Splunk SOAR - Installation & User Guide


Getting Started

This guide describes:

  • Steps to install and configure settings in the app
  • Various actions you can use once it is configured

Installation Guide

Install the Carbon Black Cloud app for Splunk SOAR.

• Open your Splunk SOAR console, go to Apps.

• Navigate to the New Apps menu and find `Carbon Black Cloud`, click Install.

• Go back to Unconfigured Apps, confirm that `Carbon Black Cloud` is present in the section. Instructions to configure a new asset are in Configure Splunk SOAR section.

Data Ingestion

There are two methods of data ingestion: from Carbon Black Cloud using REST APIs and from Splunk Enterprise using the Splunk App for Splunk SOAR.

Data Ingestion from Carbon Black Cloud

Data is ingested from Carbon Black Cloud using REST APIs.

Supported data and features:

Requirements:

  • Custom Type API Key for data inputs and SOAR Actions

Setup Data Ingestion

Follow the steps below to create API Keys with the appropriate permissions to start pulling in Carbon Black Cloud data.

For more information refer to Carbon Black Cloud Authentication page.

Custom Type Credentials

Note: For VMware Carbon Black Cloud customers who use VMware Cloud Services Platform for Identity and Access Management, OAuth App Id and OAuth App Secret can be used.

• Open your Carbon Black Cloud console, go to Settings > API Access, select "Access Levels" and click "Add Access Level".

• Fill in the "Name" and "Description" fields, grant the new Access Level with the following RBAC permissions and click Save.

Alerts (org.alerts) - READ
Alerts (org.alerts.dismiss) - EXECUTE
Applications (org.reputations) - CREATE, DELETE
Custom Detections (org.watchlists) - CREATE, READ, UPDATE, DELETE
Custom Detections (org.feeds) - CREATE, READ, UPDATE, DELETE
Device (device.quarantine) - EXECUTE
Device (device) - READ
Device (device.policy) - UPDATE
Live Response File (org.liveresponse.file) - READ, DELETE
Live Response Process (org.liveresponse.process) - EXECUTE, READ, DELETE
Live Response Session (org.liveresponse.session) - CREATE, READ, DELETE
Policies (org.policies) - READ
Search (org.search.events) - CREATE, READ
Unified Binary Store (ubs.org.sha256) - READ
Unified Binary Store (ubs.org.file) - READ

_Note: Refer to the SOAR actions table to determine permissions for the actions you want to enable._

• Go to the "API Keys" tab and click "Add API Key".

• Enter a "Name", click on the "Access Level type" dropdown, select "Custom", click on the "Custom Access Level" dropdown and select the level you created in step 2, then click Save.

• Copy the API Secret Key and API ID from the pop-up modal.

• Copy Carbon Black Cloud console URL(including the "https://"), and ORG KEY.


• Open the Splunk SOAR console. Go to Apps > Unconfigured Apps > Carbon Black Cloud click Configure New Asset.

• Go to "Asset Info" Tab and enter "Asset name".

• Go to "Asset Settings" Tab and add Carbon Black Cloud instance URL, Carbon Black Cloud Org Key, API ID and API Secret Key to their respective fields. Click on the corresponding checkbox to enable fetching a specific type of alerts (CB_ANALYTICS alerts, DEVICE_CONTROL alerts, WATCHLIST alerts (requires Enterprise EDR), CONTAINER_RUNTIME alerts (requires Container Security)). Set Minimum Alert Severity to the lowest severity to be ingested to Splunk SOAR.

• Go to "Ingest Settings" Tab and enable polling on the asset. Select a polling interval or schedule to configure polling on this asset. The suggested Polling interval is 3 minutes. Click Save.

• Go back to "Asset Settings" tab and click "Test Connectivity" to ensure successful connection.

Splunk App for Splunk SOAR

The Splunk App for Splunk SOAR is used to pull event data from Splunk Enterprise. Artifacts pulled in from Splunk Enterprise have all the Carbon Black Cloud alert data packed into a single value and lack the necessary mappings.

In order to operate on the Carbon Black Cloud events, the user needs to create a normalize artifact playbook. After the events have been processed by the playbook, all the containers ingested from Splunk Enterprise will be converted to the same format as the events ingested directly from Carbon Black Cloud with support for all the Carbon Black Cloud contextual actions.

