Announcing Carbon Black Cloud App for Splunk 2.0.0
Posted on January 26, 2024
We’re pleased to announce version 2.0.0 of the Carbon Black Cloud App for Splunk. This is a feature release that makes use of the Alerts v7 API and Alert Forwarder Schema v2. All API configuration now uses a custom API key which improves security posture and simplifies configuration.
There are some breaking changes, so check out the Upgrade Guide before you install the new version of the app.
New Features
- Upgraded to use the Alerts v7 API & Data Forwarder Schema v2
- Customers using the built-in alert input will have access to significantly improved metadata and alert types. A complete list of new, renamed, and removed fields is available in the Migration Guide.
- See these blogs for more information about the benefits of the Alert v7 API and Data Forwarder Alert Schema v2.
- Some customers may see a decrease in alert volume, as Observed alerts have migrated to Observations.
- In the CBC Splunk app 1.x, these alerts were denoted by category = MONITORED
- All Alert types are ingested: CB Analytics, Container Runtime, Watchlist, Device Control, Host Based Firewall, Intrusion Detection System
- New action to enrich Carbon Black Cloud Alerts with Observations
Breaking Changes
Version 2.0 contains breaking changes. See Before you Upgrade to Splunk SIEM 2.0.0 before starting your upgrade.
Breaking Changes:
- Alerts ingest has been changed to Alert API v7 and Data Forwarder Alert Schema v2. Some fields in the earlier versions have been renamed or removed from the new versions.
- Live Response alert actions require an API key with an Access Level of type CUSTOM.
- Audit Log ingest should be updated during this update to use an API key with an Access Level of type CUSTOM. It must be updated before October 31, 2024, when the Access Level type API will be deactivated.
- The Alert Action Enrich CB Analytics Event has been deprecated and will be deactivated September 5, 2024. The action VMware CBC Enrich Alert Observations has been added and can enrich more Alert types.
Improvements
- Live Response alert actions now use a Custom API key. This enables improved security posture by granting API keys only the permissions required.
- Audit Log ingest now uses a Custom API key. This enables improved security posture by granting API keys only the permissions required.
Note: See Authentication & Authorization in the Installation and Configuration Guide for more information.
Upgrade instructions
The release notes include upgrade instructions by stage.
- Before you Upgrade to Splunk SIEM 2.0.0
  - Decisions on which features to enable
  - Actions to be taken prior to updating the Splunk App. These are mostly setting up API keys with new permissions in Carbon Black Cloud.
-
  - How to install the app from SplunkBase
- What to do after installing v2.0.0
  - Configure API keys for Actions and Ingest
  - Configure Alert types to ingest
- What to do after data begins to be ingested
  - Verify data is being ingested and actions work
  - Troubleshoot if necessary
Resources:
- Splunk v2.0.0 Video Walkthrough
- Release Notes
- App Installation and Configuration
- User Guide
- FAQ & Troubleshooting
- Useful Splunk Queries
- Useful Queries on Tech Zone
- User Guides for Previous App Versions
Have questions or feedback?
- Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community
- Report bugs and change requests to Carbon Black Support
- Subscribe to the Developer Network Newsletter