The VMware Carbon Black Cloud App for Splunk is a single application to integrate your endpoint and workload security features and telemetry directly into Splunk dashboards, workflows and alert streams.
This application connects with any Carbon Black Cloud offering and replaces the existing product-specific Carbon Black Cloud apps for Splunk. This app provides a unified solution to integrate Carbon Black Cloud Endpoint and Workload offerings with Splunk Enterprise, Splunk Cloud, and Splunk Enterprise Security (ES). Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk.
If you are running Splunk 7, our legacy apps Endpoint Standard VMware Carbon Black Cloud App and Enterprise EDR VMware Carbon Black Cloud App are still supported.
This app realizes many key SOC use cases, from conventional SIEM to XDR:
Warning: Installing the VMware Carbon Black Cloud Technology Add-on (TA) or Input Add-on (IA) on the same node as the App is an unsupported configuration that may result in instability or errors.
Depending on your Splunk configuration and version, the VMware Carbon Black Cloud app, Technology Add-on (TA), and Input Add-on (IA) need to be installed on specific Splunk instances. See the following sections as to where each component is installed.
Splunk 7.x
Single Instance (8.x)
Single Instance + Heavy Forwarder (8.x)
Distributed deployment (8.x)
Splunk Cloud
In a distributed environment the app and add-ons only support a subset of configuration, as each Splunk component provides specific functionality. The Heavy Forwarder is where Splunk ingests data from the Carbon Black Cloud, the Indexer processes the incoming data and applies the CIM-compliant models, and the Search Head provides the graphical search interface that lets you interact with the data through dashboards, alert actions and custom commands.
Search Head - vmware_app_for_splunk
Heavy Forwarder - IA-vmware_app_for_splunk
Note: If you are using the Data Forwarder to ingest Alerts and Events then you will need to install and configure the Splunk AWS Add-on.
TA-vmware_app_for_splunk
Watch our Setup Video for an in depth walk through of the following sections.
The VMware Carbon Black Cloud App offers two methods to ingest data. Each method supports a subset of the Carbon Black Cloud data which is outlined below.
Built-In Input: Alerts, Audit Logs, Live Query Results, Vulnerabilities
Data Forwarder: Alerts (recommended for orgs with high volumes), Endpoint.Events
For built-in data inputs, alert actions, and commands, create API Key(s) with the correct permissions in the Carbon Black Cloud and then configure Splunk to use those keys.
Identify the built-in data inputs, alert actions, and commands you intend to use.
Reference Tables 1, 2, and 3 below to identify the required API Key Access Levels and RBAC Permissions.
Generate API Keys in the Carbon Black Cloud console under Settings –> API Access. Refer to the VMware Carbon Black Cloud Authentication Guide for additional guidance.
Access Level
If you are using any functions that require an Access Level Type “Custom”, create a Custom Access Level with the permissions required for the Inputs and Actions you want to use. The tables below list the necessary permissions that must be included in your Custom Access Level for each Action.
API Keys
You may need multiple API Keys depending on the Inputs and Actions you want to use because a different API key is required for each Access Level Type used (Custom, API, Live Response).
Access Level Type: Custom (then select the Access Level you created in step 1), Live Response, or API
ORG KEY
Remember your organization’s Org Key from the top of the API Keys table for later steps.
In Splunk, navigate to the Administration –> Application Configuration menu in the VMware Carbon Black Cloud App.
On the API Token Configuration tab, create a new API configuration by clicking the + in the top right corner.
Give the configuration a meaningful API Name and Organization Name. You’ll use these to configure Alert Inputs and Actions.
Enter the Org Key, API ID, and API Secret Key from step 3.
The CBC Environment is the hostname of the Carbon Black Cloud console where your organization is provisioned, e.g. defense.conferdeploy.net.
Repeat steps 2-4 for each API Key you created in step 3.
The following tables indicate which type of API Key access level is required. If the type is Custom, the required permissions are also listed.
Table 1: API Data Inputs

Inputs | Description | Access Level and Permissions | Data Schema
---|---|---|---
Alerts API | Alerts indicate suspicious behavior and known threats in your environment. Use the Data Forwarder option instead when you have a high volume or significant bursts, as the Data Forwarder provides higher scalability. | Custom orgs.alerts (Read) | Alert Schema
Audit Logs | Carbon Black Cloud Audit Logs, such as when a user signs in or updates a policy | API or Live Response | Audit Log Schema
Live Query Results | LiveQuery Run and Result data. Requires VMware Carbon Black Cloud Audit & Remediation | Custom livequery.manage (Read) | LiveQuery Result Schema
Vulnerabilities | Vulnerability assessment data including identified CVEs, metadata, and impacted assets. Requires VMware Carbon Black Cloud Workload Protection | Custom vulnerabilityAssessment.data (Read) | Vulnerability Schema
Table 2: Alert Actions/Adaptive Responses

Alert Action | Description | Access Level and Permission
---|---|---
Add IOCs to a Watchlist | Adds specified IOC(s) to a specified report in a watchlist. Requires VMware Carbon Black Cloud Enterprise EDR | Custom orgs.watchlist (Create, Read, Update)
Remove IOCs from a Watchlist | Removes IOCs from a report in a watchlist. Requires VMware Carbon Black Cloud Enterprise EDR | Custom orgs.watchlist (Read, Update, Delete)
Get File Metadata | Retrieves file metadata, such as the number of devices the hash was observed on, from the specified sha256 file hash. Requires VMware Carbon Black Cloud Enterprise EDR | Custom ubs.org.sha256 (Read)
Ban Hash | Prevents a sha256 hash from being executed in Carbon Black Cloud. Currently requires Endpoint Standard; Enterprise EDR support expected CY21Q2. | Custom org.reputations (Create)
Kill Process | Remotely kills a process on the devices specified in the search | Live Response
List Processes | Remotely lists processes on the specified device. Example: If an Analytics alert did not terminate the process, identify whether the suspicious process is still running on the device. | Live Response
Quarantine Device | Quarantines the specified device and prevents suspicious activity and malware from affecting the rest of your network. The device can only communicate with Carbon Black Cloud until unquarantined | Custom device (Read), Custom device.quarantine (Execute)
Un-quarantine Device(s) | Removes the specified device(s) from the quarantined state, allowing them to communicate normally on the network. | Custom device (Read), Custom device.quarantine (Execute)
Update Device Policy | Updates the policy associated with the specified device. Example: move a device to a more restrictive policy during incident investigation | Custom device (Read), Custom device.policy (Update)
Dismiss Alert | Dismisses the specified alert in Carbon Black Cloud | Custom org.alerts (Read), Custom org.alerts.dismiss (Execute)
Enrich CB Analytics Event | Searches and ingests the Enriched Events that are associated with the CB Analytics alert. Intended for use with the “CB Analytics - Ingest Enriched Events” Splunk Alert. Requires VMware Carbon Black Cloud Endpoint Standard | Custom org.search.events (Create, Read)
Process GUID Details | Fetches the most up to date, detailed metadata associated with the specified process GUID. Example: learn more about the process that triggered a Watchlist alert, such as the parent and the process cmdline. | Custom org.search.events (Read, Execute)
Run Livequery | Creates a new LiveQuery Run. Example: Automatically get the logged-in users on an endpoint after a credential scraping alert. Requires VMware Carbon Black Cloud Audit & Remediation | Custom livequery.manage (Create, Read)
Table 3: Commands

Command | Description | Access Level and Permission
---|---|---
VMware CBC Device Info (cbcdvcinfo) | Gets real-time information about a CBC device. See the Custom Commands section below for usage and best practices | Custom device (Read)
VMware CBC Hash Info (cbchashinfo) | Gets real-time information about a sha256 hash, such as the number of devices that observed the file. Requires Enterprise EDR. | Custom ubs.org.sha256 (Read)
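Because one API key is needed per Access Level Type and a Custom Access Level should carry only the permissions the chosen inputs and actions actually use, it helps to plan the keys before creating them. The following is an added example (not code from the VMware Carbon Black Cloud App or its documentation) that transcribes a subset of the requirements from Tables 1-3 above, derives the key types and the minimal Custom permission set for a chosen list of functions, and flags operations in an existing Custom Access Level that none of them need; the permission names are copied from the tables, and the function names are my own.

```python
# Added example, not part of the VMware Carbon Black Cloud App: plan API keys
# and the minimal Custom Access Level for a set of inputs/actions/commands.
from collections import defaultdict

# Access level requirements transcribed from Tables 1-3 (subset).
# Value: (Access Level Type, {permission: {operations}} or None).
REQUIREMENTS = {
    "Alerts API":                   ("Custom", {"orgs.alerts": {"Read"}}),
    "Audit Logs":                   ("API", None),  # API or Live Response key
    "Live Query Results":           ("Custom", {"livequery.manage": {"Read"}}),
    "Vulnerabilities":              ("Custom", {"vulnerabilityAssessment.data": {"Read"}}),
    "Add IOCs to a Watchlist":      ("Custom", {"orgs.watchlist": {"Create", "Read", "Update"}}),
    "Remove IOCs from a Watchlist": ("Custom", {"orgs.watchlist": {"Read", "Update", "Delete"}}),
    "Ban Hash":                     ("Custom", {"org.reputations": {"Create"}}),
    "Kill Process":                 ("Live Response", None),
    "List Processes":               ("Live Response", None),
    "Quarantine Device":            ("Custom", {"device": {"Read"}, "device.quarantine": {"Execute"}}),
    "Dismiss Alert":                ("Custom", {"org.alerts": {"Read"}, "org.alerts.dismiss": {"Execute"}}),
    "Run Livequery":                ("Custom", {"livequery.manage": {"Create", "Read"}}),
    "cbcdvcinfo":                   ("Custom", {"device": {"Read"}}),
}


def plan_api_keys(selected):
    """Return (set of Access Level Types that each need their own API key,
    merged Custom permissions as {permission: sorted operations})."""
    key_types = set()
    custom = defaultdict(set)
    for name in selected:
        level, perms = REQUIREMENTS[name]
        key_types.add(level)
        if perms:
            for perm, ops in perms.items():
                custom[perm] |= ops  # union: smallest superset covering all selected functions
    return key_types, {p: sorted(o) for p, o in custom.items()}


def excess_grants(granted, selected):
    """Operations present in an existing Custom Access Level (granted, as
    {permission: operations}) that none of the selected functions require."""
    _, needed = plan_api_keys(selected)
    excess = {}
    for perm, ops in granted.items():
        extra = set(ops) - set(needed.get(perm, []))
        if extra:
            excess[perm] = sorted(extra)
    return excess


if __name__ == "__main__":
    chosen = ["Alerts API", "Kill Process", "Quarantine Device", "Run Livequery"]
    print(plan_api_keys(chosen))
    print(excess_grants({"device": {"Read", "Update"}, "org.reputations": {"Create"}}, chosen))
```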
Ensure that you have correctly deployed the Apps and/or Add-ons per the Deployment Guide before attempting any configuration.
Create two event indexes for your data: carbonblackcloud and vmware_actions. For instructions on creating an index, see the Splunk documentation.
Navigate to the Administration –> Application Configuration menu in the VMware Carbon Black Cloud App.
On the VMware CBC Base Configuration tab, set the VMware CBC Base Index and VMware CBC Action Index to the index names from step 1, including index=, e.g. index=carbonblackcloud.
[Optional] Configure a proxy if needed on the Proxies tab.
If you have not already configured any API Configurations in Splunk see the Authentication & Authorization section
Depending on what inputs you want to configure see the corresponding section:
Alerts
Data Forwarder
API
Navigate to the Alerts Inputs tab in the Application Configuration menu.
Create a new configuration by clicking the + in the top right corner.
Enter a name for this configuration.
Set the Minimum Severity to the desired level (Default: 4).
Select the desired Alert types (Default: All). Note: Don’t select All if you don’t have both Endpoint Standard and Enterprise EDR.
Select the Custom API Token configured in the Authentication & Authorization section. Note: Ensure your Splunk access level has the permissions specified in Table 1 above for Alerts API.
[Optional] Select the proxy configured in step 4.
Set Lookback to 0 unless you need to retrieve data from the previous day(s) (Default: 7 days).
Set the index equal to the Base Index name from VMware CBC Base Configuration, e.g. carbonblackcloud. Note: Do not include index=.
Set the Interval to the desired poll cycle (Default: 300 seconds). Note: If your organization generates a significant number of alerts, consider using the Data Forwarder option.
[Optional] Add a query to refine the alerts that will be ingested. Note: The query uses the same syntax as the Alerts page in the Carbon Black Cloud console.
Audit Logs
Navigate to the Audit Log Inputs tab in the Application Configuration menu.
Create a new configuration by clicking the + in the top right corner.
Enter a name for this configuration.
Select the API or Live Response API Token configured in the Authentication & Authorization section.
[Optional] Select the proxy configured in step 4.
Set the index equal to the Base Index name from VMware CBC Base Configuration, e.g. carbonblackcloud. Note: Do not include index=.
Set the Interval to the desired poll cycle (Default: 300 seconds).
Events
Data Forwarder
Alert Action
See the Enrich CB Analytics Event Alert Action for ingesting Enriched Events associated with CB Analytics Alerts.
Live Query Results
Navigate to the Live Query Inputs tab in the Application Configuration menu.
Create a new configuration by clicking the + in the top right corner.
Enter a name for this configuration.
Select the Custom API Token configured in the Authentication & Authorization section. Note: Ensure your Splunk access level has the permissions specified in Table 1 above for Live Query Results.
[Optional] Select the proxy configured in step 4.
Set Lookback to 0 unless you need to retrieve data from the previous day(s) (Default: 7 days).
Set the index equal to the Base Index name from VMware CBC Base Configuration, e.g. carbonblackcloud. Note: Do not include index=.
Set the Interval to the desired poll cycle (Default: 300 seconds).
Add a Result query to refine the results that will be ingested, e.g. * for all results. Note: The query uses the same syntax as the Live Query -> Query Results page in the Carbon Black Cloud console.
Vulnerabilities
Navigate to the Vulnerabilities Inputs tab in the Application Configuration menu.
Create a new configuration by clicking the + in the top right corner.
Enter a name for this configuration.
Set the Minimum Risk to the desired level (Default: 7).
Select the Custom API Token configured in the Authentication & Authorization section. Note: Ensure your Splunk access level has the permissions specified in Table 1 above for Vulnerabilities.
[Optional] Select the proxy configured in step 4.
Set the index equal to the Base Index name from VMware CBC Base Configuration, e.g. carbonblackcloud. Note: Do not include index=.
Set the Interval to the desired poll cycle (Default: 300 seconds).
[Optional] Add a query to refine the vulnerabilities that will be ingested. Note: The query uses the same syntax as the Vulnerabilities page in the Carbon Black Cloud console.
A Data Forwarder must be created for the Carbon Black Cloud to stream data externally. The forwarder routes data to an S3 bucket, from which Splunk can ingest it using the AWS input add-on.
Requirements
Note: You can configure more than one forwarder for each type if you have complex filtering needs.
Configure your forwarder with filters to limit the amount of event data forwarded to Splunk in order to reduce costs. The forwarder can be created via the Carbon Black Cloud Console under Settings –> Data Forwarders or via the Carbon Black Cloud Data Forwarder API.
For more detailed instructions on setting up a Data Forwarder using the APIs see the following:
Note: The same forwarder cannot be used for both Alerts and Events. Create a separate forwarder for each type of data you want to forward.
Before configuring the AWS inputs, make sure that the AWS add-on is installed in your Splunk environment. For instructions on installing the AWS add-on see the Splunk documentation.
The recommended approach to ingest Carbon Black Cloud Data Forwarder data into Splunk is the SQS-based S3 data input.
Configuring an input in the AWS add-on to pull Carbon Black Cloud data using SQS-based S3:
Create New Input -> Custom Data Type -> SQS-based S3.
Specify a name that should be used for this input.
Select the AWS account you configured with the AWS Add-on.
[Optional] If you configured IAM roles when configuring your AWS account, select the created role.
Select the AWS Region where you configured the SQS queue and S3 bucket.
Select the SQS queue from the dropdown. Note: If you don’t see your SQS queue, ensure you have selected the correct AWS region and that the SQS queue was created in that region.
Set the batch size for Splunk to pull from your SQS queue (Default: 10 messages).
Ensure the S3 File Decoder is set to Custom Logs.
Use one of the following Source Types depending on the data you configured for the forwarder: vmware:cbc:s3:alerts for Alerts, vmware:cbc:s3:events for Events. Note: You will need to create separate inputs for Alerts and Events.
Ensure the index you select matches the base index configured in the VMware Carbon Black Cloud app. Note: Alerts and Events should both be configured to the base index.
In Advanced Settings, you can increase the polling cycle for fetching messages from the SQS queue (Default: 300 seconds).
Note: If you need to reload older events and are using SQS to pull from buckets, the events will no longer be available in the queue once they are retrieved. To view historical events or reload data, use the generic S3 option, or copy the events to another prefix so that they are placed on the queue again.
Useful Queries on Tech Zone
Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
Access questions and answers specific to the VMware Carbon Black Cloud app at https://answers.splunk.com. Be sure to tag your question with VMware Carbon Black Cloud Splunk App.
Check out the frequently asked questions and common troubleshooting.
Report bugs and change requests to Carbon Black Support.
View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
Diagnostics Generation
Please include a support diagnostic file when creating a support ticket. Use the following command to generate the file, based on which Splunk app or add-on is installed, and send the resulting file to support.

```shell
$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:IA-vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:TA-vmware_app_for_splunk
```