Downloading VMware Carbon Black Cloud
SHA256 checksum (vmware-carbon-black-cloud_100.tgz) 2be0fd86c90870dbef365cb13d85be53dbac248f2520085e5344eadf5784110d

VMware Carbon Black Cloud

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgrades here.
The VMware Carbon Black Cloud App for Splunk is a single application to integrate your endpoint and workload security features and telemetry directly into Splunk dashboards, workflows and alert streams.

This application connects with any Carbon Black Cloud offering and replaces the existing product-specific Carbon Black apps for Splunk. This app provides a unified solution to integrate Carbon Black Cloud Endpoint and Workload offerings with Splunk Enterprise, Splunk Cloud, and Splunk Enterprise Security (ES). Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk.

For distributed Splunk environments, please use the Input Add-on (https://splunkbase.splunk.com/app/5333/) and the Technology Add-on (https://splunkbase.splunk.com/app/5334/).

VMware Carbon Black Cloud Documentation


About VMware Carbon Black Cloud

VMware Carbon Black Cloud allows a Carbon Black Cloud administrator or analyst to interact with the CBC product.

Support and resources

Questions and answers

Access questions and answers specific to VMware Carbon Black Cloud at https://answers.splunk.com. Be sure to tag your question with the name of the app: Carbon Black Cloud Splunk App.


Diagnostics Generation

If a support representative asks for it, a support diagnostic file can be generated. Use the following command to generate the file. Send the resulting file to support.

$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_app_for_splunk

Installation and Configuration


Download VMware Carbon Black Cloud at https://splunkbase.splunk.com/app/TBD.

Installation steps

Deploy to single server instance

Follow these steps to install the app in a single server instance of Splunk Enterprise:

  1. Deploy as you would any single App, and restart Splunk.

  2. Navigate to the Application Configuration view.

  3. Update the base eventtypes for data ingest, and alert action results.

  4. Configure a proxy if needed.

  5. Configure tenant information. Refer to the VMware Carbon Black Cloud documentation on how to retrieve an API key available here.

Deploy to Splunk Cloud

  1. Have your Splunk Cloud Support handle this installation.

Deploy to a Distributed Environment

  • Install TA-vmware_app_for_splunk on the indexing tier.

  • Install IA-vmware_app_for_splunk on the data ingest tier (Heavy Forwarder is preferred).

    • Configure the inputs for alerts on this tier. If API input is not needed, this tier is not required.

  • Install VMware Carbon Black Cloud Full app on the search tier.

    • Configure the Alert Actions, base event types, and optionally, the Data Model acceleration.

Configuring Event Forwarder & S3 Inputs

Requirements and recommendations

The AWS add-on for Splunk is required for configuring S3 inputs. The add-on can be downloaded from Splunkbase and is used to configure the inputs for this Splunk app. Before configuring any inputs, it is recommended to create separate queues and S3 buckets for alert and endpoint events. A Carbon Black Event Forwarder must also be configured to forward data to the S3 buckets so that the data can be taken in efficiently; see the Event Forwarder Configuration section below.

Event Forwarder Configuration

An event forwarder must be created before any input can be received. This forwarder will be responsible for routing data to an S3 bucket where it can then be taken as input by Splunk. The forwarder can be created via the Carbon Black Event Forwarder API. The API configuration guide will go over the following:

  • Authentication

  • Quick S3 bucket setup with Postman

  • Creating a forwarder

  • Editing a forwarder

  • Deleting a forwarder

  • Returning configured forwarders

The API configuration guide also provides methods for checking the health of a forwarder, and proper authentication methods. The forwarder will output data in a compressed single-event-per-line JSON (.JSONL) format, following this naming pattern.


NOTE: alerts and events are forwarded separately.

Configure input in AWS Add-On

Before configuring the AWS inputs, make sure that the AWS add-on is properly installed in your Splunk environment. Details for installing the add-on can be found in the Splunk documentation for the Splunk AWS add-on at https://docs.splunk.com/Documentation/AddOns/released/AWS/Distributeddeployment. This documentation provides helpful information regarding the app and configuration settings.

There are two methods to configure inputs: generic S3 or SQS-based S3. To prevent event duplication, pick only one of the two methods. See Configuring input in AWS add-on to pull S3 using generic S3 or Configuring input in AWS add-on to pull S3 using SQS S3 below.

Configuring input in AWS add-on to pull S3 using generic S3

  • Set up the account on the Configurations page in the AWS Add-on

  • Set up input on the Inputs page in the AWS Add-on

    • Create new input

    • Custom Data Type

    • Generic S3

      • Name: specify a name for this input

      • AWS Account: select account created in step 1

      • Assume Role: leave default

      • S3 Bucket: select S3 bucket that contains events

      • S3 Key Prefix:

        • Set to alerts to pull CB_ANALYTICS or WATCHLIST events

        • Set to events to pull events that are type endpoint.event.*

      • Start Date/Time: specify the first date you want to pull events from

      • End Date/Time: leave default unless you want to pull from a time range

      • Source Type:

        • Set to vmware:cbc:s3:alerts for S3 Prefix=alerts

        • Set to vmware:cbc:s3:events for S3 Prefix=events

      • Index: specify index where events should be written

      • Advanced Settings: can set polling interval here

  • Save input
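
A mismatch between S3 key prefix and source type puts alerts and endpoint events under the wrong source type. The following check is an added example, not part of the app or the AWS add-on: it reads one forwarder object and reports lines that do not belong under its prefix. It assumes gzip compression, an event field named `type`, and keys whose first path component is the prefix; the function name and sample data are constructed for illustration.

```python
import gzip
import io
import json

# Key prefix -> (source type, test on the event type), both as listed above.
ROUTES = {
    "alerts": ("vmware:cbc:s3:alerts", lambda t: t in ("CB_ANALYTICS", "WATCHLIST")),
    "events": ("vmware:cbc:s3:events", lambda t: t.startswith("endpoint.event.")),
}

def check_object(key, blob, type_field="type"):
    """Return (sourcetype, ok_count, problems) for one forwarder object."""
    prefix = key.split("/", 1)[0]  # assumption: prefix is the first path component
    if prefix not in ROUTES:
        raise ValueError(f"key {key!r} is under neither alerts/ nor events/")
    sourcetype, type_ok = ROUTES[prefix]
    ok, problems = 0, []
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8") as fh:  # assumption: gzip
        for lineno, line in enumerate(fh, 1):
            if not line.strip():
                continue
            try:
                event = json.loads(line)  # one event per line (.JSONL)
            except json.JSONDecodeError:
                problems.append((lineno, "not valid JSON"))
                continue
            etype = event.get(type_field) if isinstance(event, dict) else None
            if isinstance(etype, str) and type_ok(etype):
                ok += 1
            else:
                problems.append((lineno, f"type {etype!r} does not fit {sourcetype}"))
    return sourcetype, ok, problems

def _gz(lines):
    return gzip.compress("\n".join(lines).encode("utf-8"))

# Constructed sample objects, not real Carbon Black Cloud output.
SAMPLE_ALERTS = _gz([
    json.dumps({"type": "CB_ANALYTICS", "id": "a-1"}),
    json.dumps({"type": "WATCHLIST", "id": "a-2"}),
    json.dumps({"type": "endpoint.event.netconn", "id": "e-9"}),  # misrouted event
    '{"type": "WATCHLIST", "id":',                                # truncated line
])
SAMPLE_EVENTS = _gz([json.dumps({"type": "endpoint.event.procstart"})])

if __name__ == "__main__":
    print(check_object("alerts/constructed/sample.jsonl.gz", SAMPLE_ALERTS))
    print(check_object("events/constructed/sample.jsonl.gz", SAMPLE_EVENTS))
```
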

Configuring input in AWS add-on to pull S3 using SQS S3

  • Set up the account on the Configuration page in the AWS Add-on

  • Set up the input on the Inputs page in the AWS Add-on

    • Create new input

    • Custom Data Type

    • SQS-based S3

      • Name: specify a name that should be used for this input

      • AWS Account: select account created in step 1

      • Assume Role: leave default

      • AWS Region: select US East (N. Virginia)

      • SQS Queue Name: select queue that you created in AWS

      • SQS Batch Size: leave 10

      • S3 File Decoder: leave at Custom Logs

      • Source Type:

        • Set to vmware:cbc:s3:alerts for alerts queue

        • Set to vmware:cbc:s3:events for events queue

      • Index: specify index where events should be written

      • Advanced Settings: can set polling interval here

NOTE: If you need to reload older events and are using SQS to pull buckets, the events will not be available in the queue once they have been retrieved. To view historical events or reload data, you must use the generic S3 option. Otherwise, copy the events to another prefix so that they are copied to the queue.

Inputs required for this application to work properly

    • CBC Alerts Overview and CBC Alerts Detail dashboards

      • You need to either have an input configured to pull via the CBC Event Forwarder using S3 or via the CBC API (using the Administration/Application Configuration page, see documentation below on configuring the application inputs via this method)

      • The CBC Alerts Detail dashboard has the ability to click on a row in the alert details panel to view the associated endpoint events. In order for this panel to be populated you need an input to pull endpoint events. To pull these events you should use the CBC Event Forwarder and S3.

    • CBC Endpoint Event Overview

      • You need to configure an input using the CBC Event Forwarder and S3. This input should pull endpoint events.

User Guide

Initial Application Configuration

VMware Carbon Black Cloud is configured from the Application Configuration menu option under the Administration menu.

    • VMware Base Configuration

      • The options configured on this page will update settings in local/eventtypes.conf.

      • VMware Base Index: specify where the events from CBC will be searched.

      • VMware Action Index: specify where events generated from alert actions will be stored and/or searched.

      • Data model acceleration: enable acceleration for the VMWare_CBC data model

    • Tenants

      • Use this tab to configure access to Carbon Black Cloud. The application supports multiple tenants to enable data from multiple Carbon Black Cloud organizations to be ingested.

      • Please review the documentation for setting up Carbon Black Cloud API Access keys:

    • VMware Alert Inputs
      - Use this page to configure inputs that will pull alerts using the Carbon Black Cloud APIs. If you configure alert input on this page do not also configure alerts using AWS. Doing so may result in duplicate events.
      - Name: The generic name this input should be named.
      - Disabled: This is a checkbox if the input is disabled.
      - Severity: This is the minimum severity that will be pulled from the API
      - Type: The Types of alerts to pull from the API.
      - Tenant: The Tenant API Key to use for the API authorization.
      - Proxy: The proxy configuration, if needed.
      - Lookback (days): The number of historical days to pull from the API.
      - Index: The Splunk Index in which to store the data
      - Interval: The frequency (in seconds) that the API should poll for data. Range: 60-86400
      - Query: The Carbon Black Cloud compatible query to limit the alert results.
    • Alert Actions

      • All available alert actions will be displayed on this page.

        • Credential type: specifies the type of credential that should be used for this alert action. This cannot be changed.

        • Tenant: specify the tenants that should be used for this alert action. If using multi-tenancy you need to specify all applicable tenants.

NOTE: Do not modify any configurations in /default. Doing so will cause your changes to be overwritten when the app is upgraded. Create the appropriate configuration files in /local, copy the stanzas you need to change, and make your changes in these configuration files.

Included Data Model

VMware Carbon Black Cloud includes a data model: VMWare_CBC. The VMWare_CBC data model is a clone of the Alert and Endpoint data models from the Splunk CIM. This data model is not accelerated by default; however, accelerating it will improve dashboard performance. The data model acceleration setting can be changed in the app under Administration/Application Configuration. Check the setting Acceleration Enabled on the main page.

Make sure that the event types and macros for the app are configured properly prior to acceleration.


VMware Carbon Black Cloud includes the following macros that control dashboard searches.

    • vmware_tstats

      • This macro is the default macro used in all searches on this application's dashboards. By default it is configured as tstats prestats=false local=false summariesonly=`VMWare_CBC_summariesonly`.
    • vmware_tstats_pre

      • This macro is the same as vmware_tstats with the exception that prestats=true. To use this macro in dashboards replace vmware_tstats in all applicable dashboards.
    • VMWare_CBC_summariesonly

      • This macro controls whether summariesonly is set to true in the vmware_tstats and vmware_tstats_pre macros. By default summariesonly=false. Enabling summariesonly will improve the performance of searches on the dashboards in this app.

To enable summariesonly, create $SPLUNK_HOME/etc/apps/vmware_app_for_splunk/local/macros.conf and add this stanza:

[VMWare_CBC_summariesonly]
definition = true


VMware Carbon Black Cloud includes the following dashboards.

    • CBC Alerts Overview

      • This dashboard is an overview of all alerts from the CBC appliance.
    • CBC Endpoint Event Overview

      • This dashboard is an overview of all endpoint events from the CBC appliance.
    • CBC Alert Details

        • This dashboard contains detailed information about the alerts received from the CBC appliance. By clicking on a row in the alert details you can get an expansion panel that displays endpoint event details. You must have endpoint events for any endpoint events to display. From the endpoint event details panel you can click on the following fields to open a new window with the actual raw endpoint events:

          • device_id

          • device_name

          • device_external_ip

          • process

          • parent_cmdline

          • process_hash

          • parent_hash

          • process_guid

    • Application Health Overview (under the Administration menu option)

      • Use this page to get health and status information about any alerts, events, or API errors in the Carbon Black Cloud. View total_failures, messages, and severity level for each instance.

Saved Searches

VMware Carbon Black Cloud includes the following saved searches (default/savedsearches.conf).

    • vmware_example_for_alerting
      - Designed to show users how to create alerts using the app. The saved search is disabled by default in the app and can be enabled from the saved searches settings page.
      - This saved search will create a report whenever there is a new alert. The user can then use any of the alert actions stated above, or custom ones within their environment.

Monitoring Console Health Checks

VMware Carbon Black Cloud includes the following health checks in the Monitoring Console health check list (default/checklist.conf).

    • VMware CBC API Errors
      - Check to see if there are any CBC errors
    • VMware CBC Alerts Present
      - Check to see if there are any CBC Alerts present in the indexes
    • VMware CBC Events Present
      - Check to see if there are any CBC Events present in the indexes


  1. Summary Indexing: No
  2. Data Model Acceleration: Yes, if Enabled
  3. Report Acceleration: No

Release Notes

Version 1.0.0
Nov. 18, 2020

Initial Release

