Splunk

Driving Security Innovation Through Strategic Global Partnership


Splunk Enterprise is the industry‐leading platform for machine data. Splunk Enterprise provides an easy, fast and secure way to analyze the massive streams of machine data generated by your IT systems and technology infrastructure—whether it’s physical, virtual or in the cloud. Use Splunk Enterprise to troubleshoot problems and investigate security incidents in minutes, not hours or days. Monitor your end‐to‐end infrastructure to avoid service degradation or outages. Gain operational intelligence with real‐time visibility and critical insights into customer experience, transactions and other key business metrics. Splunk Enterprise makes your machine data accessible, usable and valuable across the organization. For more information, please visit www.splunk.com.

  • Cb Response Add-on for Splunk

    The Splunk Add-on for Carbon Black allows a Splunk® Enterprise administrator to collect notifications and event data in JSON format from Cb Response servers over a pub/sub bus. The add-on collects watchlist hit, feed hit, new binary instance, and binary file upload complete notifications, as well as raw endpoint events. After Splunk Enterprise indexes the events, you can consume the data using the prebuilt dashboard panels included with the add-on. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk Enterprise apps, such as the Splunk App for Enterprise Security and the Splunk App for PCI Compliance.

  • Cb Response App for Splunk

    The Cb Response App for Splunk allows administrators to leverage the industry’s leading EDR solution to see, detect and take action upon endpoint activity from directly within Splunk. Once installed, the App will allow administrators to access many of the powerful features of Carbon Black, such as process and binary searches from within and in conjunction with Splunk.

    When used alongside Splunk’s Enterprise Security, the Cb Response App for Splunk also provides Adaptive Response Actions to take action automatically based on the results of Correlation Searches, and on an ad-hoc basis on Notable Events surfaced within Splunk ES.

    Pre-Built Dashboards:

    • Overview: Provides a quick overview including the number of sensors reporting alerts and the top feed and watchlist hits across the enterprise.
    • Binary Search: Search the Cb Response binary holdings via the binarysearch custom command.
    • Process Search: Search the processes tracked by Cb Response via the processsearch custom command.
    • Process Timeline: Produce a simple timeline of events given a Cb Response process GUID.
    • Sensor Search: Search endpoints tracked by Cb Response via the sensorsearch custom command.
    • Cb Response Endpoint Status: Display information about the total number of reported sensors, OS and Cb Response agent version distribution across all endpoints.
    • Cb Response Network Overview: Show visualizations related to incoming and outgoing network connections recorded by Cb Response. Note that this view is only populated if netconn events are forwarded via the Cb Event Forwarder.
    • Cb Response Binary Status: Display information about attempts to execute banned processes, and information on new executables and shared libraries discovered by Cb Response.

    Custom Adaptive Response Actions:

    • Kill Process: Kill a given process that is actively running on an endpoint running the Cb Response sensor.
    • Ban MD5 Hash: Ban a given MD5 hash from executing on any host running the Cb Response sensor.
    • Isolate Sensor: Isolate a given endpoint from the network.

  • Cb Defense Add-on for Splunk

    The Cb Defense Add-on for Splunk allows administrators to forward events and notifications from the industry’s leading NGAV solution into Splunk for correlation and analysis. Gain immediate insight into why Cb Defense took action on the endpoint with the expansive telemetry of an attack to accelerate the incident investigation.

    This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk Enterprise apps, such as the Splunk App for Enterprise Security and the Splunk App for PCI Compliance.

  • Cb Protection App for Splunk

    Carbon Black created an advanced security reporting and analysis app for Cb Protection users. The Cb Protection App for Splunk enables users to take advantage of the powerful visualization and analysis capabilities within Splunk to enhance operational management of Cb Protection and to more quickly access intelligence during an investigation or audit.

    The “New Unapproved Files” pivot table lets you easily zero in on which processes and files are generating the most unapproved-file traffic, making it easier to define rules to reduce the amount of “noise” in your Cb Protection environment.

    Primary areas of focus for the Splunk App for Cb Protection include:

    • Deployment Activity at a glance – leading to better operational tuning based on new views and insights
    • File and Computer Investigations – comprehensive and timely investigations in a simple dashboard
    • Administrator Audit – full visibility into an important source of trusted change
    • Ability to create custom and ad-hoc queries
