The Cb Response App for Splunk allows administrators to leverage the industry’s leading EDR solution to see, detect and take action upon endpoint activity from directly within Splunk. Once installed, the App will allow administrators to access many of the powerful features of Carbon Black, such as process and binary searches from within and in conjunction with Splunk.
When used alongside Splunk's Enterprise Security, the Cb Response App for Splunk also provides Adaptive Response Actions that take action automatically based on the results of Correlation Searches, or on an ad-hoc basis against Notable Events surfaced within Splunk ES.
Dashboards:
- Overview: Provides a quick overview including the number of sensors reporting alerts and the top feed and watchlist hits across the enterprise.
- Binary Search: Search the Cb Response binary holdings via the binarysearch custom command.
- Process Search: Search the processes tracked by Cb Response via the processsearch custom command.
- Process Timeline: Produce a simple timeline of events given a Cb Response process GUID.
- Sensor Search: Search endpoints tracked by Cb Response via the sensorsearch custom command.
- Cb Response Endpoint Status: Display information about the total number of reported sensors, OS and Cb Response agent version distribution across all endpoints.
- Cb Response Network Overview: Show visualizations related to incoming and outgoing network connections recorded by Cb Response. Note that this view is only populated if netconn events are forwarded via the Cb Event Forwarder.
- Cb Response Binary Status: Display information about attempts to execute banned processes, and information on new executables and shared libraries discovered by Cb Response.
Custom Adaptive Response Actions:
- Kill Process: Kill a given process that is actively running on an endpoint running the Cb Response sensor.
- Ban MD5 Hash: Ban a given MD5 hash from executing on any host running the Cb Response sensor.
- Isolate Sensor: Isolate a given endpoint from the network.