Skip to content

Overview

Release notes and release history for the Splunk Add-on for Carbon Black

The release notes cover compatibility for software, Common Information Model (CIM) versions, and platforms.

Release notes 2.1.0 (latest)

Version 2.1.0 of the Splunk Add-on for Carbon Black was released on March 7, 2022.

Compatibility

Version 2.1.0 of the Splunk Add-on for Carbon Black is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 8.1.x, 8.2.x
CIM 5.0.0
Platforms Platform independent
Vendor products Carbon Black Response 4.2, Carbon Black Response 6.3.1, Carbon Black Response 7.4.0, Carbon Black EDR 7.6.1

New features

  • Added support for the latest Carbon Black EDR version v7.6.1.
  • Provided compatibility with the latest CIM version v5.0.0.
  • Fixed the _time field extraction issue when data is collected over HEC. Previously, _time indicated the ingestion time of the event. As of this version, the actual timestamp value in the event is used.
  • Fixed extraction for the file_path field to extract with a single slash instead of double slashes.
  • Corrected the user field extraction by removing incorrect values for some events.

Fixed issues

Version 2.1.0 of the Splunk Add-on for Carbon Black fixes the following issues. If no issue appear, then there are no bug fixes reported.

Known issues

Version 2.1.0 of the Splunk Add-on for Carbon Black contains the following known issues. If no issues appear, no issues have yet been reported.

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Carbon Black incorporates the following third-party software or libraries.

Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Carbon Black was released on May 8, 2021

Compatibility

Version 2.0.0 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 7.3.x, 8.0.x, 8.1.x
CIM 4.18.1
Platforms Platform independent
Vendor Products Carbon Black Response 4.2, Carbon Black Response 6.3.1, Carbon Black Response 7.4.0

New features

  • Compatibility for Carbon Black Response Server 7.4.0
  • Compatibility for cb-event-forwarder 3.7.4
  • Compatibility for CIM 4.18.1
  • CIM field process & process_exec & process_name will have the same value if the events contains only process_path.
  • Extraction for CIM field registry_path has been fixed in the latest release 2.0.0.
  • Extraction for CIM field process_pid has been fixed in the latest release 2.0.0.
  • New CIM field mapping process_hash has been added in this release and a non CIM field parent_process_hash added to capture the md5 hash of the parent process.
  • Starting with version 2.0.0, the tagging has been modified and updated as per the following table:
Event type Data model
bit9_carbonblack_alert
bit9_carbonblack_change_analysis
bit9_carbonblack_application_state
bit9_carbonblack_network
carbonblack_endpoint_processes
carbonblack_endpoint_processes
carbonblack_endpoint_filesystem
carbonblack_endpoint_registry
edr_carbonblack_alert Alert
edr_carbonblack_network Network Traffic
edr_carbonblack_endpoint_processes Endpoint Processes
edr_carbonblack_endpoint_registry Endpoint Registry
edr_carbonblack_endpoint_filesystem Endpoint Filesystem
  • As of version 2.0.0, the values for product and vendor_product are as follows:
Field Value in version 1.1.0 Value in version 2.0.0
product CB Response EDR
vendor_product Carbon Black CB Response Carbon Black EDR

Fixed issues

Version 2.0.0 of the Splunk Add-on for Carbon Black fixes the following issues. If no issue appear, then there are no bug fixes reported.

Known issues

Version 2.0.0 of the Splunk Add-on for Carbon Black contains the following known issues. If no issues appear, no issues have yet been reported.

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Carbon Black does not incorporate any third-party software or libraries.

Version 1.1.0

Compatibility

Version 1.1.0 of the Splunk Add-on for Carbon Black is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x
CIM 4.13
Platforms Platform independent
Vendor Products Carbon Black Response 4.2+, Carbon Black Response 6.3.1

New features

  • Improved load balancing on the universal forwarder
  • Compatibility for Carbon Black Response Server 6.3.1
  • Compatibility for cb-event-forwarder 3.5.0
  • Compatibility for CIM 4.13
  • Updated inputs.conf.template to monitor directory instead of file
  • Starting in version 1.1.0, the values for vendor, product and vendor_product have been updated as below:-
Field Value in version 1.0.1 Value in version 1.1.0
vendor Bit9 Carbon Black
product Carbon Black CB Response
vendor_product Bit9 Carbon Black Carbon Black CB Response

Fixed issues

Version 1.1.0 of the Splunk Add-on for Carbon Black fixes the following issues. If no issue appear, then there are no bug fixes reported.

Known issues

Version 1.1.0 of the Splunk Add-on for Carbon Black contains the following known issues. If no issues appear, no issues have yet been reported.

Third-party software attributions

Version 1.1.0 of the Splunk Add-on for Carbon Black does not incorporate any third-party software or libraries.

Version 1.0.1

Compatibility

Version 1.0.1 of the Splunk Add-on for Bit9 Carbon Black is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Platforms Platform independent
Vendor Products Carbon Black Server (CBS) 4.2 or later

Fixed issues

Version 1.0.1 of the Splunk Add-on for Bit9 Carbon Black fixes the following issues. If no issue appear, then there are no bug fixes reported.

Known issues

Version 1.0.1 of the Splunk Add-on for Bit9 Carbon Black contains the following known issues. If no issues appear, no issues have yet been reported.

Third-party software attributions

Version 1.0.1 of the Splunk Add-on for Splunk Add-on for Bit9 Carbon Black does not incorporate any third-party software or libraries.

Version 1.0.0

Compatibility

Version 1.0.0 of the Splunk Add-on for Bit9 Carbon Black has the same compatibility specifications as version 1.0.1.

New features

Version 1.0.0 of the Splunk Add-on for Bit9 Carbon Black has the following new features.

Known issues

Version 1.0.0 of the Splunk Add-on for Bit9 Carbon Black contains the following known issues. If no issues appear, no issues have yet been reported.

Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Splunk Add-on for Bit9 Carbon Black does not incorporate any third-party software or libraries.

About the Splunk Add-on for Carbon Black

Component Description
Version 2.1.0
Vendor Product(s) Carbon Black Response 4.2+, Carbon Black Response 6.3.1, Carbon Black EDR 7.4.0, Carbon Black EDR 7.6.1

Note

As of version 1.1.0, the Splunk Add-on for Bit9 Carbon Black is now called the Splunk Add-on for Carbon Black.

Use the Splunk Add-on for Carbon Black to collect notifications and event data in JSON format from Carbon Black Response servers over a pub/sub bus. The add-on collects watchlist hit, feed hit, new binary instance, and binary file upload complete notifications, as well as raw endpoint events.

Release notes and release history

For a summary of new features, fixed issues, and known issues and for more information on release history, see Release notes for the Splunk Add-on for Carbon Black.

Compatibility

This add-on provides the inputs and Common Information Model (CIM)-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

For detailed information about compatibility with other software, CIM versions, and platforms, see the Release notes for the SplunkAdd-on for Carbon Black.

Source types and lookups

For more information about the source types for the Add-on for Carbon Black, see the Source types.

Download the add-on

You can download the Splunk Add-on for Carbon Black from Splunkbase.

Install and configure the add-on

To install and configure the Splunk Add-on for Carbon Black, see Installation and configuration overview.

Hardware and software requirements

For more information, see Hardware and software requirements.

Additional resources

For more information, see Questions related to Splunk Add-on for Carbon Black on Splunk Answers.

See Troubleshooting guidelines specific for this add-on.

Hardware and software requirements for the Splunk Add-on for Carbon Black

Carbon Black requirements

This add-on consumes Carbon Black event data from a JSON file configured through file_monitor. You download and run the Carbon Black Event Forwarder utility (cb-event-forwarder) in order to generate the JSON file. Splunk monitors the JSON file that is generated by this utility.

The cb-event-forwarder utility and installation instructions are available on GitHub at GitHub - cb-event-forwarder.

Splunk platform requirements

Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you use to run this add-on.

Splunk Enterprise

For Splunk Enterprise system requirements, see System requirements for use of Splunk Enterprise on-premises in the Splunk Enterprise Installation Manual.

Splunk Cloud Platform

If you are managing on-premises forwarders to get data into Splunk Cloud Platform, see System requirements for use of Splunk Enterprise on-premises in the Splunk Enterprise Installation Manual, which includes information about forwarders.

