The Carbon Black App for Splunk allows administrators to leverage the industry's leading EDR solution to see, detect and take action upon endpoint activity from directly within Splunk.
Note : As of version 2.1.0, SSL Validation for communication with the Cb Response server is now enabled by default. This is required for Splunk Cloud certification. If you are using this app with your on-premise Cb Response server, you will have to manually disable SSL validation in the app's .conf file.
To disable SSL validation for on-premise installs of Splunk and Cb Response, create a file named
/opt/splunk/etc/apps/DA-ESS-CbResponse/local/DA-ESS-CbResponse_Settings.conf with the following contents:
[ssl_info] ssl_verify = false
This app requires a functional Carbon Black server, version 5.1 or above, and Splunk version 6.4 or above.
The app works with Cb Response clusters. Currently the Cb Response Unified View (Federated) server is not supported.
No additional hardware requirements are necessary for running this app above the standard requirements for both Carbon Black and Splunk.
For a video overview on how to install the Splunk app, including how to use the Cb Response Event Forwarder to forward alert and raw endpoint data into Splunk, watch the Splunk Integration Video on the Developer Network website.
Once the Cb Response app for Splunk is installed, then you must configure it to connect to your Cb Response server. This is done by using the Cb Response REST API. For more information on the Cb Response REST API and how to generate an API key, see the Cb Developer Network.
The Cb Response app for Splunk uses a Cb Response API key to:
binarysearchcustom commands by performing searches via the Cb Response API.
To configure the Cb Response app for Splunk to connect to your Cb Response server:
The Cb Response app for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your Cb Response server, so the API key is stored securely on the Splunk server.
Cb Response Binary Status: Display information about attempts to execute banned processes, and information on new executables and shared libraries discovered by Cb Response.
Custom Commands: These commands can be used in your Splunk pipeline to use the power of Splunk's visualization and searching capability against Cb Response data, without ingesting all of the raw endpoint data into Splunk itself.
sensorsearch: Search for sensors in your Cb Response server by IP address or hostname
processsearch: Search for processes in your Cb Response server
binarysearch: Search for binaries in your Cb Response server
Adaptive Response Alert Actions: Splunk's new Adaptive Response capability now allows you to take action straight from the Splunk console. The Cb Response Splunk app currently includes three Adaptive Response Alert Actions that allow you to take action either as a result of automated Correlation Searches or on an ad-hoc basis through the Splunk Enterprise Security Incident Review page.
Isolate Sensor: isolate a given endpoint from the network. The endpoint to isolate can be specified by either a custom IP address field (shown below) or a sensor ID that’s provided in Carbon Black Response events plumbed through to Splunk. Network isolation is useful when malware is active on an endpoint, and you need to perform further investigative tasks (for example, retrieving files or killing processes through Carbon Black Live Response) remotely from your management console, but at the same time prevent any connections to active C2 or exfiltration of sensitive data.
Saved Searches: Included in this release are 58 saved searches to jump-start Threat Hunting from within the Splunk environment, thanks to community contributions from Mike Haag and others.
Workflow Actions: This app includes workflow actions to provide additional context from Cb Response on events originated from any product that pushes data into your Splunk server. These context menu items include:
Once the app is installed, a new icon appears on the left hand side of the Splunk front page with the Cb Response logo. Clicking the logo brings you to the default dashboard of the Cb Repsonse for Splunk app. Additional dashboards include an overview of endpoint status, including a breakdown of OS and sensor versions, as well as data on the latest new binaries seen in the environment.
The Process, Binary, and Sensor Search dashboards allow you to perform Cb searches directly from within Splunk. These dashboards use the respective custom commands to perform the search through the REST API without ingesting the data into Splunk. The results will be displayed within the same screen. Users can also use Carbon Black search features using the following custom search commands.
Example: processsearch query="process_name:cmd.exe"
Example: binarysearch query="md5:fd3cee0bbc4e55838e65911ff19ef6f5"
The Splunk app includes three custom commands to perform searches on the Carbon Black datastore from Splunk:
sensorsearch. These three commands also have corresponding views in the Carbon Black app: "Binary Search", "Process Search", and "Sensor Search".
To use the custom commands in your Splunk searches, first ensure that you’re using the Cb Response context by invoking the search through the Splunk > Search menu inside the Cb Response app. Then you can use any of the search commands by appending the Cb Response query as a “query” parameter. For example:
| sensorsearch query=”ip:172.22.5.141”
will send an API request to Cb Response to query for all sensors that have reported an IP address of 172.22.5.141. The result of this query can be piped through to other Splunk commands for aggregation, visualization, and correlation.
Several example reports and saved searches are included in this app release. A full list of these searches can be found by the Settings > Searches, reports, and alerts menu item from the Cb Response app. Note that none of these are run or scheduled by default, and some will not return any data unless certain data types (netconns, procstarts, etc) are forwarded via the Cb Event Forwarder into Splunk.
The Cb Response app for Splunk now integrates with Splunk’s Adaptive Response framework and provides three Adaptive Response Alert Actions:
Each of these Actions can be performed either on an ad-hoc basis on a notable event surfaced in Enterprise Security, or on an automated basis as part of a Splunk Correlation Search. In addition, the Isolate Endpoint and Ban MD5 Hash actions can be invoked based on search results from any Splunk search, as long as a field is present that provides an IP address (for Isolate Endpoint) or an MD5 hash (for Ban Hash). Currently, only events surfaced via the Cb Event Forwarder can be used as input for the Kill Process alert action.
Workflow Actions allow users to pivot into Carbon Black searches from standardized fields. The Cb Response app for Splunk includes Workflow Actions that provide you with context about events in any Splunk view, including Enterprise Security’s Notable Event table. To Perform a workflow action, drilldown into an event and click the 'Event Actions' button. From this menu the available workflow actions from this app will be displayed. A User can pivot directly from a field given that a workflow action is available for that field. The following Workflow Actions are included:
In addition, for events that were generated by Cb Response (forwarded into Splunk via the Cb Event Forwarder), additional Workflow Actions are enabled to provide deep links into the Cb Response console directly from the event in Splunk, where applicable. These deep links require the Cb Event Forwarder to be configured properly to generate these links at event generation time (see the Cb Event Forwarder configuration file for more details).
This app contains one Data Model, representing Cb alerts plus watchlist/feed hits.
This data model is accelerated by default.
None of the saved searches included in this app are scheduled to run by default.
For issues with this app, please post on the Carbon Black User eXchange.
When you contact Carbon Black Support with an issue, please provide the following:
The Cb Response App for Splunk writes its log files into the standard Splunk log directory. The following log files (all located under $SPLUNK_HOME/var/log/splunk) are used by the App:
Note : **SSL Validation for communication with the Cb Response server is now enabled by default.** This is required for Splunk Cloud certification. If you are using this app with your on-premise Cb Response server, **you will have to manually disable SSL validation in the app's .conf file**.
To disable SSL validation for on-premise installs of Splunk and Cb Response, create a file named /opt/splunk/etc/apps/DA-ESS-CbResponse/local/DA-ESS-CbResponse_Settings.conf with the following contents:
ssl_verify = false
This release includes several bug fixes:
* Improve logging in Adaptive Response actions
* Set default time period in default dashboards to previous 24 hours
* Remove saved searches that have errors
* Standardize on `cb` macro to search Cb Response data forwarded into the Splunk app
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.