Skip to main content
Splunk Lantern

Carbon Black


Carbon Black is a source for endpoint protection that can be forwarded into Splunk for correlation with other security indicators and for alerting on detections of attacks. The Carbon Black event data is forwarded to Splunk by universal forwarders in JSON format. Carbon Black provides fields and tags in the endpoint security domain focusing on intrusion detection, system changes used for malware detection, and investigation. It also monitors network traffic, does protocol analysis, and tracks and alerts on application behavior. In the Common Information Model, Carbon Black can be mapped to any of the following data models, depending on the field: AlertsIntrusion DetectionChangeNetwork TrafficEndpoint. Any use cases that leverage these data models could work directly or with minor adjustments.  

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: