VMware Carbon Black EDR Documentation

Overview

About VMware Carbon Black EDR

VMware Carbon Black EDR allows a Carbon Black EDR administrator or analyst to interact with the CB EDR product.

License

This software is licensed under the MIT license:
The MIT License (MIT) Copyright (c) 2021 VMware, Inc. and Aplura, LLC. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Scripts and binaries

For more information on these scripts, and what they do, please refer to the Initial Application Configuration section of this document.

This app includes the following scripts:

Release notes

Version 3.0.2 of VMware Carbon Black EDR has the following known issues:

• None

Version 3.0.2

• Updated SimpleXML to v1.1 and confirmed jQuery 3.5

Version 3.0.1

• Alert Actions displayed both CBC and EDR actions. This has been fixed.

Version 3.0.0

• Initial Release

• • Features

    • • Alert Actions

        • Ban Hash

        • Isolate Sensor

        • Unisolate Sensor

        • Kill Process

    • • Custom Commands

        • Binary Search

        • Process Search

        • Sensor Search

    • • Support for CIM

        • Alerts

        • Endpoint

        • Intrusion Detection

        • Network Traffic

About this release

Version 3.0.2 of VMware Carbon Black EDR is compatible with:

Support and resources

Questions and answers

Access questions and answers specific to VMware Carbon Black EDR at https://answers.splunk.com . Be sure to tag your question with the name of the app: Carbon Black EDR Splunk App.

Support

• Support Offered: Splunk Answers, Community Engagement, VMware Carbon Black Support

• View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.

• Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.

• Report bugs and change requests to Carbon Black Support.

Diagnostics Generation

If a support representative asks for it, a support diagnostic file can be generated. Use the following command to generate the file. Send the resulting file to support.

$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_cb_edr_app_for_splunk

Troubleshooting

Internal Splunk Logs

index=_internal source=/opt/splunk/var/log/splunk/vmware_cb_edr_app_for_splunk/*

Indexed Error Logs

index=main sourcetype=vmware:cb:edr:*:error

Migration from v2.2.0 to v3.0.0

Migration specifics for moving from v2.2.0 of the DA-ESS-cbresponse app to v3.0.0 of the vmware_cb_edr_app_for_splunk are below. Please make sure to check Splunk version compatibility prior to migration.

Migration while using HEC inputs

1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.

2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.

3. Update/Create the Splunk HEC input to use the new sourcetype vmware:cb:edr:json

Migration while using AWS S3 inputs

1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.

2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.

3. Update/Create the AWS S3 input to use the new sourcetype vmware:cb:edr:json

Migration while using event_bridge_output.json

1. Install v3.0.0 of the vmware_cb_edr_app_for_splunk from Splunkbase on the Search Tier of your environment.

2. Install v3.0.0 of the TA-vmware_cb_edr_app_for_splunk from Splunkbase on the Indexing Tier of your environment.

3. Update the sourcetype setting of inputs.conf of the Universal Forwarder to vmware:cb:edr:json

Update Event types

If the old data using the bit9:carbonblack:json sourcetype is to be integrated into the new apps, please update the following eventtypes for your environment:

1. • vmware_cb_edr

     • Update this to have the older sourcetype

     • eventtype=vmware_cb_edr_base_index sourcetype IN (vmware:cb:edr:json, bit9:carbonblack:json)

Changes from v2.2.0 to v3.0.0

1. Removed the datamodel CbResponse

2. • Commands

     1. Renamed binarysearch to edrbinarysearch

     2. Renamed processsearch to edrprocesssearch

     3. Renamed sensorsearch to edrsensorsearch

3. • Alert Actions (stanza ids)

     1. Renamed banhash to vmware-edr-ban-hash

     2. Renamed isolatesensor to vmware-edr-isolate-device

     3. Renamed killprocess to vmware-edr-kill-process

     4. Added vmware-edr-unisolate-device

4. • Workflow Actions (stanza ids)

     1. Renamed sensor_info_by_ip to vmware_edr_sensor_info_by_ip

     2. Renamed md5binarysearch to vmware_md5binarysearch

     3. Renamed ipsearch to vmware_ipsearch

     4. Renamed md5processsearch to vmware_md5processsearch

     5. Renamed deeplinkprocess to vmware_edr_deeplink_process

     6. Renamed deeplinksensor to vmware_edr_deeplink_sensor

     7. Renamed VMware Carbon Black EDR Deep Link to $link_target$ to vmware_edr_deeplink_target

     8. Renamed VMware Carbon Black EDR Deep Link to $link_parent$ to vmware_edr_deeplink_parent

     9. Renamed VMware Carbon Black EDR Deep Link to $link_child$ to vmware_edr_deeplink_child

     10. Renamed VMware Carbon Black EDR Process Search from NetConn to vmware_search_process_netconn

     11. Renamed VMware Carbon Black EDR Process Search on Filename to vmware_search_process_file_name

     12. Renamed VMware Carbon Black EDR Process Search on Domain to vmware_search_process_domain

     13. Added vmware_edr_deeplink_md5

5. • Saved Searches

     1. Disabled by default. Enable those that are needed.

6. • Dashboards

     1. Removed setup_page.xml and Setup.xml

     2. Added new configuration page App_Config.xml

     3. Renamed and updated various dashboards for branding/efficiency.

Installation and Configuration

Software requirements

Splunk Enterprise system requirements

Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Download

Download VMware Carbon Black EDR at https://splunkbase.splunk.com/app/5624/.

