VMware Carbon Black EDR Documentation

Overview

About VMware Carbon Black EDR

VMware Carbon Black EDR allows a Carbon Black EDR administrator or analyst to interact with the CB EDR product.

License

This software is licensed under the MIT license:
The MIT License (MIT) Copyright (c) 2021 VMware, Inc. and Aplura, LLC. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Scripts and binaries

For more information on these scripts, and what they do, please refer to the Initial Application Configuration section of this document.

This app includes the following scripts:

Release notes

Version 3.0.4 of VMware Carbon Black EDR has the following known issues:

• None

Version 3.0.4

• Updated CBAPI library to support pagination

About this release

Version 3.0.4 of VMware Carbon Black EDR is compatible with:

Support and resources

Questions and answers

Access questions and answers specific to VMware Carbon Black EDR at https://answers.splunk.com . Be sure to tag your question with the name of the app: Carbon Black EDR Splunk App.

Support

• Support Offered: Splunk Answers, Community Engagement, VMware Carbon Black Support

• View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.

• Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.

• Report bugs and change requests to Carbon Black Support.

Diagnostics Generation

If a support representative asks for it, a support diagnostic file can be generated. Use the following command to generate the file. Send the resulting file to support.

$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_cb_edr_app_for_splunk

Troubleshooting

Internal Splunk Logs

index=_internal source=/opt/splunk/var/log/splunk/vmware_cb_edr_app_for_splunk/*

Indexed Error Logs

index=main sourcetype=vmware:cb:edr:*:error

Migration from v2.2.0 to v3.0.0

Migration specifics for moving from v2.2.0 of the DA-ESS-cbresponse app to v3.0.0 of the vmware_cb_edr_app_for_splunk are below. Please make sure to check Splunk version compatibility prior to migration.

Migration while using HEC inputs

1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.

2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.

3. Update/Create the Splunk HEC input to use the new sourcetype vmware:cb:edr:json

Migration while using AWS S3 inputs

1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.

2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.

3. Update/Create the AWS S3 input to use the new sourcetype vmware:cb:edr:json

Migration while using event_bridge_output.json

1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.

2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.

3. Update the sourcetype setting of inputs.conf of the Universal Forwarder to vmware:cb:edr:json

Update Event types

If the old data using the bit9:carbonblack:json sourcetype is to be integrated into the new apps, please update the following eventtypes for your environment:

1. • vmware_cb_edr

     • Update this to have the older sourcetype

     • eventtype=vmware_cb_edr_base_index sourcetype IN (vmware:cb:edr:json, bit9:carbonblack:json)

Installation and Configuration

Software requirements

Splunk Enterprise system requirements

Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Download

Download VMware Carbon Black EDR at https://splunkbase.splunk.com/app/5624/.

Deployment Guide

Note: Installing the VMware EDR TA or IA on the same node as the App is an unsupported configuration that may result in instability or errors. If you are seeing the error message More than 1 VMware EDR App detected, refer to the recommendations below for which Apps/Add-ons should be installed on which node and fully delete (not just disable) extra copies of VMware EDR apps/add-ons from nodes where they are not needed. Then restart Splunk on that node.

• • Single Instance (8.0+)

    • Only the VMware Carbon Black EDR App

• • Single Instance + Heavy Forwarder (8.0+)

    • • Single Instance:

        • VMware Carbon Black EDR App

    • • Heavy Forwarder:

        • VMware Carbon Black EDR App

• • Distributed deployment (8.0+)

    • • Heavy Forwarder:

        • VMware Carbon Black EDR App

    • • Search Head:

        • VMware Carbon Black EDR App

    • • Indexer:

        • TA-vmware_cb_edr_app_for_splunk

• • Splunk Cloud

    • Contact Splunk Cloud Support handle this installation.

Configuration

1. Deploy the Apps and/or Add-ons per the Deployment Guide above.

2. Create the index(s) for your data (if required)

   1. One index for the Carbon Black EDR data

   2. • One index for the results of the Alert Actions

        1. This can be the same index as the EDR data

3. Navigate to the Administration > Application Configuration menu, VMware EDR Base Configuration tab.

   1. Update the index names to those created above

   2. Click the Save Application Configuration button to enable the App.

4. Configure a proxy if needed from the Proxies tab

5. The Administration > Application Health Overview menu shows errors during processing and can be very useful during troubleshooting

6. The Administration > Application Usage menu provides insights into which Splunk users are using the app

Authorization

For built-in data inputs, alert actions, and commands, create API Keys with the correct permissions in the Carbon Black EDR and then configure Splunk to use those keys.

Data Onboarding

To properly onboard the VMware CB EDR data, please follow the documentation. Once the data is configured via HEC, AWS S3, or file with UF, refer to this documentation to continue configuration.

Configuring Event Forwarder & S3 Inputs

Requirements and recommendations

The AWS add-on for Splunk is required for configuring S3 inputs. The add-on can be downloaded from Splunkbase. This add-on will be used to configure inputs for this Splunk app. Before configuring any inputs, you should create separate queues and S3 buckets for alert and endpoint events. A Carbon Black Event Forwarder must also be configured in order to forward data to the S3 buckets and to efficiently take in data, see the Event Forwarder Configuration section below.

