The VMware Carbon Black Cloud App for Splunk is a single application to integrate your endpoint and workload security features and telemetry directly into Splunk dashboards, workflows and alert streams.

This application connects with any Carbon Black Cloud offering and replaces the existing product-specific Carbon Black apps for Splunk. This app provides a unified solution to integrate Carbon Black Cloud Endpoint and Workload offerings with Splunk Enterprise, Splunk Cloud, and Splunk Enterprise Security (ES). Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk.

Requirements

• Splunk Enterprise 8.0, 8.1 or Splunk Cloud
• If you are running Splunk 7, see 10. What version of Splunk is supported for Carbon Black Cloud in our FAQ section

Installation

• You can install the latest version from here.

Helpful Links

• Setup Video

FAQ

1. What features are included with the new Splunk app?

   • For the full list of features available in the current version of the app, view the details on SplunkBase.
   • Highlights of the features in this app:
     • Data Input
       • Support for high volume, low latency Alerts & Endpoint Events via the Event Forwarder
       • Support for Alerts, Audit Logs, Live Query Results, and Vulnerability Assessment data via a built-in input
     • Supported on Splunk 8.0, 8.1, Splunk Cloud, and Splunk ES 6.x
       • Proxy and Multi-tenancy
     • Enables alert actions & adaptive response to automate context gathering and remediation
       • For example, if Carbon Black Cloud detects LSASS memory scraping, automatically get the logged in users and move the device to a more restrictive policy

2. Is there is a way to bring in the Carbon Black Cloud audit logs to Splunk?

   • Yes.

3. Do we have a document outlining how to install & configure the new version of Splunk for Carbon Black Cloud?

   • The app documentation on Splunkbase (or in the “About” tab of the App post-install) contains a Deployment Guide and Getting Started section.
     
     
   • A video demoing the configuration is available here

4. Is it a requirement to use the event forwarder?

   • The Forwarder is the recommended approach for ingesting Alerts and Endpoint Events into Splunk, due to its reliability, scale, and low latency. This approach is required to ingest Endpoint Event data.
     
     The alternative is to use the built-in inputs packaged with the VMware Carbon Black Cloud App or Input Addon, which leverages the Carbon Black Cloud REST APIs. This approach supports ingesting the enriched events associated with CB Analytics Alerts through an Alert Action.

5. Can this Splunk App ingest only the Alerts and not the event data or the audit information?.

   • That is supported. The app does not require all of the data however parts of the dashboards may not be available if it relies on data types that are not ingested.

6. What is the URL that we should be using for API configuration?

   • When configuring the CBC Environment URL for API Token Configuration, use the dashboard URL without the https:// Full detail on the URLs for each environment are available here.

7. We are using an earlier Splunk TA which was last updated in 2015. Do you know if and when a new Splunk TA will be updated?

   • A new VMware Carbon Black Cloud app available on SplunkBase supports distributed environments and includes Input and Technology add-ons.
     It is recommended that customers who are on Splunk 8.0+ move to the new app to take advantage of improved data ingest options and a larger range of adaptive response features. Customers on Splunk 7.0 should remain on the existing apps until they upgrade Splunk.

8. Is there a limit to the number of alerts that are pulled on each sync?

   • Yes, 10,000
     If your organization has more than 10,000 alerts each polling interval, you can:
     • Tune alerts to reduce overall alert volume
       • CB Analytics alerts that are known-good in your environment can be tuned from the Carbon Black Cloud console “Dismiss all future alerts” functionality
       • Follow recommendations from here
   • Modify the configured Alert Input
     • Increase the minimum severity
     • Use the Query to filter out alerts you aren’t finding value in
     • Change the polling interval from the default of 300 seconds to 120 or 60 seconds.
   • Switch to ingesting Alerts via the Forwarder

9. Is there a limit to the number of Audit Logs that are pulled on each sync?

   • Yes, 2500.

10. What version of Splunk is supported for Carbon Black Cloud?

    • The new VMware Carbon Black Cloud App works with Endpoint Standard and Enterprise EDR, on Splunk version 8.0 or higher. If you are using Splunk version 7.x, you will need to upgrade the version of Splunk to use the new Carbon Black Cloud app.
      
      Splunk 7 customers can:
      • Continue to leverage legacy Splunk apps:

        • Endpoint Standard (fka CB Defense)

          • Endpoint Standard VMware Carbon Black Cloud App (3905)
          • Add-On- Endpoint Standard VMware Carbon Black Cloud (3545)

        • Enterprise EDR (fka CB ThreatHunter)

          • Enterprise EDR VMware Carbon Black Cloud App (4330)
      • Configure the Carbon Black Cloud Event Forwarder and Splunk Add-on for AWS
        • Configuration demo video

11. Do we have any Splunk documentation to reference for customers that wish to ingest the Carbon Black Cloud Event Forwarder data into Splunk?

    • An end-to-end configuration video is available on the Carbon Black User Exchange
    • A step-by-step guide on configuring ingest from an AWS S3 bucket to Splunk
    • Information on configuring and the forwarder for Events and Alerts is available here.

12. Does the app use the Splunk CIM?

    • Yes, it uses the Event and Alert models from the Splunk CIM.

13. Is the app certified by Splunk?

    • The app has been verified by AppInspect and is under assessment for Splunk Cloud.

14. What is the different between the “Message Time” and “Timestamp” field in Splunk?

    • Carbon Black Cloud alerts and events contain a variety of timestamps to provide insight into various stages of the data. For example, and alert will contain the timestamp of when the first event was detected as well as the most recent alert update.
      
      The App/TA will extract the most relevant timestamp field into the standard Splunk _time field.
      
      Descriptions of each timestamp can be found on the Developer Network documentation:
      • Alerts & Events via the Forwarder
      • Alerts via the built-in Input (Alerts API)

15. I’m not seeing the data I expect to be ingested.

    • Check the Administration –> Application Health Overview tab in the application.

16. I get 403 Forbidden errors, or something else that suggests I don’t have the right access for the API being called.

    • Check that the configuration of API Access Levels is correct in Carbon Black Cloud, and that the correct key is assigned for the Splunk data input or alert action. The correct configuration is in the Installation Guide.

17. How can I get support for problems I’m having with the App?

    • The Carbon Black Cloud Splunk App is supported by Carbon Black; if you have a problem, open a support ticket like you would any other Carbon Black Cloud issue.
      
      If you’ve got a question about the app or a use case/workflow/dashboard you’d like to share, let us know on the Carbon Black User Exchange Developer Relations board.