Supported data and features:

Requirements:

  • Splunk Enterprise with Carbon Black Cloud App configured
  • Splunk App for Splunk SOAR
  • Custom Type API Key for data inputs and SOAR Actions

Setup Splunk App for Splunk SOAR

The Splunk App for Splunk SOAR is required to ingest data from Splunk into Splunk SOAR. It is available on Splunkbase.

The following section has steps for the recommended installation method via Apps within Splunk SOAR.

• Open your Splunk SOAR console, go to Apps.

• Navigate to the New Apps menu and find `Splunk`, click Install.

• Go back to Unconfigured Apps, confirm that `Splunk` is present in the section.

For information about configuring the app refer to the README in the project documentation.

The Command for query to use with On Poll setting needs to be set to search and the Query to use with On Poll setting needs to be set to index="*carbonblackcloud". Replace carbonblackcloud if non default index is configured in Splunk Enterprise to store Carbon Black Cloud events.

Note: If using Splunk App version 2.11.0 or newer, use token authentication rather than password authentication for increased security. Follow the steps in Splunk Documentation to generate an API token.


Create Normalize Artifact Playbook and Set It Active

When Splunk App is used to ingest data from Splunk SIEM, the events data is packed in one string. In order to be able to run actions on the events, they need to be normalized (individual fields mapped within Splunk SOAR). By creating normalize artifact playbook and setting it active every new event that is ingested is normalized automatically. By default the automation user lacks artifact permissions. Before creating the playbook grant permissions to the automation user.


• Navigate to Administration > User Management > Roles & Permissions. Click "Add New Role".


• Go to Basic Permissions Section and enable delete permissions for Events by selecting the "Delete" checkbox. Click Add Users.


• Select Automation user and click Add.


• Fill in the Role Name and Role Description fields accordingly. Click Create Role.


• Go to Playbooks > Add Playbook.

• Drag and release blue node to get started. Select Action.

• Select Carbon Black Cloud from Available Apps menu.

• Select "normalize artifact" from Available Actions menu.

• Select an asset from Available Assets menu.(Polling on the asset needs to be disabled.

• Normalize artifact has two input parameters that need to be mapped. Map raw to artifacts > _raw. Map artifact_id to the id field of the artifact headers. Click Save.

• Drag the blue node towards the "END" block. Enter the name of the playbook in the corresponding field.

• In the 'Operates on' dropdown in Playbook Settings section, select 'events'. Click Save.

• Enter a comment to save the playbook. Click Save.

• Navigate to the 'Playbooks' page and set the status of the created playbook to active.


Using the App

SOAR Actions

Access the SOAR actions by following the instructions below.

Note: Some SOAR actions are available as 'context actions'. For more information refer to the SOAR actions table.


• Open your Splunk SOAR console, go to Sources > New Events.


• Select an Event.


• Click Action. Select an action and the asset created during Data Ingestion configuration.


• Proceed with the input parameters and click Launch to run the action.


• Open your Splunk SOAR console, go to Sources > New Events.

• Select an Event.

• Navigate to Artifacts section and extend the view by clicking on the arrows.

• Select a parameter and click the arrow next to its value. Navigate to "Run Action" tab and select an action.

• Proceed with the input parameters and click Launch to run the action.

Details and requirements are listed below for each of the actions.

Actions

Note: The actions in *italics* are available as 'context actions'.

