The Splunk App for Carbon Black App Control includes the following dashboards.
- Deployment Activity – Overview of information available from Carbon Black App Control installation.
- Activity Details: File Activity – Information about file creation and modification activity on Carbon Black App Control-managed computers.
- Activity Details: Blocks – Information about files blocked on Carbon Black App Control-managed computers.
- Activity Details: Approvals – Information about files approved on Carbon Black App Control-managed computers.
- Activity Details: New Unapproved Files – Information about new files that are discovered on Carbon Black App Control-managed computers and neither approved nor banned.
- Activity Details: Events – Information about events recorded on the Carbon Black App Control Server.
- File Investigation – Information suitable for a malware investigation focused on a specific file or files. If you link from the Carbon Black App Control Console, this dashboard provides information about the file from the details page from which you linked.
- Computer Investigation – Information suitable for a malware investigation focused on a specific computer or computers. If you link from the Carbon Black App Control Console, this provides information about the computer from whose details page you linked.
- Console Users – Information suitable for discovering anomalous or risky actions performed by a specific Carbon Black App Control Console user or users. If you link from the Carbon Black App Control Console, this dashboard provides information about the user from whose details page you linked.
- All Console Users – Information about all App Control Console users.
Each of these dashboards contains panels that display information imported into Splunk from a Carbon Black App Control Server. Some also include a summary panel at the top. If you have used the Dashboard in the Carbon Black App Control Console, some of these panels will be familiar. However, here they can take advantage of the analysis and multi-source integration capabilities of Splunk. The Panels in Splunk App for Carbon Black App Control Dashboards table shows the panels available on the Splunk App for Carbon Black App Control dashboards, and identifies the dashboards on which they appear.
Panels in these dashboards may include tables of data or charts that graphically display the data, such as the display of Triggered Alerts in the following example. Some panels include both.
When you hover the mouse over a section of the chart, such as a pie chart slice or a bar in a bar chart, a legend appears describing the data represented by that section.
If you click on one of these sections, the underlying data is displayed.
These panels provide other standard Splunk features, such as the ability to change the time period for which data is displayed.
| Dashboard | Panel | Description |
|---|---|---|
| Deployment Activity | Host Activity | File and event activity by agent computer. |
| | Triggered Alerts | Number of triggered alerts by type. |
| | File Blocks | Blocked files by date, computer, and product name. |
| | New Unapproved Files | Events reporting new unapproved files appearing on agent computers by date. |
| | New Files in Catalog | Unique new files added to the catalog by date. |
| | Approvals | File approvals by date, computer, and product name. |
| | File Activity | Creation and modification of files on Carbon Black App Control-managed systems by date, computer, and product or file name. |
| | Top Event Subtypes | Event subtypes listed by frequency. |
| Activity Details: File Activity | File Creations | File creations by date, computer, product or file name, and process. |
| | File Modifications | File modifications by date, computer, product or file name, and process. |
| Activity Details: Blocks | Blocks | File blocks by date, computer, and file name. |
| | Block Distributions | File blocks by file trust level, process that attempted to execute the file, and product name. |
| | Block Sources | File blocks by rule that blocked the action, reason (event subtype), and publisher. |
| Activity Details: Approvals | Approvals | File approvals by date, computer, and file name. |
| | Approval Distribution | File approvals by file trust level, process that generated, modified or executed the file, and product name. |
| | Approval Sources | File approvals by rule that approved the file, reason (event subtype), and publisher. |
| Activity Details: New Unapproved Files | New Unapproved Files | New unapproved files appearing on agent computers by date. |
| | New Unapproved Files By Product Name | New unapproved files listed by publisher. |
| | Top New Unapproved File Hashes | New unapproved files listed by hash, ranked from most to least instances. |
| | Top New Unapproved File Names | New unapproved files listed by name, ranked from most to least instances. |
| | Potentially Malicious Files | New unapproved files identified as potentially malicious by Carbon Black File Reputation. |
| | Top Computers | Computers with new unapproved files, ranked from most to least instances. |
| | Known Trust Values | New unapproved files listed by Carbon Black File Reputation trust values (if known). |
| | Top Users | New unapproved files listed by user, ranked from most files to least files. |
| Activity Details: Events | Events | Events by date. |
| | Top Event Subtypes | Events by event subtype, ranked from most to least instances. |
| | Errors | Error messages. |
| | Top Computers | Events by agent computer referenced in the event, ranked from most to least instances. |
| | Top Users | Events by user referenced in the event, ranked from most to least instances. |
| | Top Event Types | Events by event type, ranked from most to least instances. Event types include multiple subtypes. |
| File Investigation | Number of computers on which this file has been created | The prevalence of this file on Carbon Black App Control-managed computers reporting to this server. |
| | File Hashes | For file searches by name, the hashes identified for files with this name. |
| | File Information: First Seen on Network | The first seen name of this file on Carbon Black App Control-managed computers reporting to this server. |
| | Hash Activity | A time-based bar chart describing creations and modifications of and by files with this hash. |
| | Other Hashes with First Seen Name | Other hashes with the same first seen file name on Carbon Black App Control-managed computers reporting to this server. |
| | Files Modified By This File | Files for which this file is the process, presented as a simple table of events in reverse-chronological order. |
| | Top Hashes Modified by This File | Files for which this file is the process, sorted by the number of times a particular file (identified by hash) was modified by the specified file/hash. |
| | Top Event Subtypes Containing This File | Event subtypes containing a reference to this file, ordered from the subtype containing the most instances of this file to the fewest. |
| | Top Rules Containing This File | Rules referencing this file, including those identifying its file/hash as the process, the installer, or the file being acted upon. The rules appear in descending order by how often they reference the specified file. |
| Computer Investigation | Detection Events | Table of events related to Carbon Black App Control advanced threat indicators. |
| | Risky Behavior | Table of events related to issues with tamper protection, or the detection of potentially risky or malicious files on an agent computer. |
| | Risky Behavior Timeline | Amount of risky behavior graphed over time. |
| | Blocks | Chart of blocked file actions on this computer by date. |
| | New Files | Table of new files on the computer(s) specified in the search. |
| | File Activity | Chart of file creations and modifications by date. |
| | Approved Files | Table of files approved and the rule used for the approval. |
| | Events Chart | Chart of the top 10 most frequent event subtypes involving the specified computer(s) over the search time period. |
| | Health Checks | Table of Carbon Black App Control Health Check events and the results of the Health Check. |
| Console User Search | Events | Events that reference this user, charted by date. |
| | User Activity | Events that reference this user, in a table with additional detail, listed in date order. |
| | New or Removed Console Users | Console users that were created or deleted by this user. |
| | Custom Rules Actions | Creation and modification of custom rules by this user. |
| | File Approvals | File approvals by this user. |
| | File Bans | File bans by this user. |
| | Policy Management by Subtype | Policy management actions taken by this user, including policy modification and creation, and writing of agent installer files due to policy actions. |
| | Global Approval by Trust | Global approvals by this user, by trust level. |
| | Globally Approved Hashes | Hashes globally approved by this user. |
| | Local Approval by Trust | Local approvals by this user, by trust level. |
| | Top Locally Approved Hashes | Files (by hash) locally approved by this user, ranked from most to least instances. |
| All Console Users | Events | Events by all console users, charted by date. |
| | Policy Management | Policy management events by date and user. |
| | Computer Management | Computer management events by date and user. |
| | Session and General Management | Session and general management events by date and user. |
| | Top Ten User - Global Approvals | Top ten users creating the most global file approvals. |
| | Top Ten User - Local Approvals | Top ten users creating the most local file approvals. |