Download topic as PDF
Release history for the Splunk Add-on for Carbon Black
The latest version of the Splunk Add-on for Carbon Black is version 2.1.0. See "Release notes for the Splunk Add-on for Carbon Black" for the release notes of this latest version.
Version 2.0.0
Version 2.0.0 of the Splunk Add-on for Carbon Black was released on May 8, 2021 and is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 7.3.x, 8.0.x, 8.1.x |
| CIM | 4.18.1 |
| Platforms | Platform independent |
| Vendor Products | Carbon Black Response 4.2, Carbon Black Response 6.3.1, Carbon Black Response 7.4.0 |
New or changed features
- Compatibility for Carbon Black Response Server 7.4.0
- Compatibility for cb-event-forwarder 3.7.4
- Compatibility for CIM 4.18.1
- CIM field process & process_exec & process_name will have the same value if the events contains only process_path.
- Extraction for CIM field registry_path has been fixed in the latest release 2.0.0.
- Extraction for CIM field process_pid has been fixed in the latest release 2.0.0.
- New CIM field mapping process_hash has been added in this release and a non CIM field parent_process_hash added to capture the md5 hash of the parent process.
- Starting with version 2.0.0, the tagging has been modified and updated as per the following table:
| Eventtype | Data Model |
|---|---|
| bit9_carbonblack_alert | |
| bit9_carbonblack_change_analysis | |
| bit9_carbonblack_application_state | |
| bit9_carbonblack_network | |
| carbonblack_endpoint_processes | |
| carbonblack_endpoint_processes | |
| carbonblack_endpoint_filesystem | |
| carbonblack_endpoint_registry | |
| edr_carbonblack_alert | Alert |
| edr_carbonblack_network | Network Traffic |
| edr_carbonblack_endpoint_processes | Endpoint Processes |
| edr_carbonblack_endpoint_registry | Endpoint Registry |
| edr_carbonblack_endpoint_filesystem | Endpoint Filesystem |
- As of version 2.0.0, the values for product and vendor_product are as follows:
| Field | Value in version 1.1.0 | Value in version 2.0.0 |
|---|---|---|
| product | CB Response | EDR |
| vendor_product | Carbon Black CB Response | Carbon Black EDR |
Fixed issues
Version 2.0.0 of the Splunk Add-on for Carbon black fixes the following issues. If no issues appear below, no issues have yet been reported.
Known issues
Version 2.0.0 of the Splunk Add-on for Cisco ESA contains the following known issues.
If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 2.0.0 of the Splunk Add-on for Carbon Black does not incorporate any third-party software or libraries.
Version 1.1.0
Version 1.1.0 of the Splunk Add-on for Carbon Black is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x |
| CIM | 4.13 |
| Platforms | Platform independent |
| Vendor Products | Carbon Black Response 4.2+, Carbon Black Response 6.3.1 |
New or changed features
- Improved load balancing on the universal forwarder
- Compatibility for Carbon Black Response Server 6.3.1
- Compatibility for cb-event-forwarder 3.5.0
- Compatibility for CIM 4.13
- Updated inputs.conf.template to monitor directory instead of file
- Starting in version 1.1.0, the values for vendor, product and vendor_product have been updated as below:-
| Field | Value in version 1.0.1 | Value in version 1.1.0 |
|---|---|---|
| vendor | Bit9 | Carbon Black |
| product | Carbon Black | CB Response |
| vendor_product | Bit9 Carbon Black | Carbon Black CB Response |
Fixed issues
Version 1.1.0 of the Splunk Add-on for Carbon Black fixes the following issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2019-05-20 | ADDON-21945 | Update/add regex to incorporate "ingress.event.childproc" as is_process |
| 2019-05-20 | ADDON-21989 | Change fieldalias to eval to avoid overriding of process_id when pid is blank |
Known issues
Version 1.1.0 of the Splunk Add-on for Carbon Black contains no known issues.
Third-party software attributions
Version 1.1.0 of the Splunk Add-on for Carbon Black does not incorporate any third-party software or libraries.
Version 1.0.1
Version 1.0.1 of the Splunk Add-on for Bit9 Carbon Black is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x |
| CIM | 4.11 |
| Platforms | Platform independent |
| Vendor Products | Carbon Black Server (CBS) 4.2 or later |
Fixed issues
Version 1.0.1 of the Splunk Add-on for Bit9 Carbon Black fixes the following issues.
| Date | Issue number | Description |
| 2015-10-13 | ADDON-4350 | Alert data should be mapped to IDS data model. |
| 2015-10-11 | ADDON-6008 | Failed field EVAL for 'dvc' and 'dest' |
Known issues
Version 1.0.1 of the Splunk Add-on for Bit9 Carbon Black contains no known issues.
Third-party software attributions
Version 1.0.1 of the Splunk Add-on for Splunk Add-on for Bit9 Carbon Black does not incorporate any third-party software or libraries.
Version 1.0.0
Version 1.0.0 of the Splunk Add-on for Bit9 Carbon Black has the same compatibility specifications as version 1.0.1.
New features
Version 1.0.0 of the Splunk Add-on for Bit9 Carbon Black has the following new features.
| Date | Issue number | Description |
| 2015-06-11 | ADDON-1096 | Create Add-on to support Bit9 Carbon Black as a data source. |
Known issues
Version 1.0.0 of the Splunk Add-on for Bit9 Carbon Black contains the following known issues.
| Filed Date | Issue number | Description |
| 2015-10-11 | ADDON-6008 | Failed field EVAL for 'dvc' and 'dest' |
| 2015-06-25 | ADDON-4350 | Alert data should be mapped to IDS data model. |
Third-party software attributions
Version 1.0.0 of the Splunk Add-on for Splunk Add-on for Bit9 Carbon Black does not incorporate any third-party software or libraries.
|
PREVIOUS Release notes for the Splunk Add-on for Carbon Black |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!