VMware Carbon Black Cloud allows a Carbon Black Cloud administrator or analyst interact with the CBC product.
Access questions and answers specific to VMware Carbon Black Cloud at https://answers.splunk.com. Be sure to tag your question with the name of the app: Carbon Black Cloud Splunk App.
Support Email: cb-developer-network@vmware.com
Support Offered: Splunk Answers, Community Engagement, Email
View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
Report bugs and change requests to Carbon Black Support.
If a support representative asks for it, a support diagnostic file can be generated. Use the following command to generate the file. Send the resulting file to support.
$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_app_for_splunk
Download VMware Carbon Black Cloud at https://splunkbase.splunk.com/app/TBD.
Follow these steps to install the app in a single server instance of Splunk Enterprise:
Deploy as you would any single App, and restart Splunk.
Navigate to the Application Configuration view.
Update the base eventtypes for data ingest, and alert action results.
Configure a proxy if needed.
Configure tenant information. Refer to the VMware Carbon Black Cloud documentation on how to retrieve an API key available here.
Install TA-vmware_app_for_splunk on the indexing tier.
Install IA-vmware_app_for_splunk on the data ingest tier (Heavy Forwarder is preferred)
Install VMware Carbon Black Cloud Full app on the search tier.
The AWS add-on for Splunk is required for configuring S3 inputs. The add-on can be downloaded from Splunkbase. This add-on will be used to configure inputs for this Splunk app. Before configuring any inputs it is recommended to create separate queues and S3 buckets for alert and endpoint events. A Carbon Black Event Forwarder must also be configured in order to forward data to the S3 buckets and to efficiently take in data, see the Event Forwarder Configuration section below.
An event forwarder must be created before any input can be received. This forwarder will be responsible for routing data to an S3 bucket where it can then be taken as input by Splunk. The forwarder can be created via the Carbon Black Event Forwarder API. The API configuration guide will go over the following:
Authentication
Quick S3 bucket setup with Postman
Creating a forwarder
Editing a forwarder
Deleting a forwarder
Returning configured forwarders
The API configuration guide also provide methods for checking the health of a forwarder, and proper authentication methods. The forwarder will output data in a compressed single-event-per-line JSON (.JSONL) format, following this naming pattern.
org_key={org_key}/year={year}/month={month}/day={day}/hour={hour}/minute={minute}/second={second}/{uuid}.jsonl.gz
NOTE: alerts and events are forwarded separately.
Before configuring the AWS inputs make sure that the AWS add-on is properly installed in your Splunk environment. Details for installing the add-on can be found on the Splunk documentation site at Splunk documentation for the Splunk AWS add-on https://docs.splunk.com/Documentation/AddOns/released/AWS/Distributeddeployment . This documentation provides helpful information regarding the app and configuration settings.
There are two methods to configure inputs, by utilizing generic S3 or SQS queues. To prevent event duplication, pick one method of configuration. See Configuring input in AWS add-on to pull S3 using generic S3 or Configuring input in AWS add-on to pull S3 using SQS S3 below.
Set up the account on the Configurations page in the AWS Add-on
Set up input on the Inputs page in the AWS Add-on
Create new input
Custom Data Type
Generic S3
Name: specify a name for this input
AWS Account: select account created in step 1
Assume Role: leave default
S3 Bucket: select S3 bucket that contains events
S3 Key Prefix:
Set to alerts to pull CB_ANALYTICS or WATCHLIST events
Set to events to pull events that are type endpoint.event.*
Start Date/Time: specify the first date you want to pull events from
End Date/Time: leave default unless you want to pull from a time range
Source Type:
Set to vmware:cbc:s3:alerts for S3 Prefix=alerts
Index: specify index where events should be written
Advanced Settings: can set polling interval here
Save input
Set up the account on the Configuration page in the AWS Add-on
Set up the input on the Inputs page in the AWS Add-on
Create new input
Custom Data Type
SQS-based S3
Name: specify a name that should be used for this input
AWS Account: select account created in step 1
Assume Role: leave default
AWS Region: select US East (N. Virginia)
SQS Queue Name: select queue that you created in AWS
SQS Batch Size: leave 10
S3 File Decoder: leave at Custom Logs
Source Type:
Set to vmware:cbc:s3:alerts for alerts queue
Set to vmware:cbc:s3:events for events queue
Index: specify index where events should be written
NOTE: If you need to reload older events and are using SQS to pull buckets the events will not be available in the queue once they are retrieved. To view historical events or reload data you must use the generic S3 option. Otherwise copy the events to another prefix to copy it to the queue.
