Announcing Carbon Black Cloud App for Splunk 2.0.0

Posted on January 26, 2024


We’re pleased to announce version 2.0.0 of the Carbon Black Cloud App for Splunk. This is a feature release that makes use of the Alerts v7 API and Alert Forwarder Schema v2. All API configuration now uses a custom API key which improves security posture and simplifies configuration.

There are some breaking changes, so check out the Upgrade Guide before you install the new version of the app.

New Features

  • Upgraded to use the Alerts v7 API & Data Forwarder Schema v2
    • Customers using the built-in alert input will have access to significantly improved metadata and alert types. A complete list of new, renamed, and removed fields is available in the Migration Guide.
    • See these blogs for more information about the benefits of the Alert v7 API and Data Forwarder Alert Schema v2.
    • Some customers may see a decrease in alert volume, as Observed alerts have migrated to Observations.
      • In the CBC Splunk app 1.x, these alerts were denoted by category = MONITORED
    • All Alert types are ingested: CB Analytics, Container Runtime, Watchlist, Device Control, Host Based Firewall, Intrusion Detection System
  • New action to enrich Carbon Black Cloud Alerts with Observations

Breaking Changes

Version 2.0 contains breaking changes. See What to do before upgrading to v2.0.0 before starting your upgrade.

Breaking Changes:

  • Alerts ingest has been changed to Alert API v7 and Data Forwarder Alert Schema v2. Some fields in the earlier versions have been renamed or removed from the new versions.
  • Live Response alert actions require an API key with an Access Level of type CUSTOM.
  • Audit Log ingest should be reconfigured during this upgrade to use an API key with an Access Level of type CUSTOM. It must be updated before October 31, 2024, when the Access Level type API will be deactivated.
  • The Alert Action Enrich CB Analytics Event has been deprecated and will be deactivated July 31, 2024. The action VMwareCBC Enrich Alert Observations has been added and can enrich more Alert types.

Improvements

  • Live Response alert actions now use a Custom API key. This enables improved security posture by granting API keys only the permissions required.
  • Audit Log ingest now uses a Custom API key. This enables improved security posture by granting API keys only the permissions required.

Note: See Authentication & Authorization in the Installation and Configuration Guide for more information.

Upgrade instructions

The release notes include upgrade instructions by stage.

  1. What to do before upgrading to v2.0.0

    • Decisions on which features to enable
    • Actions to be taken prior to updating the Splunk App. These mostly involve setting up API keys with the new permissions in Carbon Black Cloud.
  2. Installing v2.0.0

    • How to install the app from SplunkBase
  3. What to do after installing v2.0.0

    • Configure API keys for Actions and Ingest
    • Configure Alert types to ingest
  4. What to do after data begins to be ingested

    • Verify data is being ingested and actions work
    • Troubleshoot if necessary