Event Forwarder Configuration

An event forwarder must be created before any input can be received. This forwarder will be responsible for routing data to an S3 bucket where it can then be taken as input by Splunk. Configure your forwarder with filters to limit the amount of event data forwarded to Splunk in order to reduce costs. The forwarder installation guide for VMware CB EDR is located at Developer Network. It is recommended to follow the guide there, and then proceed with the installation and configuration of Splunk.

More details can be found at the CB Event Forwarder on Github.

Configure input in AWS Add-On

Before configuring the AWS inputs, make sure that the AWS add-on is properly installed in your Splunk environment. Get details for installing the AWS add-on from the Splunk documentation site. This documentation provides helpful information regarding the app and configuration settings.

The recommended approach to ingest Carbon Black EDR Event Forwarder data into Splunk is the SQS-based S3 data input.

Configuring input in AWS add-on to pull S3 using SQS S3

• Set up the account on the Configuration page in the AWS Add-on

• • Set up the input on the Inputs page in the AWS Add-on

    • Create new input

    • Custom Data Type

    • SQS-based S3

    • Name: specify a name that should be used for this input

    • AWS Account: select account created in step 1

    • Assume Role: Depends on environment permissions

    • AWS Region: Region of the selected queue

    • SQS Queue Name: select queue that you created in AWS

    • SQS Batch Size: leave 10

    • S3 File Decoder: leave at Custom Logs

    • • Source Type:

        • Set to vmware:cb:edr:json

    • • Index: specify index where events should be written

        • This should be set to the same index as configured within VMware Carbon Black EDR base configurations

        • Advanced Settings: can set polling interval here

NOTE: If you need to reload older events and are using SQS to pull buckets, the events will not be available in the queue once they are retrieved. To view historical events or reload data, use the generic S3 option or copy the events to another prefix to copy it to the queue. |

User Guide

Initial Application Configuration

VMware Carbon Black EDR is configured from the Application Configuration menu option under the Administration menu.

• VMware Base Configuration

  • The options configured on this page will update settings in local/eventtypes.conf.

  • VMware CB EDR Base Index: specify where the events from EDR will be searched. Required on the searching tier.

  • VMware CB EDR Action Index: specify where events generated from alert actions will be stored and/or searched. Required on the searching tier. Should be a single index. index=main

• API Token Configuration

  • Use this tab to configure access to VMware Carbon Black EDR. The application supports multiple API Configurations to enable data from multiple Carbon Black EDR organizations to be ingested.

• Alert Actions

  • All available alert actions will be displayed on this page.

  • See the Alert Actions section below for configuration details and considerations

• Custom Commands

  • See the Custom Commands section below for configuration details and usage examples
    NOTE: Do not modify any configurations in ``/default``. Doing so will cause your changes to be overwritten when the app is upgraded. If required or directed to by support, create the appropriate configuration files in ``/local`` and include the stanza attributes that are being changed.

Dashboards

VMware Carbon Black EDR includes the following dashboards.

• • Application Health Overview (under the Administration menu option)

    • Use this page to get health and status information about any alerts, events, or API errors in the Carbon Black EDR. View total_failures, messages, and severity level for each instance.

• Binary status

• Endpoint status

• Network Overview

• Process Timeline

• System Check

• Binary Search

• Process Search

• Sensor Search

Alert Actions

• Alert Configuration Notes: The global configurations referenced below are configured under Administration/Application Configuration under the Alert Actions tab.

• ALL search results that are being passed to the alert actions are required to have a host field that corresponds to the correct Organization Name as configured in the API Configuration Tab.

• If you use multi-tenancy, include the host field with the corresponding value in the Splunk search query. This value is the Organization Name found in the API Token Configuration.

• By default when a new alert is created in Splunk the parameter action.*.param.api_config = \<api_config guid> will be added to the savedsearches.conf file in the VMware Carbon Black EDR local directory. If you need to change credentials used on an alert action in the Application Configuration dashboard then all previously created alerts that were using the old credential needs to be changed. After updating credentials, delete the above parameter from the savedsearches.conf file for the appropriate saved search and restart Splunk.

VMware Carbon Black EDR includes the following alert actions:

• • Kill Process

    • Remotely kill a process on the devices specified in the search

    • • Search Configuration

        • Device ID Field: the field name that contains the device id to list processes.

        • Process Field: the field name that contains the process name to kill.

• • Isolate Sensor

    • Isolating the specified device(s) prevents suspicious activity and malware from affecting the rest of your network. The device(s) will only be able to communicate with Carbon Black EDR until unisolated

    • • Search Configuration

        • Device ID Field: the field name that contains the device id to isolate.

• • Un-isolate Sensor

    • Remove the specified device from the isolated state, allowing it to communicate normally on the network.

    • • Search Configuration

        • Device ID Field: the field name that contains the device id to un-isolate.

• • Ban Hash

    • Add the MD5 in the Splunk result set into VMware CB EDR banned hashes.

    • • Search Configuration

        • Hash field name: The field name that contains the hash to ban.

Custom Commands

VMware Carbon Black EDR includes the following custom commands (default/commands.conf).

• • edrbinarysearch

    • Searches EDR for binaries.

    • Example: |edrbinarysearch query="md5:fd3cee0bbc4e55838e65911ff19ef6f5"

• • edrsensorsearch

    • Searches EDR for sensors.

    • Example: |edrsensorsearch query="ip:172.22.5.141"

• • edrprocesssearch

    • Searches EDR for processes.

    • Example: edrprocesssearch query="process_name:cmd.exe"