The VMware Carbon Black EDR App for Splunk lets administrators leverage the industry’s leading EDR solution to detect and take action on endpoint activity directly from within Splunk.
You can install the latest version from here.
Built-in dashboards provide you with a quick health check on your Carbon Black EDR server, the status of your Carbon Black EDR deployment, and an overview of detected threats on your network. Eight example dashboards are distributed with this app; not all of them will be populated with data, because each depends on which event types are being forwarded to Splunk via the Carbon Black Event Forwarder.
You can use custom commands in your Splunk pipeline to access Splunk’s visualization and searching capability on Carbon Black EDR data, without ingesting all of the raw endpoint data into Splunk.
sensorsearch: Search for sensors by IP address or hostname.
processsearch: Search for processes in your Carbon Black EDR server.
binarysearch: Search for binaries in your Carbon Black EDR server.
The Carbon Black EDR Splunk app currently includes three Adaptive Response Alert Actions that allow you to take action directly from the Splunk console. The actions occur as either a result of automated correlation searches or on an ad-hoc basis through the Splunk Enterprise Security Incident Review page.
Included in this release are 58 saved searches to jump-start Threat Hunting from within the Splunk environment.
This app includes workflow actions to provide additional context from Carbon Black EDR on events that originated from any product that pushes data to your Splunk server. These context menu items include the following:
This app requires a functional Carbon Black EDR server, version 5.1 or above, and Splunk version 8.x or above. The app works with Carbon Black EDR clusters. The Carbon Black EDR Unified View (Federated) server is not currently supported.
After the Carbon Black EDR app for Splunk is installed, you must configure it to connect to your Carbon Black EDR server by using the Carbon Black EDR REST API. For more information on the Carbon Black EDR REST API and how to generate an API key, see the Carbon Black Developer Network.
The Carbon Black EDR app for Splunk uses a Carbon Black EDR API key to do the following:
Run the sensorsearch, processsearch, and binarysearch custom commands by performing searches via the Carbon Black EDR API.
To configure the Carbon Black EDR app for Splunk to connect to your Carbon Black EDR server:
Enter the URL of your Carbon Black EDR server in the URL field. For example, enter:
Note: SSL validation is enabled by default.
To disable SSL validation, create $SPLUNK_HOME/etc/apps/DA-ESS-CbResponse/local/DA-ESS-CbResponse_Settings.conf with the following content:
The Carbon Black EDR app for Splunk uses Splunk’s encrypted credential storage facility to securely store the API token for your Carbon Black EDR server.
To change the API key or Carbon Black EDR server URL after the Splunk app has been set up, visit the setup page at
After the app is installed, a new icon showing the VMware Carbon Black EDR logo appears on the left-hand side of the Splunk front page. Clicking the logo brings you to the default dashboard of the Carbon Black EDR app for Splunk. Additional dashboards include an overview of endpoint status, including a breakdown of OS and sensor versions, as well as data on the latest new binaries seen in the environment.
The Process, Binary, and Sensor Search dashboards allow you to perform Carbon Black searches directly from within Splunk. These dashboards use the respective custom commands to perform the search through the REST API without ingesting the data into Splunk. The results are displayed on the same screen. You can also use Carbon Black search features using custom search commands.
The Splunk app includes three custom commands to perform searches on the Carbon Black datastore from Splunk: binarysearch, processsearch, and sensorsearch. These three commands have corresponding views in the Carbon Black app: Binary Search, Process Search, and Sensor Search.
To use the custom commands in your Splunk searches, first make sure that you’re using the Carbon Black EDR context by invoking the search through the Splunk > Search menu in the Carbon Black EDR app. You can use any of the search commands by appending the Carbon Black EDR query as a “query” parameter. For example:
| sensorsearch query="ip:172.22.5.141"
sends an API request to Carbon Black EDR to query for all sensors that have reported an IP address of 172.22.5.141. The result of this query can be piped through to other Splunk commands for aggregation, visualization, and correlation.
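The following search is an added example and is not part of the app's documentation. It shows the correlation use case described above: IP addresses taken from events already ingested in Splunk (a constructed firewall index named firewall with src_ip, action and dest_port fields, assumed here for illustration) are resolved to Carbon Black EDR sensors by running sensorsearch once per address through Splunk's map command. The output field names (id, computer_name, status, last_checkin_time) are assumed to match the sensor record fields the EDR REST API returns; verify them against your own sensorsearch output before relying on them.

```spl
index=firewall action=blocked dest_port=4444
| stats count AS blocked_connections BY src_ip
| where blocked_connections > 10
| map maxsearches=20 search="| sensorsearch query=\"ip:$src_ip$\"
    | eval src_ip=\"$src_ip$\"
    | table src_ip id computer_name status last_checkin_time"
| sort - src_ip
```

The where clause keeps the number of REST calls to the EDR server proportional to the hosts that actually crossed the threshold, and maxsearches caps it outright, so a noisy firewall index cannot turn one scheduled search into a flood of API requests against the EDR server.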
To update the base EDR index for macros and eventtypes, change
Several example reports and saved searches are included in this app release. You can find a full list of these searches under the Settings > Searches, Reports, and Alerts menu item in the Carbon Black EDR app. None of these are run or scheduled to run by default, and some will not return any data unless certain data types (netconns, procstarts, etc.) are forwarded via the Carbon Black Event Forwarder into Splunk.
The Carbon Black EDR app for Splunk now integrates with Splunk’s Adaptive Response framework and provides three Adaptive Response Alert Actions: Isolate Endpoint, Ban MD5 Hash, and Kill Process.
Each of these Actions can be performed either on an ad-hoc basis on a notable event surfaced in Enterprise Security, or on an automated basis as part of a Splunk Correlation Search. In addition, the Isolate Endpoint and Ban MD5 Hash actions can be invoked based on search results from any Splunk search, as long as a field is present that provides an IP address (for Isolate Endpoint) or an MD5 hash (for Ban Hash). Currently, only events that are surfaced via the Carbon Black Event Forwarder can be used as input for the Kill Process alert action.
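As an added example (not part of the app's documentation), the search below is the kind of correlation search that can drive the Ban MD5 Hash action: its results carry an md5 field, which the text above states is the only requirement for that action. It searches the forwarded Carbon Black EDR alert events (tag=alert, the same selector the app's data model uses) and aggregates per hash. The event field names md5, hostname, watchlist_name, feed_name and report_score are assumed to be those produced by the Carbon Black Event Forwarder for alert events; check them against a sample event in your index first.

```spl
tag=alert
| stats count AS hits,
        dc(hostname) AS hosts,
        values(watchlist_name) AS watchlists,
        values(feed_name) AS feeds,
        max(report_score) AS max_score
  BY md5
| where hosts >= 3 AND max_score >= 80
| eval md5=lower(md5)
| table md5 hits hosts watchlists feeds max_score
```

The where clause is the safety margin: an automated ban is irreversible from the endpoint's point of view until an administrator lifts it, so the search only emits hashes that were flagged with a high report score on several hosts rather than banning on a single watchlist hit. Run it unscheduled first and review the md5 column before attaching the action.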
Workflow Actions allow you to pivot into Carbon Black searches from standardized fields. The Carbon Black EDR app for Splunk includes Workflow Actions with context about events in any Splunk view, including Enterprise Security’s Notable Event table.
To perform a workflow action, drill down into an event and click the Event Actions button. The available workflow actions from this app are displayed. You can also pivot directly from a field if a workflow action is available for that field.
The following Workflow Actions are included:
In addition, for events that were generated by Carbon Black EDR (forwarded into Splunk via the Carbon Black Event Forwarder), additional Workflow Actions provide deep links into the Carbon Black EDR console directly from the event in Splunk, where applicable. These deep links require the Carbon Black Event Forwarder to be configured to generate these links at event generation time (see the Carbon Black Event Forwarder configuration file for more details).
This app contains one data model, which represents Carbon Black alerts plus watchlist/feed hits. The data model CbR_Alert is generated by searching for Carbon Black EDR events with the query tag=alert. This data model is accelerated by default.
In addition, the saved search CbResponse Alert Activity is scheduled to run once per day by default.
The Carbon Black EDR App for Splunk writes its log files into the standard Splunk log directory. The following log files (at $SPLUNK_HOME/var/log/splunk) are used by the App:
da-ess-cbresponse.log: main log file for common Carbon Black EDR helper functions, including the search Custom Commands
isolate_modalert.log: log file for the Isolate Endpoint Adaptive Response Action
banhash_modalert.log: log file for the Ban Hash Adaptive Response Action
killprocess_modalert.log: log file for the Kill Process Adaptive Response Action