Carbon Black Cloud Splunk App
Overview
The VMware Carbon Black Cloud App for Splunk is a single application to integrate your endpoint and workload security features and telemetry directly into Splunk dashboards, workflows and alert streams.
This application connects with any Carbon Black Cloud offering and replaces the existing product-specific Carbon Black Cloud apps for Splunk. This app provides a unified solution to integrate Carbon Black Cloud Endpoint and Workload offerings with Splunk Enterprise, Splunk Cloud, and Splunk Enterprise Security (ES). Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk.
Before You Get Started
Think about what data you want to pull from Carbon Black Cloud into Splunk to determine which inputs to use. The available inputs are:
- Alerts: available via API (regular polling) or Data Forwarder (streaming from AWS S3 with SQS notifications)
  - Note: In v2.0.0 of the app, the Alerts inputs were upgraded to the Alerts v7 API and Data Forwarder Alert Schema v2. See the VMware Carbon Black blog posts on the Alerts v7 API and Data Forwarder Alert Schema v2 for the benefits of each.
  - See the Release Notes for what changed in the Splunk App itself.
- Audit Logs: available via API input
- Auth Events: available via API input
- Endpoint Events: available via Data Forwarder (streaming from AWS S3)
- Live Query Results: available via API input
- Vulnerabilities: available via API input
- Watchlist Hits: available via Data Forwarder (streaming from AWS S3)
Requirements
- Splunk Enterprise 8.1, 8.2, 9.0 or Splunk Cloud
- Splunk CIM Add-on
- Some inputs require specific Carbon Black Cloud features; for example, the Endpoint Events and Watchlist Hits inputs need a configured Data Forwarder, and the Alerts Data Forwarder input needs an S3 bucket with SQS notifications
Use Cases
This app realizes many key SOC use cases, from conventional SIEM to XDR:
- Use Splunk as a single pane of glass for your Carbon Black Cloud alerts
  - Triage and investigate from Splunk, or pivot back to the Carbon Black Cloud console
  - Automate workflows with built-in SOAR capabilities
  - Enrich alerts with event or process context
  - Kick off Live Response and Live Query actions to gather information directly from endpoints
  - Remediate critical issues by killing a process or banning hashes from future execution
- Bring full EDR visibility to Splunk
  - Endpoint Events enable your SOC to perform threat hunting, conduct forensic investigations, and build custom analytics
Support and Resources
- Support: use the Diagnostics Generation instructions below to generate a diagnostic file and include it in your support case.
- View all API and integration offerings on the Developer Network, along with reference documentation, video tutorials, and how-to guides.
- Access questions and answers specific to the VMware Carbon Black Cloud app at https://answers.splunk.com. Be sure to tag your question with VMware Carbon Black Cloud Splunk App.
- Useful Queries on Tech Zone
- Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
Diagnostics Generation
Please include a support diagnostic file when creating a support ticket. Run the command that matches the package you have installed (the app, the IA input add-on, or the TA add-on); if more than one is installed, run one command per package. Send the resulting file(s) to support.
$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:IA-vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:TA-vmware_app_for_splunk
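The following script is an added example and is not part of the Carbon Black Cloud app. It detects which of the three packages are installed by looking for their directories under $SPLUNK_HOME/etc/apps (the standard Splunk layout, assumed here) and runs the matching diag command from above for each one, so you do not send a diag for a package that is not present and do not miss one that is. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Carbon Black Cloud Splunk App).
# Assumes the standard Splunk layout: apps live under $SPLUNK_HOME/etc/apps
# and the CLI is $SPLUNK_HOME/bin/splunk.

# Print one `app:<name>` collect target per Carbon Black Cloud package found
# in the apps directory given as $1. Returns non-zero when none is installed.
cbc_diag_targets() {
    apps_dir="$1"
    found=0
    for name in vmware_app_for_splunk IA-vmware_app_for_splunk TA-vmware_app_for_splunk; do
        if [ -d "$apps_dir/$name" ]; then
            echo "app:$name"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Run `splunk diag --collect=app:<name>` once per installed package.
# $1 overrides SPLUNK_HOME (default /opt/splunk when neither is set).
cbc_generate_diags() {
    splunk_home="${1:-${SPLUNK_HOME:-/opt/splunk}}"
    targets=$(cbc_diag_targets "$splunk_home/etc/apps") || {
        echo "no Carbon Black Cloud app or add-on found under $splunk_home/etc/apps" >&2
        return 1
    }
    for target in $targets; do
        echo "generating diag for $target" >&2
        "$splunk_home/bin/splunk" diag --collect="$target" || return 1
    done
}

# Usage (on the Splunk host): cbc_generate_diags            # uses $SPLUNK_HOME
#                             cbc_generate_diags /opt/splunk
```

The diag archive is written to the location Splunk's diag command uses by default; attach every archive the script produces to the support case.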
Give Feedback
New survey coming soon!
Last modified on January 26, 2024