Installation and configuration overview for the Splunk Add-on for Carbon Black

To install and configure the Splunk Add-on for Carbon Black on your supported platform, complete the following steps:

  1. Download the Splunk Add-on for Carbon Black

  2. Install the Splunk Add-On for Carbon Black

  3. Download the Carbon Black Event Forwarder utility

  4. Configure your Carbon Black instance to generate and send events to Splunk

Ended: Overview

Installation and configuration

Install the Splunk Add-on for Carbon Black

Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise. See the installation walkthrough section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, Splunk Cloud, or Splunk Light.

Distributed installation of this add-on

This table provides a quick reference for installing this add-on to a distributed deployment of Splunk Enterprise.

Splunk instance type Supported Required Comments
Search Heads Yes Yes Install this add-on to all search heads where Carbon Black knowledge management is required.
Indexers Yes Conditional Not required if you use heavy forwarders to monitor Carbon Black data. Required if you use universal or light forwarders to collect data.
Heavy Forwarders Yes See comments This add-on supports forwarders of any type for data collection. If installed on heavy forwarders, does not need to be installed on indexers.
Universal Forwarders Yes See comments This add-on supports forwarders of any type for data collection. You must also install this add-on on your indexers if using universal forwarders.

Distributed deployment compatibility

This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.

Distributed deployment feature Supported Comments
Search Head Clusters Yes You can install this add-on on a search head cluster for all search-time functionality. Configure inputs only on a forwarder to avoid duplicate data collection.
Indexer Clusters Yes
Deployment Server Yes Supported for deploying the configured add-on.

Installation walkthrough

See About installing Splunk add-ons in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:

Upgrade the Splunk Add-on for Carbon Black

The following upgrade steps provide a directory monitoring approach that ensures rolled-over JSON files are not missed if your Splunk platform deployment experiences downtime.

If your Splunk platform instance has been down, preventing the ingestion of files, switching from file monitoring to directory monitoring may cause a temporary spike in missed data ingestion.

Change File Monitoring to Directory Monitoring

  1. Download and install version 2.0.0 or higher of the Splunk Add-on for Carbon Black.
  2. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/local and open inputs.conf in a text editor.
  3. Update the monitoring path:
    • Change the existing path from <path_of_the_json_file> to <path_of_the_directory_containing_json_file>.
  4. Add a whitelist parameter:
    • Include whitelist = <regex_to_match_json_files>. Refer to the inputs.conf.template file in $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/default/ for guidance.
  5. Replace <regex_to_match_json_files> with a regular expression to monitor the required JSON files. For example, .*\.json(\.[\d\-T:\.a-z]*)? matches the following files:
    • event_bridge_output.json.2019-05-13T11:41:28.167.restart
    • event_bridge_output.json.20190417
    • event_bridge_output.json
  6. Save your changes to the inputs.conf file.
  7. Restart your data collection node to apply the changes.

Configure your Carbon Black instance to generate and send events to Splunk

Configure your Carbon Black instance to send JSON formatted data to Splunk:

  1. Install the latest version of cb-event-forwarder, which is an open-source utility to send JSON formatted data to Splunk.
  2. Follow the steps at cb-event-forwarder GitHub repository.

Though Carbon Black supports data collection using file monitoring or HEC, avoid file monitoring for data collection if possible. File monitoring requires the user to point to the location of individual JSON files, which can lead to errors. Do not configure HEC and file monitoring together, as this leads to data duplication.

Configure HEC inputs for the Splunk Add-on for Carbon Black

Configure HEC to ingest Carbon Black data.

  1. Create a new HEC input from Splunk UI by following the steps in Set up and use HTTP Event Collector in Splunk Web.

  2. Add the Splunk stanza, if not already present, to the cb_event_forwarder file. Specify the HEC token for the hec_token stanza in cb-event-forwarder.conf. For version 2.1.0 onwards, the HEC raw endpoint is used to collect data. Add the http_output_format to separate events. The final stanza should look like this:

    [splunk]
http_post_template={{range .Events}}{{.EventText}}"||"{{end}}
client_key = /etc/cb/integrations/event-forwarder/client-key.pem
server_cname = your-splunk-server-name
tls_verify = false
insecure_tls = false
bundle_send_timeout = 60
upload_empty_files = false
bundle_size_max = 10485760
hec_token = <configured_hec_token>

