Carbon Black Cloud Splunk App - Troubleshooting
Frequently Asked Questions
- What features are included with the new Splunk app?
- For the full list of features available in the current version of the app, view the details on SplunkBase.
- Highlights of the features in this app:
- Data Inputs
- Support for high volume, low latency Alerts & Endpoint Events via the Data Forwarder
- Support for Alerts, Audit Logs, Live Query Results, and Vulnerability Assessment data via a built-in input using the Carbon Black Cloud APIs
- Supported on Splunk 8.0, 8.1, 8.2, Splunk Cloud, and Splunk ES 6.x
- Proxy and Multi-tenancy
- Enables alert actions & adaptive response to automate context gathering and remediation
- For example, if Carbon Black Cloud detects LSASS memory scraping, automatically get the logged in users and move the device to a more restrictive policy
- Data Inputs
- Is there is a way to bring in the Carbon Black Cloud audit logs to Splunk?
- Yes. See Audit Logs under the Input Configuration
- Do we have a document outlining how to install & configure the new version of Splunk for Carbon Black Cloud?
- Splunk Configuration
- User Guide
- A video demoing the configuration is available here
- Is it a requirement to use the data forwarder?
- The Forwarder is the recommended approach for ingesting Alerts and Endpoint Events into Splunk due to its reliability, scale, and low latency. This approach is required to ingest Endpoint Event data.
The alternative is to use the built-in inputs packaged with the VMware Carbon Black Cloud App or Input Add-on, which leverages the Carbon Black Cloud REST APIs. This approach supports ingesting the enriched events associated with CB Analytics Alerts through an Alert Action.
- The Forwarder is the recommended approach for ingesting Alerts and Endpoint Events into Splunk due to its reliability, scale, and low latency. This approach is required to ingest Endpoint Event data.
- Can the VMware Carbon Black Cloud Splunk App ingest only the Alerts and not the event data or the audit information?.
- The app does not require all of the data however parts of the dashboards may not be available if it relies on data types that are not ingested.
-
What is the URL that we should be using for API configuration?
- When configuring the Carbon Black Cloud Environment URL for API Token Configuration, use the dashboard URL without the
https://Full detail on the URLs for each environment are available here.
- When configuring the Carbon Black Cloud Environment URL for API Token Configuration, use the dashboard URL without the
- We are using an earlier Splunk TA which was last updated in 2015. Do you know if and when a new Splunk TA will be updated?
- A new VMware Carbon Black Cloud app available on SplunkBase supports distributed environments and includes new Input and Technology add-ons.
Customers who are on Splunk 8.0+ should move to the new app to take advantage of improved data ingest options and a larger range of adaptive response features. Customers on Splunk 7.0 should upgrade the version of Splunk to use the new Carbon Black Cloud app.
- A new VMware Carbon Black Cloud app available on SplunkBase supports distributed environments and includes new Input and Technology add-ons.
- Is there a limit to the number of alerts that are pulled from the API on each sync when using the built-in Input?
- Yes,
10,000
If your organization has more than 10,000 alerts each polling interval, you can:- Tune alerts to reduce overall alert volume
- CB Analytics alerts that are known-good in your environment can be tuned from the Carbon Black Cloud console using the
Dismiss all future alertsfunctionality - Follow recommendations from our Threat Research team here
- CB Analytics alerts that are known-good in your environment can be tuned from the Carbon Black Cloud console using the
- Modify the configured Alert Input
- Increase the minimum severity
- Use the Query to filter out alerts you aren’t finding value in
- Change the polling interval from the default of 300 seconds to 120 or 60 seconds.
- Switch to ingesting Alerts via the Forwarder
- Tune alerts to reduce overall alert volume
- Yes,
- Is there a limit to the number of Audit Logs that are pulled on each sync?
- Yes,
2500.
- Yes,
- What version of Splunk is supported for Carbon Black Cloud?
- Splunk version
8.0 or higher. If you are using Splunk version 7.x, you will need to upgrade the version of Splunk to use the new Carbon Black Cloud app.
- Splunk version
- Do we have any Splunk documentation to reference for customers that wish to ingest the Carbon Black Cloud Data Forwarder data into Splunk?
- Configuring the forwarder for Events and Alerts is available here.
- An end-to-end configuration video is available on the Carbon Black User Exchange
- A step-by-step guide on configuring ingest from an AWS S3 bucket to Splunk
- Data Forwarder Configuration API Documentation
- Does the app use the Splunk CIM?
- Yes, it uses the
EventandAlertmodels from the Splunk CIM.
- Yes, it uses the
- Is the app certified by Splunk?
- The app has been verified by AppInspect and is under assessment for Splunk Cloud.
- What is the difference between the
Message TimeandTimestampfield in Splunk?- Carbon Black Cloud alerts and events contain a variety of timestamps to provide insight into various stages of the data. For example, an alert will contain the timestamp of when the first event was detected as well as the most recent alert update.
The App/TA will extract the most relevant timestamp field into the standard Splunk_timefield.
Descriptions of each timestamp can be found on the Developer Network documentation:
- Carbon Black Cloud alerts and events contain a variety of timestamps to provide insight into various stages of the data. For example, an alert will contain the timestamp of when the first event was detected as well as the most recent alert update.
- I’m not seeing the data I expect to be ingested.
- Check the
Administration–>Application Health Overviewtab in the VMware Carbon Black Cloud application for errors.
- Check the
- If you received one of the followinge errors:
Received error code 403,401 Unauthorized,User is not authenticatedorCheck your API credentials- Check that the configuration of API Token Configurations specifically the API key Access Levels is correct in the Carbon Black Cloud console, and that the correct key is assigned for the Splunk data input or alert action. See Authentication & Authorization for more information.
- How can I get support for problems I’m having with the App?
- The Carbon Black Cloud Splunk App is supported by Carbon Black; if you have a problem, open a support ticket like you would any other Carbon Black Cloud issue.
- The Carbon Black Cloud Splunk App is supported by Carbon Black; if you have a problem, open a support ticket like you would any other Carbon Black Cloud issue.
- If you are seeing the error message
More than 1 VMware CBC App detected- Refer to the Deployment Guide for which Apps/Add-ons should be installed on which node and fully delete (not just disable) extra copies of VMware CBC apps/add-ons from nodes where they are not needed. Then restart Splunk on that node.
-
Received network connection error from …
Ensure the hostname configured with your API token on the
Application Configuration->API Token Configurationpage does not includehttps://or a trailing slash. For more details verifying your URL see the Authentication GuideAre you using a proxy?
- The Proxy tab is configured in accordance with your proxy
- The Input or Alert Action is configured to use that proxy
- Restart Splunk
If the issue persists, check your proxy logs to see if there are requests from the Splunk server.
- Command line or username not available in the Alert
- See the Investigating CB Analytics Alerts query on Tech Zone.
Support
- View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
- Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
- Report bugs and change requests to Carbon Black Support.