Michael Haag, Jason Garman

5 ways integrating Carbon Black Response data in Splunk can improve your security
Splunk integration with Carbon Black Response

Splunk and Carbon Black Response (CbR) are two critically important tools in the modern security program. In this video, the author of the CbR+Splunk integration, Michael Haag, walks through:

  • How to enable the integration and what data sets to consider
  • Three common scenarios you will encounter when using CbR data inside Splunk
  • Advanced techniques, including software inventorying, risk scoring, and response automation

00:12 Presenter Introduction

02:14 Webinar Agenda

02:40 Integration Setup: Two Parts

03:17 “The next step is to configure the pushing of data and the pulling of data into Splunk.” -Jason

05:30 Integration Setup: Part 1

05:42 “There are two different ways that we can push that data from the event forwarder into Splunk.” -Jason

07:25 Integration Setup: Part 2

07:50 “Those custom commands pull the authentication tokens from the API that’s taken from the App Setup page.” -Jason

09:47 Use Cases and Advanced Techniques

11:00 Data Analysis

13:30 “Once you get it tuned properly, you can begin to alert.” -Mike

13:53 Powershell.exe

15:20 Net.exe

16:24 Osascript

17:19 Python

20:15 Write a New Detector

21:55 “That’s where you are going to start. You’re going to do that broad search to show you everything in your environment to see if it is even executing or if it has ever executed.” -Mike

22:22 What’s New

26:30 “It takes a village. It takes all of us to defend our networks. If we can all work together, we are going to be stronger for it.” -Jason

27:38 Cb Alerts

29:00 “The power of being able to search in Splunk is really the great combination of getting all of the very granular endpoint data from Carbon Black and getting it into a tool like Splunk to be able to do that search and visualization.” -Jason

29:35 Event Scoring

30:14 “We took watchlists, our feeds, and any indicators of compromise that were associated with endpoints.” -Mike

33:43 Workflow Action and Automation

37:29 “We set throttles up on our alerts specifically so that if an endpoint was compromised and it was malware and it kept executing a certain command or running PowerShell over and over.” -Mike

38:42 Software Inventory

42:30 “You’re thinking in concepts and groups of processes talking to other groups of processes or other hosts and so forth. I think it’s a great way to provide those building blocks to people to build those more complicated Splunk queries on top of it.” -Jason

43:05 Questions & Answers

43:45 Question 1: How long have you been working with Splunk?

44:00 “I remember Splunk 4, so I guess it has been quite a while now that we are on Splunk 7.” -Mike

44:20 Question 2: Does the Carbon Black Response app replace the Bit9 app?

45:22 “You need both. The TA is used to parse out all the raw data from Cb Response and then the app is layered on top of it to do all of the other great stuff that we just looked at during the webinar.” -Jason

45:43 Question 3: If you have Cb Response in the cloud and Splunk on-premises and want events forwarded to your on-premises Splunk server, what should a customer do?

45:56 “If you have Cb Response in the cloud and Splunk on-premises, you would use that second method for getting events pushed into your Splunk server.” -Jason

46:48 Question 4: We talked a lot about response, what about protection and defense?

47:20 “Protection has a Splunk app available for it as well, so if you just search for Cb Protection.” -Jason

47:40 “The Defense app is just a way to get Cb notifications and alerts into Splunk. We don’t have any dashboards for it yet.” -Jason

49:23 Question 5: Do you have a roadmap for dashboards in the Splunk app for overall situational awareness or management reporting?

49:30 “We’re always looking for new use cases. We don’t have anything specifically in our roadmap.” -Jason