CB Defense App for Splunk 1.0.0 Released

Posted on March 14, 2018

The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for CB Defense. This app is available for download now from Splunkbase.

This first release includes pre-built visualizations from Cb, that provide an overview of CB Defense environments as well as dashboards to search through threat and policy notifications, view and manipulate device status, etc.

  • CB Defense Overview Dashboard
    • Comprehensive Overview of your CB Defense data in Splunk
    • view total detections, policy actions, rare applications
    • triage threats by severity
  • Threat Search
    • geoip map of threats based on severity
    • additional table of threat information
    • searchable (SPL) to isolate threat events of interest
  • Policy Action Search
    • geoip map of Policy Actions by reputation
    • tabular display of policy activities
    • searchable (SPL) to isolate policy events of interest
  • Login Map (Splunk)
    • geoip map and table of Logins (attempted and successful) to Splunk instances
  • Device Search
    • powered by the devicesearch custom search command
    • uses the CB Defense REST API to retrieve device status information
    • geoip map of devices by external IPs + table of the same
    • enter a device query to filter results like ‘hostname:WIN-1984VBRULES’ or ‘ipAddress:’

All of which are customizable and extensible by the user.

Initial Adaptive Response Actions:

  1. Change CB Defense Device Policy
    • Splunk operators can change CB Defense Device’s Security Policy using Adaptive Response Actions, if configured.
    • Devices matching a certain identified field (IP, Hostname, devcieId) will be moved to the configured policy
    • Supports both ad-hoc and normal invocation as alerts, ESS incident review, correlated searches, etc


  1. CB Defense
  2. Splunk 6.6+
  3. CB Defense Add-On for Splunk
  4. (Recommended) Enterprise Security App for Splunk

No additional hardware requirements are necessary for running this app above the standard requirements for both Carbon Black and Splunk.


  1. You have configured a security policy in CB Defense and configured SIEM, API type api keys and connector Id’s for use with Splunk.
  2. CB Defense Add-on For Splunkis installed and configured
    • CB Developer Network
    • You have configured the CB Defense Add-On for Splunk with appropriate SIEM type connector credentials

Getting Started

  1. Install the CB Defense App for Splunk from Splunkbase
  2. Configure the CB Defense App for Splunk

    1. Select ‘manage apps’ using the gear settings icon on the left hand navigation pane in Splunk UI
    2. Select the CB Defense App for Splunk and select ‘setup app’
    3. Enter your API key and connector ID of type API
    4. Click “Perform Setup” on the CB Defense App Setup Page
  3. (OPTIONAL) - Configure the cbdefense macro to point to your indexes - by default the app will search all available indices.


Contact dev-relations@carbonblack.com. - or better yet open an issue or make a pull request on GitHub!