Splunk® Supported Add-ons

Splunk Add-on for Carbon Black

Release notes for the Splunk Add-on for Carbon Black

Version 2.0.0 of the Splunk Add-on for Carbon Black was released on May 8, 2021 and is compatible with the following software, CIM versions, and platforms.

Splunk platform versions | 7.3.x, 8.0.x, 8.1.x
CIM | 4.18.1
Platforms | Platform independent
Vendor Products | Carbon Black Response 4.2, Carbon Black Response 6.3.1, Carbon Black Response 7.4.0

New or changed features

  • Compatibility for Carbon Black Response Server 7.4.0
  • Compatibility for cb-event-forwarder 3.7.4
  • Compatibility for CIM 4.18.1
  • The CIM fields process, process_exec, and process_name will have the same value if the event contains only process_path.
  • Extraction for CIM field registry_path has been fixed in the latest release 2.0.0.
  • Extraction for CIM field process_pid has been fixed in the latest release 2.0.0.
  • A new CIM field mapping, process_hash, has been added in this release, and a non-CIM field, parent_process_hash, has been added to capture the MD5 hash of the parent process.
  • Starting with version 2.0.0, the tagging has been modified and updated as per the following table:
Eventtype | Data Model
edr_carbonblack_alert | Alert
edr_carbonblack_network | Network Traffic
edr_carbonblack_endpoint_processes | Endpoint Processes
edr_carbonblack_endpoint_registry | Endpoint Registry
edr_carbonblack_endpoint_filesystem | Endpoint Filesystem

  • As of version 2.0.0, the values for product and vendor_product are as follows:
Field | Value in version 1.1.0 | Value in version 2.0.0
product | CB Response | EDR
vendor_product | Carbon Black CB Response | Carbon Black EDR
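
Searches that filter on the version 1.1.0 values of product or vendor_product no longer match after the upgrade. The following is an added example, not part of the Splunk documentation: a Python audit that flags such searches in savedsearches.conf-style text. The stanza names and sample searches are constructed; the field names, eventtypes and values come from these release notes.

```python
import re

# Old -> new values, from the version 1.1.0 / 2.0.0 table in these release notes.
RENAMED = {
    "product": ("CB Response", "EDR"),
    "vendor_product": ("Carbon Black CB Response", "Carbon Black EDR"),
}

# Constructed sample in savedsearches.conf layout (not from a real deployment).
SAMPLE_CONF = r'''
[CB - cmd.exe executions]
search = eventtype=edr_carbonblack_endpoint_processes \
    vendor_product="Carbon Black CB Response" process_name=cmd.exe

[CB - Registry changes]
search = eventtype=edr_carbonblack_endpoint_registry product="EDR" registry_path=*

[CB - Alerts by product]
search = eventtype=edr_carbonblack_alert product IN ("CB Response", "Other") | stats count
'''

def parse_searches(conf_text):
    """Yield (stanza, search) pairs, joining backslash-continued lines."""
    joined = re.sub(r"\\\r?\n", " ", conf_text)
    stanza = None
    for line in map(str.strip, joined.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            stanza = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if stanza and sep and key.strip() == "search":
            yield stanza, value.strip()

def find_stale_filters(conf_text):
    """Return (stanza, field, old, new) for searches still filtering on a 1.1.0 value."""
    findings = []
    for stanza, search in parse_searches(conf_text):
        for field, (old, new) in RENAMED.items():
            # \b keeps "product" from matching inside "vendor_product".
            pattern = rf'\b{field}(?:\s*!?=\s*|\s+IN\s*\([^)]*?)"{re.escape(old)}"'
            if re.search(pattern, search):
                findings.append((stanza, field, old, new))
    return findings

if __name__ == "__main__":
    for stanza, field, old, new in find_stale_filters(SAMPLE_CONF):
        print(f'[{stanza}] {field}="{old}" -> "{new}"')
```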

Fixed issues

Known issues

Third-party software attributions

Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released
