This section provides instructions for configuring and using Carbon Black App Control External Analytics, which enables the Carbon Black App Control Server to export data it collects from endpoints to external analysis tools.

This integration can enhance your ability to analyze data and makes it possible for the external tool to analyze data from multiple sources, including other Carbon Black App Control Servers.

Note: Carbon Black App Control's External Analytics are integrated with Splunk, and the examples shown here are Splunk-specific. However, the general description of data export configuration given here should enable users with expertise in setting up other external analysis tools to integrate with those tools.

Carbon Black App Control provides Syslog event output that can be analyzed and displayed by multiple tools. Beginning with release v7.2, the Carbon Black App Control external analytics integration feature provides another way to utilize the extensive data collected by Carbon Black App Control. A Carbon Black App Control Server can be configured to send data to external data analytics tools, such as Splunk. Integrating Carbon Black App Control with an external analytics tool offers the following advantages:

  • Analyze Data from Multiple Sources – You can view Carbon Black App Control information in context with streams of information from other data security platforms or multiple Carbon Black App Control Servers. For this release, data imported to Splunk can be normalized to the CIM standard.
  • Add Carbon Black App Control File Data to Analysis – Unlike Syslog-based integrations, the external analytics integration is not limited to event log output. You can choose to export Carbon Black App Control event data, the file catalog, and/or file operations data to the external tool. The type and amount of data you send is configurable in the Carbon Black App Control Console.
  • Use New Reporting Capabilities – You can use the capabilities of an external tool to generate new types of reports from your Carbon Black App Control data.
  • Shift the Analysis Load – You can reduce the load on the Carbon Black App Control database server by moving data analysis to another tool and location.
  • Link the App Control Console to External Reporting Tools – Enabling an analytics integration can add links from certain Carbon Black App Control Console pages to the external analysis tool console.

Data exported for external analytics is in JSON format.

Note: Available File Catalog data is described in File, Publisher, and Application Information. The events available from Carbon Black App Control are described in the separate VMware Carbon Black App Control Events Guide.