The Splunk App for Carbon Black App Control includes the following dashboards.

  • Deployment Activity – Overview of information available from a Carbon Black App Control installation.
  • Activity Details: File Activity – Information about file creation and modification activity on Carbon Black App Control-managed computers.
  • Activity Details: Blocks – Information about files blocked on Carbon Black App Control-managed computers.
  • Activity Details: Approvals – Information about files approved on Carbon Black App Control-managed computers.
  • Activity Details: New Unapproved Files – Information about new files that are discovered on Carbon Black App Control-managed computers and neither approved nor banned.
  • Activity Details: Events – Information about events recorded on the Carbon Black App Control Server.
  • File Investigation – Information suitable for a malware investigation focused on a specific file or files. If you link from the Carbon Black App Control Console, this dashboard provides information about the file from the details page from which you linked.
  • Computer Investigation – Information suitable for a malware investigation focused on a specific computer or computers. If you link from the Carbon Black App Control Console, this dashboard provides information about the computer from whose details page you linked.
  • Console Users – Information suitable for discovering anomalous or risky actions performed by a specific Carbon Black App Control Console user or users. If you link from the Carbon Black App Control Console, this dashboard provides information about the user from whose details page you linked.
  • All Console Users – Information about all App Control Console users.

Each of these dashboards contains panels that display information imported into Splunk from a Carbon Black App Control Server. Some also include a summary panel at the top. If you have used the Dashboard in the Carbon Black App Control Console, some of these panels will be familiar; here, however, they can take advantage of the analysis and multi-source integration capabilities of Splunk. The Panels in Splunk App for Carbon Black App Control Dashboards table (Table 1) shows the panels available on the Splunk App for Carbon Black App Control dashboards and identifies the dashboards on which they appear.

Panels in these dashboards may include tables of data or charts that graphically display the data, such as the display of Triggered Alerts in the following example. Some panels include both.

The triggered alerts pie chart in a dashboard

When you hover the mouse over a section of the chart, such as a pie chart slice or a bar in a bar chart, a legend appears describing the data represented by that section.

The hover text over the justification alert pie chart slice

If you click on one of these sections, the underlying data is displayed.

The underlying data of a pie chart slice showing the events, statistics, and visualization tabs

These panels provide other standard Splunk features, such as the ability to change the time period for which data is displayed.

