Skip to main content

Carbon Black

  • Updated

Carbon Black is a source for endpoint protection that can be forwarded into Splunk for correlation with other security indicators and for alerting on detections of attacks. The Carbon Black event data is forwarded to Splunk by universal forwarders in JSON format. In the Common Information Model, Carbon Black can be mapped to any of the following data models, depending on the field: Alerts, Intrusion Detection, Change, Network Traffic, Endpoint. Any use cases that leverage these data models could work directly or with minor adjustments. 

Data visibility 

The Carbon Black data source provides fields and tags in the endpoint security domain focusing on intrusion detection, system changes used for malware detection, and investigation. It also monitors network traffic, does protocol analysis, and tracks and alerts on application behavior. 

Data application

When your Splunk deployment is ingesting Carbon Black, you can use the data to achieve the following objectives:

Configuration

The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Carbon Black resources.

Data ingestion

If your deployment is not already ingesting Carbon Black data, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.

The source type is bit9:carbonblack:json

The supported input type is monitor://<path_of_the_directory_containing_json_file>.

In addition, you will need the Splunk Add-on for Carbon Black. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Carbon Black, and configure Splunk. 

Sizing estimate

The best way to calculate sizing is to measure it in your environment by sending it to Splunk in a lab. A estimated baseline could be 150 MB/day per Carbon black instance and 5 MB/ day from each endpoint. This is a rough estimate and can vary widely. It is best to measure with Splunk or to inspect the log sizes directly. 

Validation

Validation is done by searching the index and validating timestamp, sourcetype, and field extractions. 

A search similar to the following is a good starting point:

index=* earliest=-15m@ sourcetype=bit9:carbonblack:json 
|stats count by sourcetype source index 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.