Carbon Black Cloud Splunk App


The VMware Carbon Black Cloud App for Splunk is a single application to integrate your endpoint and workload security features and telemetry directly into Splunk dashboards, workflows and alert streams.

This application connects with any Carbon Black Cloud offering and replaces the existing product-specific Carbon Black Cloud apps for Splunk. This app provides a unified solution to integrate Carbon Black Cloud Endpoint and Workload offerings with Splunk Enterprise, Splunk Cloud, and Splunk Enterprise Security (ES). Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk.

Before You Get Started

Think about what data you want to pull from Carbon Black Cloud into Splunk to determine which inputs to use. The available inputs are:

  • Alerts: available via API (regular polling) or Data Forwarder (streaming from AWS S3+SQS)
  • Audit Logs: available via API input
  • Auth Events: available via API input
  • Endpoint Events: available via Data Forwarder (streaming from AWS S3)
  • Live Query Results: available via API input
  • Vulnerabilities: available via API input
  • Watchlist Hits: available via Data Forwarder (streaming from AWS S3)


  • Splunk Enterprise 8.1, 8.2, 9.0 or Splunk Cloud
  • Splunk CIM Add-on
  • Some inputs require specific Carbon Black Cloud features

Note: To see what's currently enabled in your environment, log in to the Carbon Black Cloud console. Click on your name in the upper-right. An 'Enabled' tag will appear next to any product feature that is available.

Use Cases

This app realizes many key SOC use cases, from conventional SIEM to XDR:

  • Use Splunk as a single pane of glass for your Carbon Black Cloud alerts
    • Triage and investigate from Splunk, or pivot back to the Carbon Black Cloud console
  • Automate workflows with built-in SOAR capabilities
    • Enrich alerts with event or process context
    • Kick off Live Response and Live Query actions to gather information directly from endpoints
    • Remediate critical issues by killing a process or banning hashes from future execution
  • Bring full EDR visibility to Splunk
    • Endpoint Events enable your SOC to perform threat hunting, conduct forensic investigations, and build custom analytics

Support and Resources

Diagnostics Generation

Please include a support diagnostic file when creating a support ticket. Run the command below that matches the Splunk app or add-on you have installed, then send the resulting file to support.

$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:IA-vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:TA-vmware_app_for_splunk
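To avoid guessing which of the three commands applies on a given Splunk instance, the helper below (an added example, not part of the app or its documentation) checks which of the app IDs named above is present and runs diag only for those. It assumes apps are installed under the standard $SPLUNK_HOME/etc/apps directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pick the diag command(s) matching what is actually installed.
# The three app IDs are the ones named on this page.
CBC_APP_IDS="vmware_app_for_splunk IA-vmware_app_for_splunk TA-vmware_app_for_splunk"

# Print the ID of each Carbon Black Cloud app/add-on found under
# <splunk_home>/etc/apps (assumed standard Splunk app location).
installed_cbc_apps() {
    splunk_home=$1
    for app in $CBC_APP_IDS; do
        if [ -d "$splunk_home/etc/apps/$app" ]; then
            printf '%s\n' "$app"
        fi
    done
}

# Dry run: print the diag command line for each installed app, run nothing.
diag_commands() {
    splunk_home=$1
    installed_cbc_apps "$splunk_home" | while IFS= read -r app; do
        printf '%s/bin/splunk diag --collect=app:%s\n' "$splunk_home" "$app"
    done
}

# Run diag once per installed app. Returns 1 if none of the three is present
# or if a diag run fails.
collect_cbc_diags() {
    splunk_home=${1:?usage: collect_cbc_diags <SPLUNK_HOME>}
    apps=$(installed_cbc_apps "$splunk_home")
    if [ -z "$apps" ]; then
        echo "no Carbon Black Cloud app or add-on under $splunk_home/etc/apps" >&2
        return 1
    fi
    for app in $apps; do
        "$splunk_home/bin/splunk" diag --collect="app:$app" || return 1
    done
}

# Typical use on the Splunk host:
#   diag_commands "$SPLUNK_HOME"       # review what would run
#   collect_cbc_diags "$SPLUNK_HOME"   # generate the diag file(s)
```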


Last modified on January 26, 2024