Table 1. Panels in Splunk App for Carbon Black App Control Dashboards

| Dashboard | Panel | Description |
|---|---|---|
| Deployment Activity | Host Activity | File and event activity by agent computer. |
| Deployment Activity | Triggered Alerts | Number of triggered alerts by type. |
| Deployment Activity | File Blocks | Blocked files by date, computer, and product name. |
| Deployment Activity | New Unapproved Files | Events reporting new unapproved files appearing on agent computers by date. |
| Deployment Activity | New Files in Catalog | Unique new files added to the catalog by date. |
| Deployment Activity | Approvals | File approvals by date, computer, and product name. |
| Deployment Activity | File Activity | Creation and modification of files on Carbon Black App Control-managed systems by date, computer, and product or file name. |
| Deployment Activity | Top Event Subtypes | Event subtypes listed by frequency. |
| Activity Details: File Activity | File Creations | File creations by date, computer, product or file name, and process. |
| Activity Details: File Activity | File Modifications | File modifications by date, computer, product or file name, and process. |
| Activity Details: Blocks | Blocks | File blocks by date, computer, and file name. |
| Activity Details: Blocks | Block Distributions | File blocks by file trust level, process that attempted to execute the file, and product name. |
| Activity Details: Blocks | Block Sources | File blocks by rule that blocked the action, reason (event subtype), and publisher. |
| Activity Details: Approvals | Approvals | File approvals by date, computer, and file name. |
| Activity Details: Approvals | Approval Distribution | File approvals by file trust level, process that generated, modified, or executed the file, and product name. |
| Activity Details: Approvals | Approval Sources | File approvals by rule that approved the file, reason (event subtype), and publisher. |
| Activity Details: New Unapproved Files | New Unapproved Files | New unapproved files appearing on agent computers by date. |
| Activity Details: New Unapproved Files | New Unapproved Files By Product Name | New unapproved files listed by publisher. |
| Activity Details: New Unapproved Files | Top New Unapproved File Hashes | New unapproved files listed by hash, ranked from most to least instances. |
| Activity Details: New Unapproved Files | Top New Unapproved File Names | New unapproved files listed by name, ranked from most to least instances. |
| Activity Details: New Unapproved Files | Potentially Malicious Files | New unapproved files identified as potentially malicious by Carbon Black File Reputation. |
| Activity Details: New Unapproved Files | Top Computers | Computers with new unapproved files, ranked from most to least instances. |
| Activity Details: New Unapproved Files | Known Trust Values | New unapproved files listed by Carbon Black File Reputation trust values (if known). |
| Activity Details: New Unapproved Files | Top Users | New unapproved files listed by user, ranked from most to least files. |
| Activity Details: Events | Events | Events by date. |
| Activity Details: Events | Top Event Subtypes | Events by event subtype, ranked from most to least instances. |
| Activity Details: Events | Errors | Error messages. |
| Activity Details: Events | Top Computers | Events by agent computer referenced in the event, ranked from most to least instances. |
| Activity Details: Events | Top Users | Events by user referenced in the event, ranked from most to least instances. |
| Activity Details: Events | Top Event Types | Events by event type, ranked from most to least instances. Event types include multiple subtypes. |
| File Investigation | Number of computers on which this file has been created | The prevalence of this file on Carbon Black App Control-managed computers reporting to this server. |
| File Investigation | File Hashes | For file searches by name, the hashes identified for files with this name. |
| File Investigation | File Information: First Seen on Network | The first seen name of this file on Carbon Black App Control-managed computers reporting to this server. |
| File Investigation | Hash Activity | A time-based bar chart describing creations and modifications of and by files with this hash. |
| File Investigation | Other Hashes with First Seen Name | Other hashes with the same first seen file name on Carbon Black App Control-managed computers reporting to this server. |
| File Investigation | Files Modified By This File | Files for which this file is the process, presented as a simple table of events in reverse-chronological order. |
| File Investigation | Top Hashes Modified by This File | Files for which this file is the process, sorted by the number of times a particular file (identified by hash) was modified by the specified file/hash. |
| File Investigation | Top Event Subtypes Containing This File | Event subtypes containing a reference to this file, ordered from most to least instances of this file. |
| File Investigation | Top Rules Containing This File | Rules referencing this file, including those identifying its file/hash as the process, the installer, or the file being acted upon. The rules appear in descending order by how often they reference the specified file. |
| Computer Investigation | Detection Events | Table of events related to Carbon Black App Control advanced threat indicators. |
| Computer Investigation | Risky Behavior | Table of events related to issues with tamper protection, or the detection of potentially risky or malicious files on an agent computer. |
| Computer Investigation | Risky Behavior Timeline | Amount of risky behavior graphed over time. |
| Computer Investigation | Blocks | Chart of blocked file actions on this computer by date. |
| Computer Investigation | New Files | Table of new files on the computer(s) specified in the search. |
| Computer Investigation | File Activity | Chart of file creations and modifications by date. |
| Computer Investigation | Approved Files | Table of files approved and the rule used for the approval. |
| Computer Investigation | Events Chart | Chart of the top 10 most frequent event subtypes involving the specified computer(s) over the search time period. |
| Computer Investigation | Health Checks | Table of Carbon Black App Control Health Check events and the results of the Health Check. |
| Console User Search | Events | Events that reference this user, charted by date. |
| Console User Search | User Activity | Events that reference this user, in a table with additional detail, listed in date order. |
| Console User Search | New or Removed Console Users | Console users that were created or deleted by this user. |
| Console User Search | Custom Rules Actions | Creation and modification of custom rules by this user. |
| Console User Search | File Approvals | File approvals by this user. |
| Console User Search | File Bans | File bans by this user. |
| Console User Search | Policy Management by Subtype | Policy management actions taken by this user, including policy modification and creation, and writing of agent installer files due to policy actions. |
| Console User Search | Global Approval by Trust | Global approvals by this user, by trust. |
| Console User Search | Globally Approved Hashes | Hashes globally approved by this user. |
| Console User Search | Local Approval by Trust | Local approvals by this user, by trust. |
| Console User Search | Top Locally Approved Hashes | Files (by hash) locally approved by this user, ranked from most to least instances. |
| All Console Users | Events | Events by all console users, charted by date. |
| All Console Users | Policy Management | Policy management events by date and user. |
| All Console Users | Computer Management | Computer management events by date and user. |
| All Console Users | Session and General Management | Session and general management events by date and user. |
| All Console Users | Top Ten User - Global Approvals | Top ten users creating the most global file approvals. |
| All Console Users | Top Ten User - Local Approvals | Top ten users creating the most local file approvals. |