Carbon Black Cloud Splunk App - Release Notes

Release notes

Version 2.0.0

Version 2.0 contains breaking changes. See What to do before upgrading to v2.0.0 before starting your upgrade.

Note: v1.x has been deprecated and will be deactivated July 31, 2024. Upgrade to v2.0 before then to avoid data loss.

Breaking Changes:

Alerts input has been changed to Alert API v7 and Data Forwarder Alert Schema v2.0.0. Some fields in the earlier versions have been renamed or removed from the new versions.
Live Response requires an API key with an Access Level of type CUSTOM.
Audit Log ingest should be updated after this upgrade to use an API key with an Access Level of type CUSTOM. It must be updated before October 31st 2024 when the Access Level type API will be deactivated.
Deprecated the Alert Action Enrich CB Analytics Event. The action VMwareCBC Enrich Alert Observations has been added and can enrich more Alert types.

New Features

Upgraded to use the Alerts v7 API & Data Forwarder Schema v2
- Customers using the built-in alert input will have access to significantly improved metadata and alert types. A complete list of new, renamed, and removed fields is available in the Migration Guide.
- See these blogs for more information about the benefits of the Alert v7 API and data Forwarder Alert Schema v2.
- Some customers may see a decrease in alert volume, as Observed alerts have migrated to Observations.
  - In the CBC Splunk app 1.x, these alerts were denoted by category = MONITORED
- All Alert types are ingested: CB Analytics, Container Runtime, Watchlist, Device Control, Host Based Firewall, Intrusion Detection System
New action to enrich Carbon Black Cloud Alerts with Observations

Improvements

Live Response action now uses a Custom API key. This enables improved security posture by granting API keys only the permissions required.
Audit Log ingest now uses a Custom API key. This enables improved security posture by granting API keys only the permissions required.

Note: For full v2.0.0 upgrade documentation, see the Installation and Configuration Guide

Version 1.1.10

New Features
- New Modular Input for Authentication Events
- New Alert Action to enrich Alerts with related Observations
  - More detail about observations is available here
Improvements
- On the configuration page, the label Disabled has been changed to Active
Fixes
- Fixed logic regression with Live Query Inputs
- In multiple modular inputs, decimal notation IP address are converted to string notation
- Improved mapping between Data Forwarder input and Dashboards

Version 1.1.9

Fixes
- Updated Alert Actions for better consistency
- Reviewed and updated for CIM 5.1

Version 1.1.8

Fixes
- Fix Carbon Black Cloud configuration of Alert Actions from not being displayed in Splunk Cloud

Version 1.1.7

Fixes
- Updated vulnerability input to better perform paginating of large data sets. 10K is now the default limit per request.
- Update Alert Actions for better Enterprise Security integration.
- Fixed bug in main index configuration interface.

Version 1.1.6

Fixes
- Updated Alert Action to allow Splunk index naming conventions.

Version 1.1.5

Fixes
- Updated client handler to process more than 2500 remediation results without a failure in code.
- Updated client handler to capture 410 errors on live query result histories, and save the checkpoint.
- Backoff timing when making API calls for the ProcessGUID action for calls that take a longer period to complete.

Version 1.1.4

Improvements
- Improved reliability of saving new & updated app configurations
- Added source type for Watchlist Hits via the Data Forwarder, vmware:cbc:s3:watchlist:hits

Version 1.1.3

Fixes
- Set trigger to reload custom config files
- Removed settings that are not used
- Removed links to a deprecated library

Version 1.1.2

Improvements
- Set SimpleXML Version Tag
Fixes
- Check Splunk 8.1 and 8.2 compatability with jQuery 3.5
- Add validation checks for trailling slash on Carbon Black Cloud URL
- Prevent App showing CBC and EDR alert Actions
- Fix broken tabs in Splunk 8.2

Version 1.1.1

Known Issues
- Splunk App Alert Input returns 500 error
Improvements
- Updated CBC SDK to v1.2.3 - Release Notes
- Added a warning when more than one VMware CBC App is installed on the node. If you see this message, reference the Deployment Guide below and delete extra copies of VMware CBC apps/add-ons
- Added an app configuration demo video
- Added a Splunk FAQ to Developer Network
Fixes
- Fixed Proxy issue
- Fixed error with Checkboxes on Proxy Configuration Tab
- Updated logging modules to respect log.cfg settings

Version 1.1.0

New Features
- Data Input - Audit Logs
- Data Input - Live Query Results
- Data Input - Vulnerability Assessment
- Dashboard - Devices
- Dashboard - Processes
- Dashboard - Vulnerabilities
- Alert Action - Run Live Query
- Alert Action - Dismiss Alert
- Alert Action - Update Device Policy
- Alert Action - Process GUID Details
- Alert Action - Ban Hash
- Alert Action - Enrich CB Analytic Events
- Command - CBC Device Info
- Command - CBC Hash Info
Improvements
- Events Dashboard performance improvements
- Update “Top 10 CB Analytics” panel
- Stability improvements in Alerts Inputs

Version 1.0.0

Initial Release

Give Feedback

New survey coming soon!

Last modified on January 26, 2024

Carbon Black Cloud

Page Contents