Deployment Guide

Note: Installing the VMware EDR TA or IA on the same node as the App is an unsupported configuration that may result in instability or errors. If you are seeing the error message More than 1 VMware EDR App detected, refer to the recommendations below for which Apps/Add-ons should be installed on which node and fully delete (not just disable) extra copies of VMware EDR apps/add-ons from nodes where they are not needed. Then restart Splunk on that node.

• • Single Instance (8.0+)

    • Only the VMware Carbon Black EDR App

• • Single Instance + Heavy Forwarder (8.0+)

    • • Single Instance:

        • VMware Carbon Black EDR App

    • • Heavy Forwarder:

        • VMware Carbon Black EDR App

• • Distributed deployment (8.0+)

    • • Heavy Forwarder:

        • VMware Carbon Black EDR App

    • • Search Head:

        • VMware Carbon Black EDR App

    • • Indexer:

        • TA-vmware_cb_edr_app_for_splunk

• • Splunk Cloud

    • Contact Splunk Cloud Support handle this installation.

Configuration

1. Deploy the Apps and/or Add-ons per the Deployment Guide above.

2. Create the index(s) for your data (if required)

   1. One index for the Carbon Black EDR data

   2. • One index for the results of the Alert Actions

        1. This can be the same index as the EDR data

3. Navigate to the Administration > Application Configuration menu, VMware EDR Base Configuration tab.

   1. Update the index names to those created above

   2. Click the Save Application Configuration button to enable the App.

4. Configure a proxy if needed from the Proxies tab

5. The Administration > Application Health Overview menu shows errors during processing and can be very useful during troubleshooting

6. The Administration > Application Usage menu provides insights into which Splunk users are using the app

Authorization

For built-in data inputs, alert actions, and commands, create API Keys with the correct permissions in the Carbon Black EDR and then configure Splunk to use those keys.

Data Onboarding

To properly onboard the VMware CB EDR data, please follow the documentation. Once the data is configured via HEC, AWS S3, or file with UF, refer to this documentation to continue configuration.

Configuring Event Forwarder & S3 Inputs

Requirements and recommendations

The AWS add-on for Splunk is required for configuring S3 inputs. The add-on can be downloaded from Splunkbase. This add-on will be used to configure inputs for this Splunk app. Before configuring any inputs, you should create separate queues and S3 buckets for alert and endpoint events. A Carbon Black Event Forwarder must also be configured in order to forward data to the S3 buckets and to efficiently take in data, see the Event Forwarder Configuration section below.

Event Forwarder Configuration

An event forwarder must be created before any input can be received. This forwarder will be responsible for routing data to an S3 bucket where it can then be taken as input by Splunk. Configure your forwarder with filters to limit the amount of event data forwarded to Splunk in order to reduce costs. The forwarder installation guide for VMware CB EDR is located at Developer Network. It is recommended to follow the guide there, and then proceed with the installation and configuration of Splunk.

More details can be found at the CB Event Forwarder on Github.

Configure input in AWS Add-On

Before configuring the AWS inputs, make sure that the AWS add-on is properly installed in your Splunk environment. Get details for installing the AWS add-on from the Splunk documentation site. This documentation provides helpful information regarding the app and configuration settings.

The recommended approach to ingest Carbon Black EDR Event Forwarder data into Splunk is the SQS-based S3 data input.

Configuring input in AWS add-on to pull S3 using SQS S3

• Set up the account on the Configuration page in the AWS Add-on

• • Set up the input on the Inputs page in the AWS Add-on

    • Create new input

    • Custom Data Type

    • SQS-based S3

    • Name: specify a name that should be used for this input

    • AWS Account: select account created in step 1

    • Assume Role: Depends on environment permissions

    • AWS Region: Region of the selected queue

    • SQS Queue Name: select queue that you created in AWS

    • SQS Batch Size: leave 10

    • S3 File Decoder: leave at Custom Logs

    • • Source Type:

        • Set to vmware:cb:edr:json

    • • Index: specify index where events should be written

        • This should be set to the same index as configured within VMware Carbon Black EDR base configurations

        • Advanced Settings: can set polling interval here

NOTE: If you need to reload older events and are using SQS to pull buckets, the events will not be available in the queue once they are retrieved. To view historical events or reload data, use the generic S3 option or copy the events to another prefix to copy it to the queue. |

User Guide

Initial Application Configuration

VMware Carbon Black EDR is configured from the Application Configuration menu option under the Administration menu.

• VMware Base Configuration

  • The options configured on this page will update settings in local/eventtypes.conf.

  • VMware CB EDR Base Index: specify where the events from EDR will be searched. Required on the searching tier.

  • VMware CB EDR Action Index: specify where events generated from alert actions will be stored and/or searched. Required on the searching tier. Should be a single index. index=main

• API Token Configuration

  • Use this tab to configure access to VMware Carbon Black EDR. The application supports multiple API Configurations to enable data from multiple Carbon Black EDR organizations to be ingested.

• Alert Actions

  • All available alert actions will be displayed on this page.

  • See the Alert Actions section below for configuration details and considerations

• Custom Commands

  • See the Custom Commands section below for configuration details and usage examples
    NOTE: Do not modify any configurations in ``/default``. Doing so will cause your changes to be overwritten when the app is upgraded. If required or directed to by support, create the appropriate configuration files in ``/local`` and include the stanza attributes that are being changed.

Dashboards

VMware Carbon Black EDR includes the following dashboards.

• • Application Health Overview (under the Administration menu option)

    • Use this page to get health and status information about any alerts, events, or API errors in the Carbon Black EDR. View total_failures, messages, and severity level for each instance.

• Binary status

• Endpoint status

• Network Overview

• Process Timeline

• System Check

• Binary Search

• Process Search

• Sensor Search