Carbon Black Cloud Splunk App

Overview

The VMware Carbon Black Cloud App for Splunk is a single application to integrate your endpoint and workload security features and telemetry directly into Splunk dashboards, workflows and alert streams.

This application connects with any Carbon Black Cloud offering and replaces the existing product-specific Carbon Black Cloud apps for Splunk. This app provides a unified solution to integrate Carbon Black Cloud Endpoint and Workload offerings with Splunk Enterprise, Splunk Cloud, and Splunk Enterprise Security (ES). Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk.

Before You Get Started

Think about what data you want to pull from Carbon Black Cloud into Splunk to determine which inputs to use. The available inputs are:

Alerts: available via API (regular polling) or Data Forwarder (streaming from AWS S3+SQS)
- Note: In v2.0.0 of the app, these inputs were upgraded to the v7 API and Forwarder Schema v2. See these blogs for more information about the benefits of the Alert v7 API and Data Forwarder Alert Schema v2.
- See the Release Notes for the benefits in the Splunk App
Audit Logs: available via API input
Auth Events: available via API input
Endpoint Events: available via Data Forwarder (streaming from AWS S3)
Live Query Results: available via API input
Vulnerabilities: available via API input
Watchlist Hits: available via Data Forwarder (streaming from AWS S3)

Requirements

Splunk Enterprise 8.1, 8.2, 9.0 or Splunk Cloud
Splunk CIM Add-on
Some inputs require specific Carbon Black Cloud features

Note: To see what's currently enabled in your environment, log in to the Carbon Black Cloud console. Click on your name in the upper-right. An 'Enabled' tag will appear next to any product feature that is available.

Use Cases

This app realizes many key SOC use cases, from conventional SIEM to XDR:

Use Splunk as a single pane of glass for your Carbon Black Cloud alerts
- Triage and investigate from Splunk, or pivot back to the Carbon Black Cloud console
Automate workflows with built-in SOAR capabilities
- Enrich alerts with event or process context
- Kick off Live Response and Live Query actions to gather information directly from endpoints
- Remediate critical issues by killing a process or banning hashes from future execution
Bring full EDR visibility to Splunk
- Endpoint Events enable your SOC to perform threat hunting, conduct forensic investigations, and build custom analytics

Support and Resources

App Installation and Configuration
FAQ & Troubleshooting
Release Notes
Support - Please use the instructions below to generate Diagnostics and include them in your support case.
User Guide
Useful Splunk Queries
View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
Access questions and answers specific to the VMware Carbon Black Cloud app at https://answers.splunk.com. Be sure to tag your question with VMware Carbon Black Cloud Splunk App.
Useful Queries on Tech Zone
Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.

Diagnostics Generation

Please include a support diagnostic file when creating a support ticket. Use the following command to generate the file based on which Splunk app or add-on is installed. Send the resulting file to support.

$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:IA-vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:TA-vmware_app_for_splunk

Give Feedback

New survey coming soon!

Last modified on January 26, 2024

Carbon Black Cloud

Page Contents