When investigating an alert, it can be helpful to pivot back to the Carbon Black Cloud console to view purpose-built NGAV and EDR content, such as the process tree. There are a variety of pages to visit, and those can vary team to team. These URLs can be formed based on the content of an Alert.
Required Product: Any
Required Data: Alerts (App Input or Data Forwarder)
Each URL requires your Carbon Black Cloud console domain (e.g. https://defense-prod05.conferdeploy.net). If you’re using the App Input for alerts, the query will get it from the Splunk host field. If you’re using the Data Forwarder input for alerts, the query will get the console URL from the available alert_url field.
eventtype="vmware_cbc_alerts" | rex field=alert_url "^(?<cbc_console>https:\/\/[^\/]+)\/.*" | eval cbc_console = case(isnotnull(cbc_console), cbc_console, like(host, "%confer%.net%"), "https://" + host, 1=1, "https://replaceme") | eval alert_page_url = cbc_console + "/alerts?selected[id]=" + id + "&s[highlight]=true&s[c][query_string]=alert_id%3A" + id + "&orgKey=" + org_key | eval alert_triage_url = if(type = "CB_ANALYTICS", cbc_console + "/triage?incidentId=" + id + "&orgKey=" + org_key, "N/A") | eval process_tree_url = if(type = "WATCHLIST", cbc_console + "/analyze?processGUID=" + process_guid + "&alertId=" + id + "&deviceId=" + device_id + "&orgKey=" + org_key, "N/A") | eval investigate_process_url = cbc_console + "/investigate/processes?query=alert_id%3A" + id + "&orgKey=" + org_key | eval investigate_events_url = cbc_console + "/investigate/events?query=alert_id%3A" + id + "&orgKey=" + org_key | eval endpoint_url = cbc_console + "/inventory/endpoints?s[query]=deviceId%3A" + device_id + "&orgKey=" + org_key | table *_url
