icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading VMware Carbon Black EDR On-Prem
SHA256 checksum (vmware-carbon-black-edr-on-prem_302.tgz) f98e8495aa470eecec75a513eff9b182199e1d7807e438ca35a57b2d80827e45 SHA256 checksum (vmware-carbon-black-edr-on-prem_301.tgz) 14d5ecfa97253c0b66a4d4b44cec97ea3243520bf76b08be70ed3754a0f1a7b4 SHA256 checksum (vmware-carbon-black-edr-on-prem_300.tgz) 04054afd61fef6c4dd96894bee06e3dbe4d65a830a1234ac0d9eb81aaba404d1
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


VMware Carbon Black EDR On-Prem

Splunk Cloud
The VMware Carbon Black EDR On-Prem for Splunk is a single application to integrate your EDR security features and telemetry directly into Splunk dashboards, workflows and alert streams.

VMware Carbon Black EDR Documentation


About VMware Carbon Black EDR

Author VMware and Aplura, LLC.
App Version 3.0.2
App Build 10
Vendor Products VMware Carbon Black EDR
Has index-time operations false
Creates an index false
Implements summarization None

VMware Carbon Black EDR allows a Carbon Black EDR administrator or analyst to interact with the CB EDR product.


This software is licensed under the MIT license:
The MIT License (MIT) Copyright (c) 2021 VMware, Inc. and Aplura, LLC. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Scripts and binaries

For more information on these scripts, and what they do, please refer to the Initial Application Configuration section of this document.

This app includes the following scripts:

vmware-edr-ban-hash.py This is the Alert Action to ban a Hash in VMware Carbon Black EDR
vmware-edr-isolate-device.py This is the Alert Action to Isolate a sensor in VMware Carbon Black EDR
vmware-edr-kill-process.py This is the Alert Action to Kill a process on a sensor via VMware Carbon Black EDR
vmware-edr-unisolate-device.py This is the Alert Action to UnIsolate a sensor in VMware Carbon Black EDR
vmware_cmd_binarysearch.py This is the custom command to search for binaries in VMware Carbon Black EDR
vmware_cmd_processsearch.py This is the custom command to search for processes in VMware Carbon Black EDR
vmware_cmd_sensorsearch.py This is the custom command to search for sensors in VMware Carbon Black EDR
vmware_edr_client.py This is the core client configurations for interactions via Splunk and VMware Carbon Black EDR

Release notes

Version 3.0.2 of VMware Carbon Black EDR has the following known issues:

  • None

Version 3.0.2

  • Updated SimpleXML to v1.1 and confirmed jQuery 3.5

Version 3.0.1

  • Alert Actions displayed both CBC and EDR actions. This has been fixed.

Version 3.0.0

  • Initial Release

    • Features

        • Alert Actions

          • Ban Hash

          • Isolate Sensor

          • Unisolate Sensor

          • Kill Process

        • Custom Commands

          • Binary Search

          • Process Search

          • Sensor Search

        • Support for CIM

          • Alerts

          • Endpoint

          • Intrusion Detection

          • Network Traffic

About this release

Version 3.0.2 of VMware Carbon Black EDR is compatible with:

Splunk Enterprise versions 8.0, 8.1, 8.2
Platforms Splunk Enterprise, Splunk Cloud

Support and resources

Questions and answers

Access questions and answers specific to VMware Carbon Black EDR at https://answers.splunk.com . Be sure to tag your question with the name of the app: Carbon Black EDR Splunk App.


  • Support Offered: Splunk Answers, Community Engagement, VMware Carbon Black Support

  • View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.

  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.

  • Report bugs and change requests to Carbon Black Support.

Diagnostics Generation

If a support representative asks for it, a support diagnostic file can be generated. Use the following command to generate the file. Send the resulting file to support.

$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_cb_edr_app_for_splunk


Internal Splunk Logs

index=_internal source=/opt/splunk/var/log/splunk/vmware_cb_edr_app_for_splunk/*

Indexed Error Logs

index=main sourcetype=vmware:cb:edr:*:error

Migration from v2.2.0 to v3.0.0

Migration specifics for moving from v2.2.0 of the DA-ESS-cbresponse app to v3.0.0 of the vmware_cb_edr_app_for_splunk are below. Please make sure to check Splunk version compatibility prior to migration.

Migration while using HEC inputs

  1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.

  2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.

  3. Update/Create the Splunk HEC input to use the new sourcetype vmware:cb:edr:json

Migration while using AWS S3 inputs

  1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.

