This repository has been archived by the owner on Mar 2, 2022. It is now read-only.

Releases: carbonblack/cb-defense-splunk-app

Cb Defense App for Splunk 1.1.5

19 Sep 17:44

Exposes an alert-search custom search command.

Cb Defense Add-on For splunk 2.0.2

19 Sep 17:29
e52d7f5

Thanks f8al :) Updates to transforms.conf and props.conf to correct incoming data from CBD.

Cb Defense Add-On for Splunk

09 Mar 22:17

Pulls Cb Defense Notification data into Splunk via REST.

Cb Defense App for Splunk

09 Mar 21:29

Overview

Welcome to the Cb Defense App for Splunk.

The Cb Defense App for Splunk integrates Cb Defense with Splunk Enterprise! Please ensure that the Cb Defense Add-on for Splunk is installed before installing this app, as this app requires the Add-on to function.

The V1.0.0 release includes pre-built visualizations from Cb's internal threat researchers, providing a thorough overview of Cb Defense environments as well as dashboards to search through threat and policy notifications, view and manipulate device status, and more.

Main Features

  • Cb Defense Overview Dashboard
    • Comprehensive overview of your Cb Defense data in Splunk
    • View total detections, policy actions, rare applications
    • Triage threats by severity
  • Threat Search
    • GeoIP map of threats based on severity
    • Additional table of threat information
    • Searchable (SPL) to isolate threat events of interest
  • Policy Action Search
    • GeoIP map of policy actions by reputation
    • Tabular display of policy activities
    • Searchable (SPL) to isolate policy events of interest
  • Login Map (Splunk)
    • GeoIP map and table of logins (attempted and successful) to Splunk instances
  • Device Search
    • Powered by the devicesearch custom search command
    • Uses the Cb Defense REST API to retrieve device status information
    • GeoIP map of devices by external IPs + table of the same
    • Enter a device query to filter results, e.g. ‘hostname:WIN-1984VBRULES’ or ‘ipAddress:172.17.178.1’

Adaptive Response framework and Splunk Enterprise Security integration.

Currently supported adaptive response actions:

  • Change Cb Defense Sensor Policy: change the assigned security policy of one or more Cb Defense devices based on the IP address, hostname or deviceId in an event
  • Fully integrated with the existing alert & notable event framework in Splunk Enterprise Security.
  • Host Name Matching as per
    • Use the 'hostnameexact' inputtype for exact matching and 'hostname' for inexact matching