  3. Replace the splunkout URL with the HEC raw endpoint. Optionally, if your HEC token has Indexer Acknowledgement enabled, add a unique channel ID against the splunkout argument in the bridge stanza:

    splunkout = https://<your-splunk-HEC-endpoint>:8088/services/collector/raw?channel=<unique_channel_id>

  4. Restart the event forwarder and check for events.

Configure monitor inputs for the Splunk Add-on for Carbon Black

Configure a data collection node in the Splunk platform to monitor the JSON file generated by the script provided by Carbon Black. See Hardware and software requirements for the Splunk Add-on for Carbon Black for information about this script. You can use either Splunk Web to create monitor tasks or configure inputs.conf directly.

Configure Monitoring through Splunk Web

If you have access to Splunk Web on your data collection node, follow the steps:

  1. Log into Splunk Web.
  2. Navigate to Settings, then select Data inputs, and select Files & directories.
  3. Select New.
  4. Select Browse next to the File or Directory field and navigate to the directory where the Carbon Black Event Forwarder utility has generated the JSON file.
  5. On the Whitelist page, add a regular expression so that Splunk Enterprise only monitors the required JSON files, then select Next. For example, .*\.json(\.[\d\-T:\.a-z]*)? will match the following types of files:
    • event_bridge_output.json.2019-05-13T11:41:28.167.restart
    • event_bridge_output.json.20190417
    • event_bridge_output.json.
  6. On the Sourcetype page, select Manual to enter a source type manually.
  7. Type the following in the Sourcetype field: bit9:carbonblack:json.
  8. Select Review.
  9. After reviewing the information, select Submit.

After you configure monitoring, verify that data is being ingested into the Splunk platform by using the following search command to check that events are returned:

sourcetype=bit9:carbonblack:json

Configure inputs.conf

The Splunk Add-on for Carbon Black includes a file named inputs.conf.template that you can use as a template to create an inputs.conf file on your data collection node.

  1. Copy the file named inputs.conf.template in the $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/default folder to the $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/local folder.

  2. Open the inputs.conf.template file in a text editor. The contents look like this:

    [monitor://<path_of_the_directory_containing_json_file>]
sourcetype = bit9:carbonblack:json
whitelist = <regex_to_match_json_files>

  3. Replace <path_of_the_directory_containing_json_file> with the actual path of the directory where the JSON file is generated.

  4. Replace <regex_to_match_json_files> with a regular expression to monitor the required JSON files. For example, .*\.json(\.[\d\-T:\.a-z]*)? will match the following types of files:
    • event_bridge_output.json.2019-05-13T11:41:28.167.restart
    • event_bridge_output.json.20190417
    • event_bridge_output.json.
  5. Rename the file to inputs.conf.
  6. Restart your data collection node for the changes to take effect.

Once you configure monitoring, verify that data is being ingested into the Splunk platform by using the following search command to check that events are returned:

sourcetype=bit9:carbonblack:json

Ended: Installation and configuration

Troubleshooting

Troubleshoot the Splunk Add-on for Carbon Black

There are no troubleshooting guidelines specific to the Splunk Add-on for Carbon Black.

General troubleshooting

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons.

For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Ended: Troubleshooting

Reference

Source types for the Splunk Add-on for Carbon Black

The Splunk Add-on for Carbon Black collects notifications and event data from Carbon Black Response servers in JSON format and provides the following source type and event types.

Data source Sourcetype Event type CIM compliance
JSON file bit9:carbonblack:json bit9_carbonblack_alert Alerts, Intrusion Detection
bit9_carbonblack_change_analysis
bit9_carbonblack_application_state
bit9_carbonblack_network
carbonblack_endpoint_processes
carbonblack_endpoint_filesystem
carbonblack_endpoint_registry
edr_carbonblack_alert Alerts
edr_carbonblack_network Network Traffic
edr_carbonblack_endpoint_processes Endpoint
edr_carbonblack_endpoint_registry Endpoint
edr_carbonblack_endpoint_filesystem Endpoint

Lookups for the Splunk Add-on for Carbon Black

The Splunk Add-on for Carbon Black contains the following lookups.

Filename Description
bit9_cbs_actions.csv Maps vendor_action to action.

Ended: Reference