Endpoint Standard App for Splunk 1.0.0 Released

Posted on March 14, 2018


The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for Endpoint Standard. This app is available for download now from Splunkbase under CB Defense Add-On for Splunk.

This first release includes pre-built visualizations from Cb, that provide an overview of Endpoint Standard environments as well as dashboards to search through threat and policy notifications, view and manipulate device status, etc.

  • Endpoint Standard Overview Dashboard
    • Comprehensive Overview of your Endpoint Standard data in Splunk
    • view total detections, policy actions, rare applications
    • triage threats by severity
  • Threat Search
    • geoip map of threats based on severity
    • additional table of threat information
    • searchable (SPL) to isolate threat events of interest
  • Policy Action Search
    • geoip map of Policy Actions by reputation
    • tabular display of policy activities
    • searchable (SPL) to isolate policy events of interest
  • Login Map (Splunk)
    • geoip map and table of Logins (attempted and successful) to Splunk instances
  • Device Search
    • powered by the devicesearch custom search command
    • uses the Endpoint Standard REST API to retrieve device status information
    • geoip map of devices by external IPs + table of the same
    • enter a device query to filter results like ‘hostname:WIN-1984VBRULES’ or ‘ipAddress:172.17.178.1’

All of which are customizable and extensible by the user.

Initial Adaptive Response Actions:

  1. Change Endpoint Standard Device Policy
    • Splunk operators can change Endpoint Standard Device’s Security Policy using Adaptive Response Actions, if configured.
    • Devices matching a certain identified field (IP, Hostname, devcieId) will be moved to the configured policy
    • Supports both ad-hoc and normal invocation as alerts, ESS incident review, correlated searches, etc

Requirements

  1. Endpoint Standard
  2. Splunk 6.6+
  3. Endpoint Standard, CB Defense Add-On for Splunk
  4. (Recommended) Enterprise Security App for Splunk

No additional hardware requirements are necessary for running this app above the standard requirements for both Carbon Black and Splunk.

Prerequisites

  1. You have configured a security policy in Endpoint Standard and configured SIEM, API type api keys and connector Id’s for use with Splunk.
  2. Endpoint Standard, CB Defense Add-on For Splunkis installed and configured
    • CB Developer Network
    • You have configured the Endpoint Standard Add-On for Splunk with appropriate SIEM type connector credentials

Getting Started

  1. Install the Endpoint Standard App for Splunk from Splunkbase

  2. Configure the Endpoint Standard App for Splunk

    1. Select ‘manage apps’ using the gear settings icon on the left hand navigation pane in Splunk UI
    2. Select the Endpoint Standard App for Splunk and select ‘setup app’
    3. Enter your API key and connector ID of type API
    4. Click “Perform Setup” on the Endpoint Standard App Setup Page
  3. (OPTIONAL) - Configure the cbdefense macro to point to your indexes - by default the app will search all available indices.

Feedback

Contact dev-relations@carbonblack.com.

  • or better yet open an issue or make a pull request on GitHub!