  2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.

  3. Update/Create the AWS S3 input to use the new sourcetype vmware:cb:edr:json

Migration while using event_bridge_output.json

  1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.

  2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.

  3. Update the sourcetype setting of inputs.conf of the Universal Forwarder to vmware:cb:edr:json

Update Event types

If the old data using the bit9:carbonblack:json sourcetype is to be integrated into the new apps, please update the following eventtypes for your environment:

    • vmware_cb_edr

      • Update this to have the older sourcetype

      • eventtype=vmware_cb_edr_base_index sourcetype IN (vmware:cb:edr:json, bit9:carbonblack:json)

Changes from v2.2.0 to v3.0.0

  1. Removed the datamodel CbResponse

    • Commands

      1. Renamed binarysearch to edrbinarysearch

      2. Renamed processsearch to edrprocesssearch

      3. Renamed sensorsearch to edrsensorsearch

    • Alert Actions (stanza ids)

      1. Renamed banhash to vmware-edr-ban-hash

      2. Renamed isolatesensor to vmware-edr-isolate-device

      3. Renamed killprocess to vmware-edr-kill-process

      4. Added vmware-edr-unisolate-device

    • Workflow Actions (stanza ids)

      1. Renamed sensor_info_by_ip to vmware_edr_sensor_info_by_ip

      2. Renamed md5binarysearch to vmware_md5binarysearch

      3. Renamed ipsearch to vmware_ipsearch

      4. Renamed md5processsearch to vmware_md5processsearch

      5. Renamed deeplinkprocess to vmware_edr_deeplink_process

      6. Renamed deeplinksensor to vmware_edr_deeplink_sensor

      7. Renamed VMware Carbon Black EDR Deep Link to $link_target$ to vmware_edr_deeplink_target

      8. Renamed VMware Carbon Black EDR Deep Link to $link_parent$ to vmware_edr_deeplink_parent

      9. Renamed VMware Carbon Black EDR Deep Link to $link_child$ to vmware_edr_deeplink_child

      10. Renamed VMware Carbon Black EDR Process Search from NetConn to vmware_search_process_netconn

      11. Renamed VMware Carbon Black EDR Process Search on Filename to vmware_search_process_file_name

      12. Renamed VMware Carbon Black EDR Process Search on Domain to vmware_search_process_domain

      13. Added vmware_edr_deeplink_md5

    • Saved Searches

      1. Disabled by default. Enable those that are needed.
    • Dashboards

      1. Removed setup_page.xml and Setup.xml

      2. Added new configuration page App_Config.xml

      3. Renamed and updated various dashboards for branding/efficiency.

Installation and Configuration

Software requirements

Splunk Enterprise system requirements

Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.


Download VMware Carbon Black EDR at https://splunkbase.splunk.com/app/5624/.

Deployment Guide

Note: Installing the VMware EDR TA or IA on the same node as the App is an unsupported configuration that may result in instability or errors. If you are seeing the error message More than 1 VMware EDR App detected, refer to the recommendations below for which Apps/Add-ons should be installed on which node and fully delete (not just disable) extra copies of VMware EDR apps/add-ons from nodes where they are not needed. Then restart Splunk on that node.

    • Single Instance (8.0+)

      • Only the VMware Carbon Black EDR App
    • Single Instance + Heavy Forwarder (8.0+)

        • Single Instance:

          • VMware Carbon Black EDR App
        • Heavy Forwarder:

          • VMware Carbon Black EDR App
    • Distributed deployment (8.0+)

        • Heavy Forwarder:

          • VMware Carbon Black EDR App
        • Search Head:

          • VMware Carbon Black EDR App
        • Indexer:

          • TA-vmware_cb_edr_app_for_splunk
    • Splunk Cloud

      • Contact Splunk Cloud Support handle this installation.


  1. Deploy the Apps and/or Add-ons per the Deployment Guide above.

  2. Create the index(s) for your data (if required)

    1. One index for the Carbon Black EDR data

      • One index for the results of the Alert Actions

        1. This can be the same index as the EDR data
  3. Navigate to the Administration > Application Configuration menu, VMware EDR Base Configuration tab.

    1. Update the index names to those created above

    2. Click the Save Application Configuration button to enable the App.

  4. Configure a proxy if needed from the Proxies tab

  5. The Administration > Application Health Overview menu shows errors during processing and can be very useful during troubleshooting

  6. The Administration > Application Usage menu provides insights into which Splunk users are using the app


For built-in data inputs, alert actions, and commands, create API Keys with the correct permissions in the Carbon Black EDR and then configure Splunk to use those keys.

