Splunk integration with Carbon Black Response
Splunk and Carbon Black Response (CbR) are two powerful tools in a modern security program. In this video, Michael Haag, author of the CbR+Splunk integration, walks through:
- How to enable the integration and what data sets to consider
- Three common scenarios you will encounter when using CbR data inside Splunk
- Advanced techniques, including software inventorying, risk scoring, and response automation
00:12 Presenter Introduction
02:14 Webinar Agenda
02:40 Integration Setup: Two Parts
03:17 “The next step is to configure the pushing of data and the pulling of data into Splunk.” -Jason
05:30 Integration Setup: Part 1
05:42 “There are two different ways that we can push that data from the event forwarder into Splunk.” -Jason
07:25 Integration Setup: Part 2
07:50 “Those custom commands pull the authentication tokens from the API that’s taken from the App Setup page.” -Jason
09:47 Use Cases and Advanced Techniques
11:00 Data Analysis
13:30 “Once you get it tuned properly, you can begin to alert.” -Mike
13:53 powershell.exe
15:20 net.exe
16:24 osascript
17:19 Python
20:15 Write a New Detector
21:55 “That’s where you are going to start. You’re going to do that broad search to show you everything in your environment to see if it is even executing or if it has ever executed.” -Mike
22:22 What’s New
26:30 “It takes a village. It takes all of us to defend our networks. If we can all work together, we are going to be stronger for it.” -Jason
27:38 Cb Alerts
29:00 “The power of being able to search in Splunk is really the great combination of getting all of the very granular endpoint data from Carbon Black and getting it into a tool like Splunk to be able to do that search and visualization.” -Jason
29:35 Event Scoring
30:14 “We took watchlists, our feeds, and any indicators of compromise that were associated with endpoints.” -Mike
33:43 Workflow Action and Automation
37:29 “We set throttles up on our alerts specifically so that if an endpoint was compromised and it was malware and it kept executing a certain command or running PowerShell over and over.” -Mike
38:42 Software Inventory
42:30 “You’re thinking in concepts and groups of processes talking to other groups of processes or other hosts and so forth. I think it’s a great way to provide those building blocks to people to build those more complicated Splunk queries on top of it.” -Jason
43:05 Questions & Answers
43:45 Question 1: How long have you been working with Splunk?
44:00 “I remember Splunk 4, so I guess it has been quite a while now that we are on Splunk 7.” -Mike
44:20 Question 2: Does the Carbon Black Response app replace the Bit9 app?
45:22 “You need both. The TA is used to parse out all the raw data from Cb Response and then the app is layered on top of it to do all of the other great stuff that we just looked at during the webinar.” -Jason
45:43 Question 3: If you have Cb Response in the cloud and Splunk on-premises and want events forwarded to your on-premises Splunk server, what should a customer do?
45:56 “If you have Cb Response in the cloud and Splunk on-premises, you would use that second method for getting events pushed into your Splunk server.” -Jason
46:48 Question 4: We talked a lot about response, what about protection and defense?
47:20 “Protection has a Splunk app available for it as well so if you just search for Cb Protection.” -Jason
47:40 “The defense app is just a way to get Cb notifications and alerts into Splunk. We don’t have any dashboards for it yet.” -Jason
49:23 Question 5: Do you have a roadmap for dashboards in the Splunk app for overall situational awareness or management reporting?
49:30 “We’re always looking for new use cases. We don’t have anything specifically in our roadmap.” -Jason