CBC Alerts Overview and CBC Alerts Detail dashboards
You need to either have an input configured to pull via the CBC Event Forwarder using S3 or via the CBC API (using the Administration/Application Configuration page, see documentation below on configuring the application inputs via this method)
The CBC Alerts Detail dashboard has the ability to click on a row in the alert details panel to view the associated endpoint events. In order for this panel to be populated you need an input to pull endpoint events. To pull these events you should use the CBC Event Forwarder and S3.
CBC Endpoint Event Overview
VMware Carbon Black Cloud is configured from the Application Configuration menu option under the Administration menu.
VMware Base Configuration
The options configured on this page will update settings in local/eventtypes.conf.
VMware Base Index: specify where the events from CBC will be searched.
VMware Action Index: specify where events generated from alert actions will be stored and/or searched.
Data model acceleration: enable acceleration for the VMWare_CBC data model
Tenants
Cloud organizations to be ingested. - Please review the documentation for setting up Carbon Black Cloud API Access keys:
Name: The generic name this input should be named. Disabled: This is a checkbox if the input is disabled. Severity: This is the minimum severity that will be pulled from the API Type: The Types of alerts to pull from the API. Tenant: The Tenant API Key to use for the API authorization. Proxy: The proxy configuration, if needed. Lookback (days): The number of historical days to pull from the API. Index: The Splunk Index in which to store the data Interval: The frequency (in seconds) that the API should poll for data. Range: 60-86400 Query: The Carbon Black Cloud compatible query to limit the alert results.Alert Actions
All available alert actions will be displayed on this page.
Credential type: specifies the type of credential that should be used for this alert action. This cannot be changed.
Tenant: specify the tenants that should be used for this alert action. If using multi-tenancy you need to specify all applicable tenants.
NOTE: Do not modify any configurations in ``/default``. Doing so will cause your changes to be overwritten when the app is upgraded. Create the appropriate configuration files in ``/local`` and copy the stanzas you need to change and make your changes in these configuration files.
VMware Carbon Black Cloud includes a datamodel: VMWare_CBC . The VMWare_CBC data model is a clone of the Alert and Endpoint data models from the Splunk CIM. This data model is not accelerated by default, however accelerating this data model will improve dashboard performance. The data model acceleration setting can be changed in the app under Administration/Application Configuration. Check the setting Acceleration Enabled on the main page.
Make sure that the event types and macros for the app are configured properly prior to acceleration.
VMware Carbon Black Cloud includes the following macros that control dashboard searches.
vmware_tstats
tstats prestats=false local=false summariesonly=`VMWare_CBC_summariesonly` `.vmware_tstats_pre
vmware_tstats with the exception that prestats=true. To use this macro in dashboards replace vmware_tstats in all applicable dashboards.VMWare_CBC_summariesonly
vmware_tstats and vmware_tstats_pre macros. By default summariesonly=false. Enabling summariesonly will improve the perfomrance of searches on the dashboards in this app.To enable summariesonly create $SPLUNK_HOME$/etc/apps/vmware_app_for_splunk/local/macros.conf and add this stanza:
[VMWare_CBC_summaries_only] definition = true
VMware Carbon Black Cloud includes the following dashboards.
CBC Alerts Overview
CBC Endpoint Event Overview
CBC Alert Details
This dashboard contains detailed information about the alerts received from the CBC appliance. By clicking on a row in the alert details you can get an expansion panel that displays endpoint event details. You must have endpoint events for any endpoint events to display. From the endpoint event details panel you can click on the following fields to open a new window with the actual raw endpoint events:
device_id
device_name
device_external_ip
process
parent_cmdline
process_hash
parent_hash
process_guid
Application Health Overview (under the Administration menu option)
VMware Carbon Black Cloud includes the following saved searches (default/savedsearches.conf).
vmware_example_for_alerting VMware Carbon Black Cloud includes the following health checks in the Monitoring Console health check list(default/checklist.conf).
Initial Release
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.