[*] Required Input Parameter

[**] One of the Input Parameters is required

Modules Supporting the SOAR Actions

Note: The enabled modules can be found in the Carbon Black Cloud console by clicking in the top right corner of the page.
Action Name Description Input Parameters Action Output Access Level Required Modules Supported
add ioc Add IOC to feed/watchlist in Carbon Black Cloud. feed_id**
watchlist_id**
report_id*
ioc_id
cbc_field*
oc_value*		 ioc_id Custom Detections: org.feeds - CREATE, READ, UPDATE
Custom Detections: org.watchlists - CREATE, READ, UPDATE		 Enterprise EDR
ban hash Ban process by hash in Carbon Black Cloud. process_hash* process_hash Applications: org.reputations - CREATE, DELETE
Unified Binary Store: ubs.org.sha256 - READ		 Enterprise EDR
create feed Create a feed in Carbon Black Cloud. feed_name*
feed_provider_url*
feed_summary*
feed_category*		 feed_id Custom Detections: org.feeds - CREATE Enterprise EDR
create report Create a report in Carbon Black Cloud. feed_id**
report_save_as_watchlist**
report_name*
report_severity*
report_summary*
report_tags
report_id Custom Detections: org.watchlists - CREATE Enterprise EDR
create watchlist Create a watchlist in Carbon Black Cloud. watchlist_name*
watchlist_description
watchlist_tags_enabled
watchlist_alerts_enabled
watchlist_report_ids
watchlist_id Custom Detections: org.watchlists - CREATE Enterprise EDR
delete feed Delete a feed in Carbon Black Cloud. feed_id* - Custom Detections: org.feeds - DELETE Enterprise EDR
delete file Delete File. device_id*
file_name*
device_id
file_name
Device: device - READ
Live Response Session: org.liveresponse.session - CREATE, READ, DELETE
Live Response File: org.liveresponse.file - DELETE		 Endpoint Standard Enterprise EDR
delete report Delete a report in Carbon Black Cloud feed or watchlist. report_id* - Custom Detections: org.watchlists - DELETE Enterprise EDR
delete watchlist Delete a watchlist in Carbon Black Cloud. watchlist_id* - Custom Detections: org.watchlists - DELETE Enterprise EDR
dismiss alert Dismiss Carbon Black Cloud alert. alert_id* alert_id Alerts: org.alerts - READ
Alerts: org.alerts.dismiss - EXECUTE		 Endpoint Standard Enterprise EDR
execute command Execute command on a device in Carbon Black Cloud. device_id*
command_line*
timeout
work_dir		 device_id
command_line
stdout		 Device: device - READ
Live Response Session: org.liveresponse.session - CREATE, READ, DELETE
Live Response Process: org.liveresponse.process - EXECUTE
Live Response File: org.liveresponse.file - READ		 Endpoint Standard Enterprise EDR
get binary file Get Binary File. file_hash* vault_id
file_hash
file_name		 Unified Binary Store: ubs.org.sha256 - READ
Unified Binary Store: ubs.org.file - READ		 Enterprise EDR
get binary metadata Get binary metadata from Carbon Black Cloud. file_hash* sha256
architecture
available_file_size
charset_id
comments
company_name
copyright
file_available
file_description
file_size
file_version
internal_name
lang_id
md5
original_filename
os_type
private_build
product_description
product_name
product_version
special_build
trademark		 Unified Binary Store: ubs.org.sha256 - READ Enterprise EDR
get enriched event Get Enriched Event from Carbon Black Cloud. alert_id* event_id
event_type
event_description
alert_id
alert_category
backend_timestamp
device_id
device_name
device_os
device_policy
process_name
process_hash
parent_pid
process_pid		 Alerts: org.alerts - READ
Search: org.search.events - CREATE, READ		 Endpoint Standard Enterprise EDR
get file Get File. device_id*
file_name*		 vault_id
file_name
device_id		 Device: device - READ
Live Response Session: org.liveresponse.session - CREATE, READ, DELETE
Live Response File: org.liveresponse.file - READ		 Endpoint Standard Enterprise EDR
get process metadata Get Process Metadata. process_guid* process_name
process_sha256
process_pid
process_cmdline
parent_pid
alert_id
alert_category
backend_timestamp
device_id
device_name
device_os
device_policy		 Search: org.search.events - CREATE, READ Endpoint Standard Enterprise EDR
kill process Kill process on Carbon Black Cloud endpoint. device_id*
process_pid**
process_name**
process_hash**
process_guid**		 process_pid
process_name
process_killed		 Device: device - READ
