Splunk SOAR - Installation & User Guide
Getting Started
This guide describes:
- Steps to install and configure settings in the app
- Various actions you can use once it is configured
Installation Guide
Install the Carbon Black Cloud app for Splunk SOAR.

• Navigate to the New Apps menu and find `Carbon Black Cloud`, click Install.
• Go back to Unconfigured Apps and confirm that `Carbon Black Cloud` is present in the section. Instructions to configure a new asset are in the Configure Splunk SOAR section.

Data Ingestion
There are two methods of data ingestion: from Carbon Black Cloud using REST APIs, and from Splunk Enterprise using the Splunk App for Splunk SOAR.
Data Ingestion from Carbon Black Cloud
Data is ingested from Carbon Black Cloud using REST APIs.
Supported data and features:
- Alerts
- SOAR Actions
Requirements:
- Custom Type API Key for data inputs and SOAR Actions
Setup Data Ingestion
Follow the steps below to create API Keys with the appropriate permissions to start pulling in Carbon Black Cloud data. For more information refer to the Carbon Black Cloud Authentication page.
Note: For VMware Carbon Black Cloud customers who use VMware Cloud Services Platform for Identity and Access Management, OAuth App Id and OAuth App Secret can be used.
• Open your Carbon Black Cloud console, go to Settings > API Access, select "Access Levels" and click "Add Access Level".

• Fill in the "Name" and "Description" fields, grant the new Access Level the following RBAC permissions and click Save.
- Alerts (org.alerts) - READ
- Alerts (org.alerts.dismiss) - EXECUTE
- Applications (org.reputations) - CREATE, DELETE
- Custom Detections (org.watchlists) - CREATE, READ, UPDATE, DELETE
- Custom Detections (org.feeds) - CREATE, READ, UPDATE, DELETE
- Device (device.quarantine) - EXECUTE
- Device (device) - READ
- Device (device.policy) - UPDATE
- Live Response File (org.liveresponse.file) - READ, DELETE
- Live Response Process (org.liveresponse.process) - EXECUTE, READ, DELETE
- Live Response Session (org.liveresponse.session) - CREATE, READ, DELETE
- Policies (org.policies) - READ
- Search (org.search.events) - CREATE, READ
- Unified Binary Store (ubs.org.sha256) - READ
- Unified Binary Store (ubs.org.file) - READ
_Note: Refer to the SOAR actions table to determine the permissions needed for the actions you want to enable; grant only those._

• Go to the "API Keys" tab and click "Add API Key".

• Enter a "Name", click on the "Access Level type" dropdown, select "Custom", click on the "Custom Access Level" dropdown and select the level you created in step 2, then click Save.

• Copy the API Secret Key and API ID from the pop-up modal.

• Copy the Carbon Black Cloud console URL (including the "https://") and the ORG KEY.

• Open the Splunk SOAR console. Go to Apps > Unconfigured Apps > Carbon Black Cloud and click Configure New Asset.

• Go to "Asset Info" Tab and enter "Asset name".

• Go to the "Asset Settings" Tab and add the Carbon Black Cloud instance URL, Carbon Black Cloud Org Key, API ID and API Secret Key to their respective fields. Select the checkbox for each alert type you want to fetch (CB_ANALYTICS alerts, DEVICE_CONTROL alerts, WATCHLIST alerts (requires Enterprise EDR), CONTAINER_RUNTIME alerts (requires Container Security)). Set Minimum Alert Severity to the lowest severity that should be ingested into Splunk SOAR.

• Go to "Ingest Settings" Tab and enable polling on the asset. Select a polling interval or schedule to configure polling on this asset. The suggested Polling interval is 3 minutes. Click Save.

• Go back to the "Asset Settings" tab and click "Test Connectivity" to verify that the connection succeeds.

Splunk App for Splunk SOAR
The Splunk App for Splunk SOAR is used to pull event data from Splunk Enterprise. Artifacts pulled in from Splunk Enterprise have all the Carbon Black Cloud alert data packed into a single value and lack the necessary mappings.
In order to operate on the Carbon Black Cloud events, the user needs to create a normalize artifact playbook. After the events have been processed by the playbook, all the containers ingested from Splunk Enterprise will be converted to the same format as the events ingested directly from Carbon Black Cloud, with support for all the Carbon Black Cloud contextual actions.
Supported data and features:
- Alerts
- SOAR Actions
Requirements:
- Splunk Enterprise with Carbon Black Cloud App configured
- Splunk App for Splunk SOAR
- Custom Type API Key for data inputs and SOAR Actions
Setup Splunk App for Splunk SOAR
The Splunk App for Splunk SOAR is required to ingest data from Splunk into Splunk SOAR. It is available on Splunkbase.
The following section has steps for the recommended installation method via Apps within Splunk SOAR.

• Navigate to the New Apps menu and find `Splunk`, click Install.

• Go back to Unconfigured Apps, confirm that `Splunk` is present in the section.
For information about configuring the app refer to the README in the project documentation.
The "Command for query to use with On Poll" setting needs to be set to `search`, and the "Query to use with On Poll" setting needs to be set to `index="*carbonblackcloud"`. Replace `carbonblackcloud` if a non-default index is configured in Splunk Enterprise to store Carbon Black Cloud events.
Note: If using Splunk App version 2.11.0 or newer, use token authentication rather than password authentication for increased security. Follow the steps in the Splunk Documentation to generate an API token.
Create Normalize Artifact Playbook and Set It Active
When the Splunk App is used to ingest data from Splunk SIEM, the event data is packed into one string. In order to be able to run actions on the events, they need to be normalized (individual fields mapped within Splunk SOAR). By creating a normalize artifact playbook and setting it active, every new event that is ingested is normalized automatically. By default the automation user lacks artifact permissions. Before creating the playbook, grant permissions to the automation user.
• Navigate to Administration > User Management > Roles & Permissions. Click "Add New Role".

• Go to Basic Permissions Section and enable delete permissions for Events by selecting the "Delete" checkbox. Click Add Users.

• Select Automation user and click Add.

• Fill in the Role Name and Role Description fields accordingly. Click Create Role.

• Go to Playbooks > Add Playbook.

• Drag and release the blue node to get started. Select Action.

• Select Carbon Black Cloud from the Available Apps menu.

• Select "normalize artifact" from the Available Actions menu.

• Select an asset from the Available Assets menu. (Polling on the asset needs to be disabled.)

• Normalize artifact has two input parameters that need to be mapped. Map raw to artifacts > _raw. Map artifact_id to the id field of the artifact headers. Click Save.

• Drag the blue node towards the "END" block. Enter the name of the playbook in the corresponding field.

• In the 'Operates on' dropdown in Playbook Settings section, select 'events'. Click Save.

• Enter a comment to save the playbook. Click Save.

• Navigate to the 'Playbooks' page and set the status of the created playbook to active.

Using the App
SOAR Actions
Access the SOAR actions by following the instructions below.
Note: Some SOAR actions are available as 'context actions'. For more information refer to the SOAR actions table.
To run an action on an event:
• Open your Splunk SOAR console, go to Sources > New Events.

• Select an Event.

• Click Action. Select an action and the asset created during Data Ingestion configuration.

• Proceed with the input parameters and click Launch to run the action.

To run a context action from an artifact field:
• Open your Splunk SOAR console, go to Sources > New Events.

• Select an Event.

• Navigate to Artifacts section and extend the view by clicking on the arrows.

• Select a parameter and click the arrow next to its value. Navigate to "Run Action" tab and select an action.

• Proceed with the input parameters and click Launch to run the action.

Details and requirements are listed below for each of the actions.
Actions
Note: The actions in *italics* are available as 'context actions'.
[*] Required Input Parameter
[**] One of the Input Parameters is required
Modules Supporting the SOAR Actions
Note: The enabled modules can be found in the Carbon Black Cloud console by clicking in the top right corner of the page.

Action Name | Description | Input Parameters | Action Output | Access Level Required | Modules Supported | Available from version |
---|---|---|---|---|---|---|
add ioc | Add IOC to feed/watchlist in Carbon Black Cloud. | feed_id **<br>watchlist_id **<br>report_id *<br>ioc_id<br>cbc_field *<br>ioc_value * | ioc_id | Custom Detections: org.feeds - CREATE, READ, UPDATE<br>Custom Detections: org.watchlists - CREATE, READ, UPDATE | Enterprise EDR | 1.0.0 |
ban hash | Ban process by hash in Carbon Black Cloud. | process_hash * | process_hash | Applications: org.reputations - CREATE, DELETE<br>Unified Binary Store: ubs.org.sha256 - READ | Enterprise EDR | 1.0.0 |
create feed | Create a feed in Carbon Black Cloud. | feed_name *<br>feed_provider_url *<br>feed_summary *<br>feed_category * | feed_id | Custom Detections: org.feeds - CREATE | Enterprise EDR | 1.0.0 |
create report | Create a report in Carbon Black Cloud. | feed_id **<br>report_save_as_watchlist **<br>report_name *<br>report_severity *<br>report_summary *<br>report_tags | report_id | Custom Detections: org.watchlists - CREATE | Enterprise EDR | 1.0.0 |
create watchlist | Create a watchlist in Carbon Black Cloud. | watchlist_name *<br>watchlist_description<br>watchlist_tags_enabled<br>watchlist_alerts_enabled<br>watchlist_report_ids | watchlist_id | Custom Detections: org.watchlists - CREATE | Enterprise EDR | 1.0.0 |
delete feed | Delete a feed in Carbon Black Cloud. | feed_id * | - | Custom Detections: org.feeds - DELETE | Enterprise EDR | 1.0.0 |
delete file | Delete File. | device_id *<br>file_name * | device_id<br>file_name | Device: device - READ<br>Live Response Session: org.liveresponse.session - CREATE, READ, DELETE<br>Live Response File: org.liveresponse.file - DELETE | Endpoint Standard, Enterprise EDR | 1.0.0 |
delete report | Delete a report in Carbon Black Cloud feed or watchlist. | report_id * | - | Custom Detections: org.watchlists - DELETE | Enterprise EDR | 1.0.0 |
delete watchlist | Delete a watchlist in Carbon Black Cloud. | watchlist_id * | - | Custom Detections: org.watchlists - DELETE | Enterprise EDR | 1.0.0 |
dismiss alert | Dismiss Carbon Black Cloud alert. | alert_id * | alert_id | Alerts: org.alerts - READ<br>Alerts: org.alerts.dismiss - EXECUTE | Endpoint Standard, Enterprise EDR | 1.0.0 |
dismiss future alerts | Dismiss all future Carbon Black Cloud alerts that are associated with the same threat. | alert_id *<br>remediation_status **<br>comment ** | - | Alerts: org.alerts - READ<br>Alerts: org.alerts.dismiss - EXECUTE | Endpoint Standard, Enterprise EDR | 1.1.0 |
execute command | Execute command on a device in Carbon Black Cloud. | device_id *<br>command_line *<br>timeout<br>work_dir | device_id<br>command_line<br>stdout | Device: device - READ<br>Live Response Session: org.liveresponse.session - CREATE, READ, DELETE<br>Live Response Process: org.liveresponse.process - EXECUTE<br>Live Response File: org.liveresponse.file - READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
get asset info | Get detailed information about the asset (device) from Carbon Black Cloud. | device_id * | device_id<br>device_name<br>os<br>internal_ip_address<br>external_ip_address<br>status<br>last_contact_time<br>sensor_version<br>sensor_states | Device: device - READ | Endpoint Standard, Enterprise EDR | 1.1.0 |
get binary file | Get Binary File. | file_hash * | vault_id<br>file_hash<br>file_name | Unified Binary Store: ubs.org.sha256 - READ<br>Unified Binary Store: ubs.org.file - READ | Enterprise EDR | 1.0.0 |
get binary metadata | Get binary metadata from Carbon Black Cloud. | file_hash * | sha256<br>architecture<br>available_file_size<br>charset_id<br>comments<br>company_name<br>copyright<br>file_available<br>file_description<br>file_size<br>file_version<br>internal_name<br>lang_id<br>md5<br>original_filename<br>os_type<br>private_build<br>product_description<br>product_name<br>product_version<br>special_build<br>trademark | Unified Binary Store: ubs.org.sha256 - READ | Enterprise EDR | 1.0.0 |
get cleared eventlogs | From the specified Windows device, get the event logs that have been cleared. | device_id * | datetime<br>domain<br>user<br>sid | Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE | Audit and Remediation | 1.1.0 |
get enriched event | Get Enriched Event from Carbon Black Cloud. | alert_id * | event_id<br>event_type<br>event_description<br>alert_id<br>alert_category<br>backend_timestamp<br>device_id<br>device_name<br>device_os<br>device_policy<br>process_name<br>process_hash<br>parent_pid<br>process_pid | Alerts: org.alerts - READ<br>Search: org.search.events - CREATE, READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
get file | Get File. | device_id *<br>file_name * | vault_id<br>file_name<br>device_id | Device: device - READ<br>Live Response Session: org.liveresponse.session - CREATE, READ, DELETE<br>Live Response File: org.liveresponse.file - READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
get process metadata | Get Process Metadata. | process_guid * | process_name<br>process_sha256<br>process_pid<br>process_cmdline<br>parent_pid<br>alert_id<br>alert_category<br>backend_timestamp<br>device_id<br>device_name<br>device_os<br>device_policy | Search: org.search.events - CREATE, READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
get rdp info | Get RDP Connection Information. | device_id * | process_pid<br>process_name<br>process_cmdline<br>local_address<br>remote_address<br>local_port<br>remote_port | Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE | Audit and Remediation | 1.1.0 |
get scheduled task | From the specified device, get a list of tasks that are scheduled. | device_id * | event_channel<br>datetime<br>task<br>severity<br>provider_name<br>provider_guid<br>host<br>event_id<br>keywords<br>data<br>process_pid<br>threat_id<br>time_range<br>timestamp<br>xpath | Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE | Audit and Remediation | 1.1.0 |
kill process | Kill process on Carbon Black Cloud endpoint. | device_id *<br>process_pid **<br>process_name **<br>process_hash **<br>process_guid ** | process_pid<br>process_name<br>process_killed | Device: device - READ<br>Live Response Session: org.liveresponse.session - CREATE, READ, DELETE<br>Live Response Process: org.liveresponse.process - READ, DELETE<br>Search: org.search.events - CREATE, READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
list logged users | List users that are logged in to the specified device. | device_id * | login_type<br>user<br>device_name<br>host<br>time<br>process_pid<br>sid<br>registry_hive<br>process_name<br>cmdline | Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE | Audit and Remediation | 1.1.0 |
list persistence locations | List Windows Persistence Locations. | device_id * | path<br>name<br>source | Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE | Audit and Remediation | 1.1.0 |
list policies | List device policies in Carbon Black Cloud. | - | id<br>name<br>description<br>num_devices<br>priority_level | Policies: org.policies - READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
list processes | List processes on a device in Carbon Black Cloud. | device_id * | process_pid<br>process_path<br>sid<br>parent_pid<br>process_cmdline<br>process_username<br>process_create_time<br>parent_create_time | Device: device - READ<br>Live Response Session: org.liveresponse.session - CREATE, READ, DELETE<br>Live Response Process: org.liveresponse.process - READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
normalize artifact | Normalize artifact ingested by Splunk App for Splunk Phantom. | raw *<br>artifact_id * | artifact_id | - | Endpoint Standard, Enterprise EDR | 1.0.0 |
on poll | Callback action for the on_poll ingest functionality. | container_id<br>start_time<br>end_time<br>container_count **<br>artifact_count ** | - | Alerts: org.alerts - READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
quarantine device | Quarantine device in Carbon Black Cloud. | device_id * | device_id | Device: device - READ<br>Device: device.quarantine - EXECUTE | Endpoint Standard, Enterprise EDR | 1.0.0 |
remove ioc feed | Remove IOC from feed in Carbon Black Cloud. | feed_id *<br>report_id *<br>ioc_id **<br>ioc_value ** | - | Custom Detections: org.feeds - CREATE, READ, UPDATE | Enterprise EDR | 1.0.0 |
remove ioc watchlist | Remove IOC from watchlist in Carbon Black Cloud. | watchlist_id *<br>report_id *<br>ioc_id **<br>ioc_value ** | - | Custom Detections: org.watchlists - CREATE, READ, UPDATE | Enterprise EDR | 1.0.0 |
retrieve feed | Retrieve a feed in Carbon Black Cloud. | feed_id * | feed_id<br>feed_name<br>access<br>summary<br>category<br>provider_url<br>reports_count | Custom Detections: org.feeds - READ | Enterprise EDR | 1.0.0 |
retrieve iocs | Retrieve IOCs for a given report in Carbon Black Cloud. | watchlist_id **<br>feed_id **<br>report_id * | ioc_id<br>match_type<br>field<br>values | Custom Detections: org.watchlists - READ | Enterprise EDR | 1.0.0 |
retrieve watchlist | Retrieve a watchlist in Carbon Black Cloud. | watchlist_id * | watchlist_id<br>watchlist_name<br>description<br>tags_enabled<br>alerts_enabled<br>create_timestamp<br>last_update_timestamp<br>report_ids | Custom Detections: org.watchlists - READ | Enterprise EDR | 1.0.0 |
set device policy | Set device policy of a Carbon Black Cloud endpoint. | device_id *<br>policy_id **<br>policy_name ** | policy_id<br>policy_name<br>device_id | Policies: org.policies - READ<br>Device: device.policy - UPDATE<br>Device: device - READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
test connectivity | Validate the asset configuration for connectivity with the supplied configuration. | - | - | Alerts: org.alerts - READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
unban hash | Unban process by hash in Carbon Black Cloud. | process_hash * | process_hash | Applications: org.reputations - READ, CREATE, DELETE<br>Unified Binary Store: ubs.org.sha256 - READ | Endpoint Standard, Enterprise EDR | 1.0.0 |
unquarantine device | Unquarantine device in Carbon Black Cloud. | device_id * | device_id | Device: device - READ<br>Device: device.quarantine - EXECUTE | Endpoint Standard, Enterprise EDR | 1.0.0 |
update feed | Update a feed in Carbon Black Cloud. | feed_id *<br>feed_name *<br>feed_provider_url *<br>feed_summary *<br>feed_category * | feed_id | Custom Detections: org.feeds - UPDATE | Enterprise EDR | 1.0.0 |
update watchlist | Update a watchlist in Carbon Black Cloud. | watchlist_id *<br>watchlist_name *<br>watchlist_description<br>watchlist_tags_enabled<br>watchlist_alerts_enabled<br>add_report_ids<br>remove_report_ids | watchlist_id | Custom Detections: org.watchlists - UPDATE | Enterprise EDR | 1.0.0 |
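The setup steps tell you to grant only the permissions the actions you enable require, and the table above lists them per action. The helper below is an added example (not part of the app or its documentation) that derives the least-privilege access level from a subset of the table, reports verbs the configured access level is missing, and flags verbs no enabled action uses. It accepts both the `Alerts (org.alerts) - READ` form used in the setup steps and the `Alerts: org.alerts - READ` form used in the table; the embedded permission strings are copied from the table for a few actions.

```python
import re
from collections import defaultdict

# "Access Level Required" strings copied from the table for a few actions
# (constructed subset for this example; extend it from the table as needed).
ACTION_PERMISSIONS = {
    "quarantine device": ["Device: device - READ",
                          "Device: device.quarantine - EXECUTE"],
    "dismiss alert": ["Alerts: org.alerts - READ",
                      "Alerts: org.alerts.dismiss - EXECUTE"],
    "get asset info": ["Device: device - READ"],
    "ban hash": ["Applications: org.reputations - CREATE, DELETE",
                 "Unified Binary Store: ubs.org.sha256 - READ"],
    "get cleared eventlogs": ["Live Query: livequery.manage - CREATE,READ,UPDATE,DELETE"],
    "test connectivity": ["Alerts: org.alerts - READ"],
}

# Matches "Category: key - VERB, VERB" (table) and "Category (key) - VERB" (setup steps).
PERM_RE = re.compile(r"^[^:(]+?\s*(?::|\()\s*(?P<key>[\w.]+)\)?\s*-\s*(?P<verbs>.+)$")

def parse_permission(line):
    """Return (permission key, set of upper-case verbs) for one permission line."""
    m = PERM_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised permission line: {line!r}")
    verbs = {v.strip().upper() for v in m.group("verbs").split(",") if v.strip()}
    return m.group("key"), verbs

def required_permissions(actions, table=ACTION_PERMISSIONS):
    """Union of verbs per permission key needed by the enabled actions (sorted)."""
    needed = defaultdict(set)
    for action in actions:
        for line in table[action]:
            key, verbs = parse_permission(line)
            needed[key] |= verbs
    return {k: sorted(v) for k, v in sorted(needed.items())}

def _granted(granted_lines):
    granted = defaultdict(set)
    for line in granted_lines:
        key, verbs = parse_permission(line)
        granted[key] |= verbs
    return granted

def missing_permissions(granted_lines, actions, table=ACTION_PERMISSIONS):
    """Verbs an enabled action needs that the access level does not grant."""
    granted = _granted(granted_lines)
    needed = required_permissions(actions, table)
    return {k: sorted(set(v) - granted[k]) for k, v in needed.items() if set(v) - granted[k]}

def excess_permissions(granted_lines, actions, table=ACTION_PERMISSIONS):
    """Granted verbs that no enabled action uses: candidates to remove from the access level."""
    granted = _granted(granted_lines)
    needed = required_permissions(actions, table)
    return {k: sorted(v - set(needed.get(k, []))) for k, v in sorted(granted.items())
            if v - set(needed.get(k, []))}
```

Paste the RBAC lines of your access level into `granted_lines` and the action names you enable into `actions`; an empty `missing_permissions` result means Test Connectivity and those actions have what they need.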
Viewing App Logs
The Carbon Black Cloud App uses the standard Splunk SOAR logging system. For details about logging, see Logging levels for Splunk SOAR.
Multi-Tenancy
Enable multi-tenancy to allow one security team to manage multiple independent customers while segregating their customers' assets and data. For example, a Managed Security Service Provider (MSSP) business can use multi-tenancy to perform incident response for multiple clients with one analyst team on a single Splunk SOAR (On-premises) instance and maintain customer separation. The MSSP SOC can administer each customer's data set without needing a separate login and permissions configuration. To learn how to set up your multitenant environment, follow Splunk's Multitenant management.
Last modified on May 5, 2023