Video: Splunk Integration Tutorial

Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.


Quick Links:

  • EDR Event Forwarder Configuration
  • Splunk Configuration
  • Splunk Universal Forwarder Configuration

In this tutorial we will learn how to configure the EDR event forwarder, the Splunk Universal Forwarder, and Splunk in order to view EDR events within the Splunk interface.

Before You Begin

What events would you like to forward from Carbon Black EDR to Splunk? By default, the Event Forwarder will send watchlist & feed hits to Splunk. Additionally, you can choose to forward any of the event types collected by EDR to your Splunk server, including process spawn events, network connections, file modifications, registry modifications, and more.

Of course, adding event types will greatly increase the event rate into Splunk. As a rough order of magnitude, a typical Windows endpoint generates anywhere between 2-10 events per second, and each event averages between 200-500 bytes in length. If you are considering enabling several endpoint event types, it’s highly recommended to install the event forwarder on a machine separate from your Carbon Black server and also save the output to disk for a few days in order to estimate the flow size before enabling forwarding into Splunk.

Summary

On the EDR server, install the following items:

On the Splunk server, install:

Last modified on September 27, 2016