Live Response Session: org.liveresponse.session - CREATE, READ, DELETE
Live Response Process: org.liveresponse.process - READ, DELETE
Search: org.search.events - CREATE, READ		 Endpoint Standard Enterprise EDR
list policies List device policies in Carbon Black Cloud. - id
name
description
num_devices
priority_level		 Policies: org.policies - READ Endpoint Standard Enterprise EDR
list processes List processes on a device in Carbon Black Cloud. device_id* process_pid
process_path
sid
parent_pid
process_cmdline
process_username
process_create_time
parent_create_time		 Device: device - READ
Live Response Session: org.liveresponse.session - CREATE, READ, DELETE
Live Response Process: org.liveresponse.process - READ 		Endpoint Standard Enterprise EDR
normalize artifact Normalize artifact ingested by Splunk App for Splunk Phantom. raw*
artifact_id*		 artifact_id - Endpoint Standard Enterprise EDR
on poll Callback action for the on_poll ingest functionality. container_id
start_time
end_time
container_count**
artifact_count**		 - Alerts: org.alerts - READ Endpoint Standard Enterprise EDR
quarantine device Quarantine device in Carbon Black Cloud. device_id* device_id Device: device - READ
Device: device.quarantine - EXECUTE		 Endpoint Standard Enterprise EDR
remove ioc feed Remove IOC from feed in Carbon Black Cloud. feed_id*
report_id*
ioc_id**
ioc_value**		 - Custom Detections: org.feeds - CREATE, READ, UPDATE Enterprise EDR
remove ioc watchlist Remove IOC from watchlist in Carbon Black Cloud. watchlist_id*
report_id*
ioc_id**
ioc_value**		 - Custom Detections: org.watchlists - CREATE, READ, UPDATE Enterprise EDR
retrieve feed Retrieve a feed in Carbon Black Cloud. feed_id* feed_id
feed_name
access
summary
category
provider_url
reports_count		 Custom Detections: org.feeds - READ Enterprise EDR
retrieve iocs Retrieve IOCs for a given report in Carbon Black Cloud. watchlist_id**
feed_id**
report_id*		 ioc_id
match_type
field
values		 Custom Detections: org.watchlists - READ Enterprise EDR
retrieve watchlist Retrieve a watchlist in Carbon Black Cloud. watchlist_id* watchlist_id
watchlist_name
description
tags_enabled
alerts_enabled
create_timestamp
last_update_timestamp
report_ids		 Custom Detections: org.watchlists - READ Enterprise EDR
set device policy Set device policy of a Carbon Black Cloud endpoint. device_id*
policy_id**
policy_name**		 policy_id
policy_name
device_id		 Policies: org.policies - READ
Device: device.policy - UPDATE
Device: device - READ		 Endpoint Standard Enterprise EDR
test connectivity Validate the asset configuration for connectivity with the supplied configuration. - - Alerts: org.alerts - READ Endpoint Standard Enterprise EDR
unban hash Unban process by hash in Carbon Black Cloud. process_hash* process_hash Applications: org.reputations - READ, CREATE, DELETE
Unified Binary Store: ubs.org.sha256 - READ 		Endpoint Standard Enterprise EDR
unquarantine device Unquarantine device in Carbon Black Cloud. device_id* device_id Device: device - READ
Device: device.quarantine - EXECUTE		 Endpoint Standard Enterprise EDR
update feed Update a feed in Carbon Black Cloud. feed_id*
feed_name*
feed_provider_url*
feed_summary*
feed_category*		 feed_id Custom Detections: org.feeds - UPDATE Enterprise EDR
update watchlist Update a feed in Carbon Black Cloud. watchlist_id*
watchlist_name*
watchlist_description
watchlist_tags_enabled
watchlist_alerts_enabled
add_report_ids
remove_report_ids		 watchlist_id Custom Detections: org.watchlists - UPDATE Enterprise EDR

Viewing App Logs

The Carbon Black Cloud App uses standard Splunk SOAR logging system. For details about logging, go to Logging levels for Splunk SOAR.

Multi-Tenancy


Enable multi-tenancy to allow one security team to manage multiple independent customers while segregating their customers' assets and data. For example, a Managed Security Service Provider (MSSP) business can use multi-tenancy to perform incident response for multiple clients with one analyst team on a single Splunk SOAR (On-premises) instance and maintain customer separation. The MSSP SOC can administer each customer's data set without needing a separate login and permissions configuration.

To learn how to set up your multitenant environment, follow Splunk's Multitenant management.

Last modified on February 9, 2023