Data Onboarding

To properly onboard the VMware CB EDR data, please follow the documentation. Once the data is configured via HEC, AWS S3, or file with UF, refer to this documentation to continue configuration.

Configuring Event Forwarder & S3 Inputs

Requirements and recommendations

The AWS add-on for Splunk is required for configuring S3 inputs. The add-on can be downloaded from Splunkbase. This add-on will be used to configure inputs for this Splunk app. Before configuring any inputs, you should create separate queues and S3 buckets for alert and endpoint events. A Carbon Black Event Forwarder must also be configured in order to forward data to the S3 buckets and to efficiently take in data, see the Event Forwarder Configuration section below.

Event Forwarder Configuration

An event forwarder must be created before any input can be received. This forwarder will be responsible for routing data to an S3 bucket where it can then be taken as input by Splunk. Configure your forwarder with filters to limit the amount of event data forwarded to Splunk in order to reduce costs. The forwarder installation guide for VMware CB EDR is located at Developer Network. It is recommended to follow the guide there, and then proceed with the installation and configuration of Splunk.

More details can be found at the CB Event Forwarder on Github.

Configure input in AWS Add-On

Before configuring the AWS inputs, make sure that the AWS add-on is properly installed in your Splunk environment. Get details for installing the AWS add-on from the Splunk documentation site. This documentation provides helpful information regarding the app and configuration settings.

The recommended approach to ingest Carbon Black EDR Event Forwarder data into Splunk is the SQS-based S3 data input.

Configuring input in AWS add-on to pull S3 using SQS S3

  • Set up the account on the Configuration page in the AWS Add-on

    • Set up the input on the Inputs page in the AWS Add-on

      • Create new input

      • Custom Data Type

      • SQS-based S3

      • Name: specify a name that should be used for this input

      • AWS Account: select account created in step 1

      • Assume Role: Depends on environment permissions

      • AWS Region: Region of the selected queue

      • SQS Queue Name: select queue that you created in AWS

      • SQS Batch Size: leave 10

      • S3 File Decoder: leave at Custom Logs

        • Source Type:

          • Set to vmware:cb:edr:json
        • Index: specify index where events should be written

          • This should be set to the same index as configured within VMware Carbon Black EDR base configurations

          • Advanced Settings: can set polling interval here

NOTE: If you need to reload older events and are using SQS to pull buckets, the events will not be available in the queue once they are retrieved. To view historical events or reload data, use the generic S3 option or copy the events to another prefix to copy it to the queue. |

User Guide

Initial Application Configuration

VMware Carbon Black EDR is configured from the Application Configuration menu option under the Administration menu.

  • VMware Base Configuration

    • The options configured on this page will update settings in local/eventtypes.conf.

    • VMware CB EDR Base Index: specify where the events from EDR will be searched. Required on the searching tier.

    • VMware CB EDR Action Index: specify where events generated from alert actions will be stored and/or searched. Required on the searching tier. Should be a single index. index=main

  • API Token Configuration

    • Use this tab to configure access to VMware Carbon Black EDR. The application supports multiple API Configurations to enable data from multiple Carbon Black EDR organizations to be ingested.
  • Alert Actions

    • All available alert actions will be displayed on this page.

    • See the Alert Actions section below for configuration details and considerations

  • Custom Commands

    • See the Custom Commands section below for configuration details and usage examples
      NOTE: Do not modify any configurations in ``/default``. Doing so will cause your changes to be overwritten when the app is upgraded. If required or directed to by support, create the appropriate configuration files in ``/local`` and include the stanza attributes that are being changed.


VMware Carbon Black EDR includes the following dashboards.

    • Application Health Overview (under the Administration menu option)

      • Use this page to get health and status information about any alerts, events, or API errors in the Carbon Black EDR. View total_failures, messages, and severity level for each instance.
  • Binary status

  • Endpoint status

  • Network Overview

  • Process Timeline

  • System Check

  • Binary Search

  • Process Search

  • Sensor Search

Release Notes

Version 3.0.2
Aug. 31, 2021

Updated for compatibility with SplunkJS upgrades.

Version 3.0.1
July 1, 2021
  • Updated Alert Actions tab to display only EDR alert actions.
Version 3.0.0
June 25, 2021

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.