# Release notes for the Splunk Add-on for Carbon Black
Version 3.0.0 of the Splunk Add-on for Carbon Black was released on
## Compatibility
Version 3.0.0 of the Splunk Add-on for Carbon Black is compatible with the following software, CIM versions, and platforms:

| Requirement | Supported |
|---|---|
| Splunk platform versions | 9.x, 10.x |
| CIM | 6.1.0 |
| Platforms | Platform independent |
| Vendor products | Carbon Black Response 4.2, Carbon Black Response 6.3.1, Carbon Black Response 7.4.0, Carbon Black EDR 7.6.1, Carbon Black EDR 7.8.1 |
## New features
The following new features were implemented:

- Introduced a built-in dashboard that displays:
  - The installed add-on version
  - The total number of Carbon Black events ingested into Splunk
  - A time-series graph showing Carbon Black events ingested into Splunk
  - The count of events ingested from selected indexes, sources, and event types
  - Event trends categorized by index
  - CIM-supported events
- Support for the newest version of CIM, v6.1.0
- Support for the latest product version, Carbon Black EDR 7.8.1
- Version 3.0.0 is IPv6 compliant, ensuring compatibility with IPv6-based Splunk deployments.
- Added CIM support for new events in the sourcetype bit9:carbonblack:json. The new events are listed in the table below along with their supported CIM data models:

| Event Name | CIM data model supported in this release |
|---|---|
| type=audit.log.useractivity path="/api/logout" method="GET" | Change:Account_Management |
| type=feed.query.hit.process feed_name=cbcommunity | Alerts |
| type=alert.watchlist.hit.query.process watchlist_name=Newly Installed Applications | Alerts |
| type=task.error.logged | Alerts |
## Breaking Changes
- The data models of some events have changed in release v3.0.0. Details are in the table below:

| Source Type | Event Name | Old Data Model | New Data Model |
|---|---|---|---|
| bit9:carbonblack:json | type=binarystore.file.added | Endpoint:Filesystem | Alerts |
| bit9:carbonblack:json | type=watchlist.storage.hit.binary watchlist_name=Newly Loaded Modules | Endpoint:Filesystem | Alerts |
| bit9:carbonblack:json | type=watchlist.storage.hit.binary watchlist_name=Newly Executed Applications | Endpoint:Filesystem | Alerts |
| bit9:carbonblack:json | type=binaryinfo.observed | No DM | Alerts |
| bit9:carbonblack:json | type=binaryinfo.group.observed | No DM | Alerts |
| bit9:carbonblack:json | type=binaryinfo.host.observed | No DM | Endpoint:Filesystem |
| bit9:carbonblack:json | type=watchlist.hit.binary digsig_result=Signed watchlist_name=Newly Loaded Modules | Endpoint:Filesystem | Alerts |
| bit9:carbonblack:json | type=watchlist.hit.binary digsig_result=Unsigned watchlist_name=Newly Executed Applications | Endpoint:Filesystem | Alerts |
| bit9:carbonblack:json | type=watchlist.hit.binary digsig_result=Signed watchlist_name=Newly Executed Applications | Endpoint:Filesystem | Alerts |
| bit9:carbonblack:json | type=feed.synchronized | No DM | Alerts |
| bit9:carbonblack:json | type=feed.query.hit.process feed_name=bit9endpointvisibility | Endpoint:Processes | Alerts |
| bit9:carbonblack:json | type=feed.query.hit.process feed_name=attackframework | Endpoint:Processes | Alerts |
| bit9:carbonblack:json | type=feed.query.hit.process feed_name=bit9suspiciousindicators | Endpoint:Processes | Alerts |
| bit9:carbonblack:json | type=feed.storage.hit.process feed_name=bit9endpointvisibility | Endpoint:Processes | Alerts |
| bit9:carbonblack:json | type=feed.storage.hit.process feed_name=attackframework | Endpoint:Processes | Alerts |
| bit9:carbonblack:json | type=feed.storage.hit.process feed_name=bit9suspiciousindicators | Endpoint:Processes | Alerts |
| bit9:carbonblack:json | type=watchlist.hit.binary digsig_result=Unsigned watchlist_name=Newly Loaded Modules | Endpoint:Filesystem | Alerts |
| bit9:carbonblack:json | type=audit.log.useractivity path="/api/auth" method="POST" | No DM | Change:All_Changes |
| bit9:carbonblack:json | type=audit.log.useractivity path="/api/v1/settings/global/advanced" method="GET" | No DM | Change:All_Changes |
| bit9:carbonblack:json | type=audit.log.useractivity path="/api/v1/settings/global/advanced" method="POST" | No DM | Change:All_Changes |
- Field extractions for some events have changed in release 3.0.0. Details are in the table below:

| Source Type | Event Name | Fields Changed |
|---|---|---|
| bit9:carbonblack:json | type=watchlist.storage.hit.process watchlist_name=Autoruns | dest, process_hash |
| bit9:carbonblack:json | type=ingress.event.childproc childproc_type=Exec | os, parent_process, parent_process_exec, parent_process_id, parent_process_name, parent_process_path, process, process_current_directory, process_exec, process_hash, process_guid, process_id, process_name, process_path |
| bit9:carbonblack:json | type=ingress.event.moduleload | original_file_name, os, parent_process, parent_process_exec, parent_process_id, parent_process_guid, parent_process_name, parent_process_path, process, process_current_directory, process_exec, process_hash, process_guid, process_id, process_name, process_path |
| bit9:carbonblack:json | type=ingress.event.procstart | os, parent_process, process_hash |
| bit9:carbonblack:json | type=ingress.event.netconn direction=outbound | app, src_ip, src_translated_ip |
| bit9:carbonblack:json | type=ingress.event.netconn direction=inbound | app, src_ip, src_translated_ip, transport |
| bit9:carbonblack:json | type=ingress.event.module digsig.result=Signed | action, file_name, file_path |
| bit9:carbonblack:json | type=ingress.event.module digsig.result=Unsigned | action, file_name, file_path |
| bit9:carbonblack:json | type=watchlist.storage.hit.process watchlist_name=Non-System Filemods to system32 | dest, process_hash |
| bit9:carbonblack:json | type=ingress.event.remotethread | os, parent_process, parent_process_exec, parent_process_id, parent_process_guid, parent_process_name, parent_process_path, process, process_exec, process_hash, process_guid, process_id, process_name, process_path |
| bit9:carbonblack:json | type=watchlist.storage.hit.process watchlist_name=Newly Installed Applications | dest, process_hash |
| bit9:carbonblack:json | type=alert.watchlist.hit.query.binary digsig_result=Unsigned | description, dest, dest_type, signature, signature_id, src_type |
| bit9:carbonblack:json | type=alert.watchlist.hit.query.binary digsig_result=Signed | description, dest, dest_type, signature, signature_id, src_type |
| bit9:carbonblack:json | type=ingress.event.crossprocopen cross_process_type=open_process | os, parent_process, parent_process_exec, parent_process_id, parent_process_guid, parent_process_name, parent_process_path, process, process_exec, process_hash, process_guid, process_id, process_name, process_path |
| bit9:carbonblack:json | type=ingress.event.crossprocopen cross_process_type=open_thread | os, parent_process, parent_process_exec, parent_process_id, parent_process_guid, parent_process_name, parent_process_path, process, process_exec, process_hash, process_guid, process_id, process_name, process_path |
| bit9:carbonblack:json | type=ingress.event.procend | action, os, parent_process_guid, process |
| bit9:carbonblack:json | type=ingress.event.childproc childproc_type=Fork | os, parent_process, parent_process_exec, parent_process_id, parent_process_name, parent_process_path, process |
| bit9:carbonblack:json | type=ingress.event.childproc childproc_type=OtherExec | os, parent_process, parent_process_exec, parent_process_id, parent_process_name, parent_process_path, process |
| bit9:carbonblack:json | type=alert.watchlist.hit.query.process watchlist_name:Autoruns | description, dest, signature, signature_id, src_type |
| bit9:carbonblack:json | type=ingress.event.regmod action=createkey | registry_hive |
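Both breaking-changes tables above (events moving between data models, and changed field extractions) can silently break saved searches and correlation searches written against the 2.x add-on. The following Python script is an added example for this page, not code from the add-on or from Splunk: it scans a savedsearches.conf (a constructed sample is embedded) for Carbon Black searches that reference a data model those events have left or a field whose extraction changed. The data model and field names come from the tables; the matching is a plain-text heuristic, not an SPL parser, and the field list is a subset to extend as needed.

```python
import configparser
import re

# From the breaking-changes tables above: data models that some
# bit9:carbonblack:json events left in 3.0.0, and a subset of the fields
# whose extraction changed. Extend these from the tables as needed.
OLD_DATA_MODELS = {"Endpoint.Filesystem", "Endpoint.Processes"}
CHANGED_FIELDS = {"dest", "process_hash", "src_ip", "src_translated_ip",
                  "parent_process_guid", "registry_hive", "signature_id"}
SOURCETYPE = "bit9:carbonblack:json"

# Constructed sample savedsearches.conf, not taken from any real deployment.
SAMPLE_CONF = r"""
[CB - Unsigned binary loads]
search = | datamodel Endpoint Filesystem search | search sourcetype="bit9:carbonblack:json" | stats count by file_name

[CB - Outbound connections]
search = sourcetype="bit9:carbonblack:json" type=ingress.event.netconn direction=outbound | stats count by src_ip

[Unrelated - Windows logons]
search = sourcetype=WinEventLog:Security EventCode=4624 | stats count by user
"""


def find_impacted_searches(conf_text):
    """Return {stanza: [reasons]} for Carbon Black searches that reference an
    old data model or a changed field (text heuristic, not an SPL parser)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    impacted = {}
    for stanza in cp.sections():
        spl = cp.get(stanza, "search", fallback="")
        if SOURCETYPE not in spl:
            continue  # only searches over the Carbon Black sourcetype are affected
        reasons = []
        for dm in sorted(OLD_DATA_MODELS):
            root, obj = dm.split(".")
            # SPL writes the model as "Endpoint.Filesystem" or "datamodel Endpoint Filesystem"
            if re.search(rf"\b{root}[ .]{obj}\b", spl):
                reasons.append(f"uses old data model {dm}")
        tokens = set(re.findall(r"[A-Za-z_]+", spl))  # whole-word field references
        for field in sorted(CHANGED_FIELDS & tokens):
            reasons.append(f"references changed field {field}")
        if reasons:
            impacted[stanza] = reasons
    return impacted


if __name__ == "__main__":
    for stanza, reasons in find_impacted_searches(SAMPLE_CONF).items():
        print(f"{stanza}: {'; '.join(reasons)}")
```

Flagged searches need to be re-pointed at the Alerts data model or re-tested against the new field names before the upgrade is rolled out to production search heads.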
## Fixed issues

Version 3.0.0 of the Splunk Add-on for Carbon Black fixes the following issues. If no issues appear, there are no bug fixes reported.
## Known issues
Version 3.0.0 of the Splunk Add-on for Carbon Black contains the following known issues. If no issues appear, no issues have yet been reported.
## Third-party software attributions
Version 3.0.0 of the Splunk Add-on for Carbon Black incorporates the following third-party software or libraries.