| Field | Value |
| --- | --- |
| Author | VMware and Aplura, LLC. |
| App Version | 3.0.4 |
| App Build | 6 |
| Vendor Products | VMware Carbon Black EDR |
| Has index-time operations | false |
| Creates an index | false |
| Implements summarization | None |
VMware Carbon Black EDR allows a Carbon Black EDR administrator or analyst to interact with the CB EDR product.
This software is licensed under the MIT license:
The MIT License (MIT) Copyright (c) 2021 VMware, Inc. and Aplura, LLC. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
For more information on these scripts, and what they do, please refer to the Initial Application Configuration section of this document.
This app includes the following scripts:
| Script | Description |
| --- | --- |
| vmware-edr-ban-hash.py | This is the Alert Action to ban a hash in VMware Carbon Black EDR |
| vmware-edr-isolate-device.py | This is the Alert Action to isolate a sensor in VMware Carbon Black EDR |
| vmware-edr-kill-process.py | This is the Alert Action to kill a process on a sensor via VMware Carbon Black EDR |
| vmware-edr-unisolate-device.py | This is the Alert Action to un-isolate a sensor in VMware Carbon Black EDR |
| vmware_cmd_binarysearch.py | This is the custom command to search for binaries in VMware Carbon Black EDR |
| vmware_cmd_processsearch.py | This is the custom command to search for processes in VMware Carbon Black EDR |
| vmware_cmd_sensorsearch.py | This is the custom command to search for sensors in VMware Carbon Black EDR |
| vmware_edr_client.py | This is the core client configuration for interactions between Splunk and VMware Carbon Black EDR |
Version 3.0.4 of VMware Carbon Black EDR has the following known issues:
Version 3.0.4 of VMware Carbon Black EDR is compatible with:
| Requirement | Supported |
| --- | --- |
| Splunk Enterprise versions | 8.0, 8.1, 8.2 |
| Platforms | Splunk Enterprise, Splunk Cloud |
Access questions and answers specific to VMware Carbon Black EDR at https://answers.splunk.com. Be sure to tag your question with the name of the app: Carbon Black EDR Splunk App.
Support Offered: Splunk Answers, Community Engagement, VMware Carbon Black Support
View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
Report bugs and change requests to Carbon Black Support.
If a support representative asks for it, a support diagnostic file can be generated. Use the following command to generate the file. Send the resulting file to support.
$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_cb_edr_app_for_splunk
index=_internal source=/opt/splunk/var/log/splunk/vmware_cb_edr_app_for_splunk/*
index=main sourcetype=vmware:cb:edr:*:error
Migration specifics for moving from v2.2.0 of the DA-ESS-cbresponse app to v3.0.0 of the vmware_cb_edr_app_for_splunk are below. Please make sure to check Splunk version compatibility prior to migration.
1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.
2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.
3. Update/Create the Splunk HEC input to use the new sourcetype vmware:cb:edr:json
1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.
2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.
3. Update/Create the AWS S3 input to use the new sourcetype vmware:cb:edr:json
event_bridge_output.json
1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.
2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.
3. Update the sourcetype setting of inputs.conf of the Universal Forwarder to vmware:cb:edr:json
If the old data using the bit9:carbonblack:json sourcetype is to be integrated into the new apps, please update the following eventtype for your environment:
- vmware_cb_edr: update this to include the older sourcetype: eventtype=vmware_cb_edr_base_index sourcetype IN (vmware:cb:edr:json, bit9:carbonblack:json)
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Download VMware Carbon Black EDR at https://splunkbase.splunk.com/app/5624/.
Note: Installing the VMware EDR TA or IA on the same node as the App is an unsupported configuration that may result in instability or errors. If you see the error message "More than 1 VMware EDR App detected", refer to the recommendations below for which Apps/Add-ons should be installed on which node, fully delete (not just disable) the extra copies of the VMware EDR apps/add-ons from nodes where they are not needed, and then restart Splunk on that node.
Single Instance (8.0+)
Single Instance + Heavy Forwarder (8.0+)
Single Instance:
Heavy Forwarder:
Distributed deployment (8.0+)
Heavy Forwarder:
Search Head:
Indexer:
Splunk Cloud
Deploy the Apps and/or Add-ons per the Deployment Guide above, then:
1. Create the index(es) for your data (if required):
   - One index for the Carbon Black EDR data
   - One index for the results of the Alert Actions
2. Navigate to the Administration > Application Configuration menu, VMware EDR Base Configuration tab.
3. Update the index names to those created above.
4. Click the Save Application Configuration button to enable the App.
5. Configure a proxy if needed from the Proxies tab.
The Administration > Application Health Overview menu shows errors during processing and can be very useful during troubleshooting
The Administration > Application Usage menu provides insights into which Splunk users are using the app
For built-in data inputs, alert actions, and commands, create API Keys with the correct permissions in the Carbon Black EDR and then configure Splunk to use those keys.
To properly onboard the VMware CB EDR data, please follow the documentation. Once the data is configured via HEC, AWS S3, or file with UF, refer to this documentation to continue configuration.
The AWS add-on for Splunk is required for configuring S3 inputs. The add-on can be downloaded from Splunkbase. This add-on will be used to configure inputs for this Splunk app. Before configuring any inputs, you should create separate queues and S3 buckets for alert and endpoint events. A Carbon Black Event Forwarder must also be configured in order to forward data to the S3 buckets and to efficiently take in data, see the Event Forwarder Configuration section below.
An event forwarder must be created before any input can be received. This forwarder will be responsible for routing data to an S3 bucket where it can then be taken as input by Splunk. Configure your forwarder with filters to limit the amount of event data forwarded to Splunk in order to reduce costs. The forwarder installation guide for VMware CB EDR is located at Developer Network. It is recommended to follow the guide there, and then proceed with the installation and configuration of Splunk.
More details can be found at the CB Event Forwarder on Github.
Before configuring the AWS inputs, make sure that the AWS add-on is properly installed in your Splunk environment. Get details for installing the AWS add-on from the Splunk documentation site. This documentation provides helpful information regarding the app and configuration settings.
The recommended approach to ingest Carbon Black EDR Event Forwarder data into Splunk is the SQS-based S3 data input.
1. Set up the account on the Configuration page in the AWS Add-on.
2. Set up the input on the Inputs page in the AWS Add-on: Create new input > Custom Data Type > SQS-based S3, with the following settings:
   - Name: specify a name that should be used for this input
   - AWS Account: select the account created in step 1
   - Assume Role: depends on environment permissions
   - AWS Region: region of the selected queue
   - SQS Queue Name: select the queue that you created in AWS
   - SQS Batch Size: leave at 10
   - S3 File Decoder: leave at Custom Logs
   - Source Type:
   - Index: specify the index where events should be written. This should be set to the same index as configured within the VMware Carbon Black EDR base configuration.
   - Advanced Settings: the polling interval can be set here

NOTE: If you need to reload older events and are using SQS to pull from buckets, the events will no longer be available in the queue once they have been retrieved. To view historical events or reload data, use the generic S3 option, or copy the events to another prefix so that they are delivered to the queue again.
VMware Carbon Black EDR is configured from the Application Configuration menu option under the Administration menu.
VMware Base Configuration
The options configured on this page will update settings in local/eventtypes.conf.
VMware CB EDR Base Index: specify where the events from EDR will be searched. Required on the searching tier.
VMware CB EDR Action Index: specify where events generated from alert actions will be stored and/or searched. Required on the searching tier. Should be a single index. index=main
API Token Configuration
Alert Actions
All available alert actions will be displayed on this page.
See the Alert Actions section below for configuration details and considerations
Custom Commands
VMware Carbon Black EDR includes the following dashboards.
Application Health Overview (under the Administration menu option)
Binary status
Endpoint status
Network Overview
Process Timeline
System Check
Binary Search
Process Search
Sensor Search
Alert Configuration Notes: The global configurations referenced below are configured under Administration/Application Configuration under the Alert Actions tab.
ALL search results that are being passed to the alert actions are required to have a host field that corresponds to the correct Organization Name as configured in the API Configuration Tab.
If you use multi-tenancy, include the host field with the corresponding value in the Splunk search query. This value is the Organization Name found in the API Token Configuration.
By default, when a new alert is created in Splunk, the parameter action.*.param.api_config = <api_config guid> is added to the savedsearches.conf file in the VMware Carbon Black EDR local directory. If you change the credentials used by an alert action in the Application Configuration dashboard, every previously created alert that was using the old credential needs to be updated: after updating the credentials, delete the above parameter from the savedsearches.conf file for the appropriate saved search and restart Splunk.
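The two notes above (a host field that must name a configured Organization Name, and the api_config GUID that Splunk pins into savedsearches.conf) are the usual sources of trouble after a credential rotation in a multi-tenant setup. The following Python is an added example and is not part of the app or its documentation: a small reader for Splunk .conf syntax that lists which saved searches are pinned to an api_config GUID, strips the pin from one saved search (Splunk still has to be restarted afterwards, as the note says), and a pre-flight check that every result row carries a host field matching a configured Organization Name. The saved-search names, alert-action names, GUIDs, field values and Organization Names are constructed for the example; the conf reader drops comments and does not handle backslash line continuations, so run it against a copy of the file.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of the app's local/savedsearches.conf. The saved-search
# names, alert-action names and GUIDs are assumptions made for this example;
# the documented fact is only that Splunk records
# action.<action>.param.api_config = <api_config guid> per saved search.
SAMPLE_SAVEDSEARCHES_CONF = """\
# constructed sample, not taken from a real deployment
[EDR - Ban known bad MD5]
search = index=main sourcetype=vmware:cb:edr:json md5=* | stats count by host md5
action.vmware-edr-ban-hash = 1
action.vmware-edr-ban-hash.param.api_config = 11111111-2222-3333-4444-555555555555
cron_schedule = */15 * * * *

[EDR - Isolate noisy sensor]
search = index=main sourcetype=vmware:cb:edr:json | stats count by host sensor_id
action.vmware-edr-isolate-device = 1
action.vmware-edr-isolate-device.param.api_config = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

[EDR - Report only]
search = index=main sourcetype=vmware:cb:edr:json | stats count
"""

# Matches the per-alert credential pin written by Splunk, whatever the action name.
API_CONFIG_KEY = re.compile(r"^action\.[^.]+\.param\.api_config$")

Stanza = Tuple[str, List[Tuple[str, str]]]


def parse_conf(text: str) -> List[Stanza]:
    """Minimal Splunk .conf reader: ordered stanzas of ordered key/value pairs.
    Comments are dropped and backslash line continuations are not handled."""
    stanzas: List[Stanza] = []
    current: Optional[Stanza] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' separates key from value
            current[1].append((key.strip(), value.strip()))
    return stanzas


def render_conf(stanzas: List[Stanza]) -> str:
    """Write stanzas back out in Splunk .conf syntax."""
    lines: List[str] = []
    for name, keys in stanzas:
        lines.append(f"[{name}]")
        lines.extend(f"{k} = {v}" for k, v in keys)
        lines.append("")
    return "\n".join(lines)


def find_pinned_api_configs(text: str) -> Dict[str, Dict[str, str]]:
    """Map each saved search to the api_config GUIDs its alert actions are pinned to."""
    pinned: Dict[str, Dict[str, str]] = {}
    for name, keys in parse_conf(text):
        hits = {k: v for k, v in keys if API_CONFIG_KEY.match(k)}
        if hits:
            pinned[name] = hits
    return pinned


def drop_api_config(text: str, saved_search: str) -> str:
    """Return the conf with the api_config pins removed from one saved search,
    so the action picks up the credential currently configured in the app."""
    stanzas = parse_conf(text)
    for i, (name, keys) in enumerate(stanzas):
        if name == saved_search:
            stanzas[i] = (name, [(k, v) for k, v in keys if not API_CONFIG_KEY.match(k)])
    return render_conf(stanzas)


def check_host_field(results: List[Dict[str, str]], org_names: Iterable[str]) -> List[Tuple[int, str]]:
    """Pre-flight for multi-tenant alert actions: every result row needs a host
    field naming a configured Organization Name, or the action cannot be routed."""
    orgs = set(org_names)
    problems: List[Tuple[int, str]] = []
    for i, row in enumerate(results):
        host = row.get("host")
        if not host:
            problems.append((i, "missing host field"))
        elif host not in orgs:
            problems.append((i, f"host {host!r} is not a configured Organization Name"))
    return problems


# Constructed search results and Organization Names for the host-field check.
SAMPLE_RESULTS = [
    {"host": "acme-prod", "sensor_id": "17", "process_name": "cmd.exe"},
    {"sensor_id": "18", "process_name": "powershell.exe"},
    {"host": "web01.example", "sensor_id": "19", "process_name": "cmd.exe"},
]
CONFIGURED_ORGS = {"acme-prod", "acme-lab"}
```

Running `find_pinned_api_configs` over the real file before rotating credentials gives the list of saved searches that will break; `drop_api_config` produces the cleaned text to write back, after which Splunk must be restarted. `check_host_field` is the kind of guard worth running on the result set before a Kill Process or Isolate Sensor action fires, since a row with the wrong host is a row routed to the wrong tenant's API key.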
VMware Carbon Black EDR includes the following alert actions:
Kill Process
Remotely kill a process on the devices specified in the search
Search Configuration
Device ID Field: the field name that contains the device id to list processes.
Process Field: the field name that contains the process name to kill.
Isolate Sensor
Isolating the specified device(s) prevents suspicious activity and malware from affecting the rest of your network. The device(s) will only be able to communicate with Carbon Black EDR until un-isolated.
Search Configuration
Un-isolate Sensor
Remove the specified device from the isolated state, allowing it to communicate normally on the network.
Search Configuration
Ban Hash
Add the MD5 in the Splunk result set into VMware CB EDR banned hashes.
Search Configuration
VMware Carbon Black EDR includes the following custom commands (default/commands.conf).
edrbinarysearch
Searches EDR for binaries.
Example: |edrbinarysearch query="md5:fd3cee0bbc4e55838e65911ff19ef6f5"
edrsensorsearch
Searches EDR for sensors.
Example: |edrsensorsearch query="ip:172.22.5.141"
edrprocesssearch
Searches EDR for processes.
Example: |edrprocesssearch query="process_name:cmd.exe"
Cloud compatibility updates.
Updated for compatibility with SplunkJS upgrades.