending on what events are being forwarded to Splunk via the Cb Event Forwarder

Overview

Provides a quick overview including the number of sensors reporting alerts and the top feed and watchlist hits across the enterprise.

Search the EDR binary holdings via the binarysearch custom command.

Search the processes tracked by EDR via the processsearch custom command.

Process Timeline

Produce a simple timeline of events given a EDR process GUID.

Search endpoints tracked by EDR via the sensorsearch custom command.

EDR Endpoint Status:

Display information about the total number of reported sensors, OS and EDR agent version distribution across all endpoints.

EDR Network Overview

Show visualizations related to incoming and outgoing network connections recorded by EDR. Note that this view is only populated if netconn events are forwarded via the Cb Event Forwarder.

EDR Binary Status

Display information about attempts to execute banned processes, and information on new executables and shared libraries discovered by EDR.

Custom Commands

These commands can be used in your Splunk pipeline to use the power of Splunk’s visualization and searching capability against EDR data, without ingesting all of the raw endpoint data into Splunk itself.

  • sensorsearch: Search for sensors in your EDR server by IP address or hostname

  • processsearch: Search for processes in your EDR server

  • binarysearch: Search for binaries in your EDR server

Adaptive Response Alert Actions

Splunk’s new Adaptive Response capability now allows you to take action straight from the Splunk console. The EDR Splunk app currently includes three Adaptive Response Alert Actions that allow you to take action either as a result of automated Correlation Searches or on an ad-hoc basis through the Splunk Enterprise Security Incident Review page.

Kill Process

Kill a given process that is actively running on an endpoint running the EDR sensor. The process must be identified by a EDR event ID. Killing processes allow the security analyst to quickly respond to attackers who may be using tools that cannot otherwise be banned by hash (for example, reusing a legitimate administrative tool for malicious purposes).

Ban MD5 Hash

Ban a given MD5 hash from executing on any host running the EDR sensor. The MD5 hash can be specified by a custom hash field. This allows incident responders to quickly respond to evolving threats by keeping attackers’ tools from executing while the threat can be properly remediated and the attacker expelled from the network.

Isolate Sensor

isolate a given endpoint from the network. The endpoint to isolate can be specified by either a custom IP address field (shown below) or a sensor ID that’s provided in Carbon Black EDR events plumbed through to Splunk. Network isolation is useful when malware is active on an endpoint, and you need to perform further investigative tasks (for example, retrieving files or killing processes through Carbon Black Live Response) remotely from your management console, but at the same time prevent any connections to active C2 or exfiltration of sensitive data.

Saved Searches

Included in this release are 58 saved searches to jump-start Threat Hunting from within the Splunk environment, thanks to community contributions from Mike Haag and others.

Workflow Actions

This app includes workflow actions to provide additional context from EDR on events originated from any product that pushes data into your Splunk server. These context menu items include:

Deep links into the EDR server for any event originated from an EDR sensor. Allows you to access the powerful process tree and other data available from EDR from a single link inside Splunk.

Process search by IP, MD5

Search the EDR server for processes associated with a given IP address or MD5 hash from any event in Splunk.

Sensor info by IP

Search the EDR server for detailed endpoint information associated with a given IP address from any event in Splunk.

Available on Splunkbase under CB Response App for Splunk

Published by the Carbon Black Developer Network

Source code available on github: https://github.com/carbonblack/cb-response-splunk-app

Many thanks to Mike Haag and Kyle Champlin