v1.1.1 Carbon Black Cloud Splunk App - Troubleshooting
V1.1.1 and earlier versions have been deprecated.
v2.0.0 was released in January 2024 with support for new APIs. The APIs used in v1.1.1 and earlier for Alerts and Live Response will be deactivated on July 31st 2024. Please upgrade to v2 of the Carbon Black Cloud Splunk App before 31st July 2024.
For information on upgrading your application, please see TO DO PUT LINK TO UPGRADE INSTRUCTIONS.
For information on APIs and Access Level types that are deprecated and will be deactivated in the second half of 2024, see the Migration Guides.
Frequently Asked Questions
- What features are included with the new Splunk app?
- For the full list of features available in the current version of the app, view the details on SplunkBase.
- Highlights of the features in this app:
  - Data Inputs
    - Support for high volume, low latency Alerts & Endpoint Events via the Data Forwarder
    - Support for Alerts, Audit Logs, Live Query Results, and Vulnerability Assessment data via a built-in input using the Carbon Black Cloud APIs
  - Supported on Splunk 8.0, 8.1, 8.2, Splunk Cloud, and Splunk ES 6.x
  - Proxy and Multi-tenancy
  - Enables alert actions & adaptive response to automate context gathering and remediation
    - For example, if Carbon Black Cloud detects LSASS memory scraping, automatically get the logged in users and move the device to a more restrictive policy
Data Inputs
- Is there a way to bring in the Carbon Black Cloud audit logs to Splunk?
- Yes. See Audit Logs under the Input Configuration.
- Do we have a document outlining how to install & configure the new version of Splunk for Carbon Black Cloud?
- Is it a requirement to use the data forwarder?
- The Forwarder is the recommended approach for ingesting Alerts and Endpoint Events into Splunk due to its reliability, scale, and low latency. This approach is required to ingest Endpoint Event data. The alternative is to use the built-in inputs packaged with the VMware Carbon Black Cloud App or Input Add-on, which leverage the Carbon Black Cloud REST APIs. This approach supports ingesting the enriched events associated with CB Analytics Alerts through an Alert Action.
- Can the VMware Carbon Black Cloud Splunk App ingest only the Alerts and not the event data or the audit information?
- The app does not require all of the data; however, parts of the dashboards may be unavailable if they rely on data types that are not ingested.
- What is the URL that we should be using for API configuration?
- When configuring the Carbon Black Cloud Environment URL for API Token Configuration, use the dashboard URL without the `https://`. Full detail on the URLs for each environment is available here.
- We are using an earlier Splunk TA which was last updated in 2015. Do you know if and when a new Splunk TA will be updated?
- A new VMware Carbon Black Cloud app available on SplunkBase supports distributed environments and includes new Input and Technology add-ons. Customers who are on Splunk 8.0+ should move to the new app to take advantage of improved data ingest options and a larger range of adaptive response features. Customers on Splunk 7.0 should upgrade the version of Splunk to use the new Carbon Black Cloud app.
- Is there a limit to the number of alerts that are pulled from the API on each sync when using the built-in Input?
- Yes, 10,000. If your organization has more than 10,000 alerts each polling interval, you can:
  - Tune alerts to reduce overall alert volume
    - CB Analytics alerts that are known-good in your environment can be tuned from the Carbon Black Cloud console using the `Dismiss all future alerts` functionality
    - Follow recommendations from our Threat Research team here
  - Modify the configured Alert Input
    - Increase the minimum severity
    - Use the Query to filter out alerts you aren’t finding value in
    - Change the polling interval from the default of 300 seconds to 120 or 60 seconds.
  - Switch to ingesting Alerts via the Forwarder
- Is there a limit to the number of Audit Logs that are pulled on each sync?
- Yes, 2500.
- What version of Splunk is supported for Carbon Black Cloud?
- Splunk version 8.0 or higher. If you are using Splunk version 7.x, you will need to upgrade the version of Splunk to use the new Carbon Black Cloud app.
- Do we have any Splunk documentation to reference for customers that wish to ingest the Carbon Black Cloud Data Forwarder data into Splunk?
- Configuring the forwarder for Events and Alerts is available here.
- A step-by-step guide on configuring ingest from an AWS S3 bucket to Splunk
- Data Forwarder Configuration API Documentation
- Does the app use the Splunk CIM?
- Yes, it uses the `Event` and `Alert` models from the Splunk CIM.
- Is the app certified by Splunk?
- The app has been verified by AppInspect and is under assessment for Splunk Cloud.
- What is the difference between the `Message Time` and `Timestamp` field in Splunk?
- Carbon Black Cloud alerts and events contain a variety of timestamps to provide insight into various stages of the data. For example, an alert will contain the timestamp of when the first event was detected as well as the most recent alert update. The App/TA will extract the most relevant timestamp field into the standard Splunk `_time` field. Descriptions of each timestamp can be found on the Developer Network documentation.
- I’m not seeing the data I expect to be ingested.
- Check the `Administration` -> `Application Health Overview` tab in the VMware Carbon Black Cloud application for errors.
- If you received one of the following errors: `Received error code 403`, `401 Unauthorized`, `User is not authenticated` or `Check your API credentials`
- Check that the configuration of API Token Configurations, specifically the API key Access Levels, is correct in the Carbon Black Cloud console, and that the correct key is assigned for the Splunk data input or alert action. See Authentication & Authorization for more information.
- How can I get support for problems I’m having with the App?
- The Carbon Black Cloud Splunk App is supported by Carbon Black; if you have a problem, open a support ticket like you would any other Carbon Black Cloud issue.
- If you are seeing the error message `More than 1 VMware CBC App detected`
- Refer to the Deployment Guide for which Apps/Add-ons should be installed on which node and fully delete (not just disable) extra copies of VMware CBC apps/add-ons from nodes where they are not needed. Then restart Splunk on that node.
- `Received network connection error from …`
- Ensure the hostname configured with your API token on the `Application Configuration` -> `API Token Configuration` page does not include `https://` or a trailing slash. For more details on verifying your URL, see the Authentication Guide. If you are using a proxy, confirm that:
  - The Proxy tab is configured in accordance with your proxy
  - The Input or Alert Action is configured to use that proxy
  - Restart Splunk
  If the issue persists, check your proxy logs to see if there are requests from the Splunk server.
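The two URL rules above (no `https://`, no trailing slash) are easy to get wrong when the console address is copy-pasted. The following is an added example, not code from the Splunk app or its documentation: a small checker that reports which of those mistakes a configured Environment URL contains and returns the corrected hostname. The hostnames in it are constructed placeholders, not real Carbon Black Cloud environments.

```python
"""Checker for the Carbon Black Cloud Environment URL used in the Splunk
app's API Token Configuration (added example, not part of the app).

Rule from the troubleshooting page: use the console (dashboard) URL
without "https://" and without a trailing slash. Hostnames used below
are constructed placeholders."""
from urllib.parse import urlsplit


def check_cbc_environment_url(value: str):
    """Return (corrected_hostname, issues) for a configured value.

    issues is a list of short codes, in the order found; an empty list
    means the value already has the expected form."""
    issues = []
    raw = value.strip()
    if raw != value:
        issues.append("surrounding-whitespace")

    # A scheme is the most common cause of the
    # "Received network connection error" message on this page.
    has_scheme = raw.lower().startswith(("http://", "https://"))
    if has_scheme:
        issues.append("scheme-present")
    # Without a scheme, urlsplit would treat the whole string as a path;
    # prefixing "//" makes it parse the host as the network location.
    parts = urlsplit(raw if has_scheme else "//" + raw)
    host = parts.netloc

    if parts.path == "/":
        issues.append("trailing-slash")
    elif parts.path:
        issues.append("path-present")  # e.g. a copied console deep link
    if parts.query or parts.fragment:
        issues.append("query-or-fragment")
    if not host:
        issues.append("empty-hostname")
    return host.lower(), issues


if __name__ == "__main__":
    # Constructed sample inputs a user might paste into the config page.
    for sample in ("https://console.example-cbc.test/",
                   "console.example-cbc.test",
                   " console.example-cbc.test/alerts?x=1 "):
        host, issues = check_cbc_environment_url(sample)
        print(f"{sample!r:45} -> {host!r} issues={issues}")
```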
- Command line or username not available in the Alert
- See the Investigating CB Analytics Alerts query on Tech Zone.
Support
- View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
- Use the CB Developer Network community forum to discuss issues and get answers from other API developers.
- Report bugs and product issues to Broadcom Support
Last modified on February 9, 2023