The Splunk SIEM Release Notes describe new and changed actions for the Carbon Black Cloud app for Splunk SIEM.
Important: Before you upgrade from 1.x, see
Before you Upgrade from Splunk SIEM 1.x to 2.x.x.
Version 2.2.1
- Fixed an issue where the IA (Input AddOn) did not provide a required python file and resulted in an error.
- Fixed a limit on the number of API keys that were able to be accessed.
Version 2.2.0
New Features
- Inputs and API Configurations have Test Config buttons to help test permissions and configurations prior to implementation.
Improvements
- Live Query Input can ingest more than 10,000 events per run history found.
Fixes
- Fixed an issue where the IA (Input AddOn) did not provide a required python file and resulted in an error.
- Removed a hard-coded IP address from the Asset Details dashboard.
Version 2.1.0
New Features
- Asset Inventory Input, including USB Devices
- Asset Details Dashboard
Fixes
- Index drop downs will support more than 30 indexes.
Version 2.0.0
Breaking Changes
- Alerts input has been changed to Alert API v7 and Data Forwarder Alert Schema v2.0.0. Some fields in the earlier versions have been renamed or removed from the new versions.
- Live Response requires an API key with an Access Level of type
CUSTOM
. - Audit Log ingest should be updated after this upgrade to use an API key with an Access Level of type
CUSTOM
. It must be updated before October 31st 2024 when the Access Level typeAPI
is deactivated. - Deprecated the Alert Action
Enrich CB Analytics Event
. The actionVMwareCBC Enrich Alert Observations
has been added and can enrich more Alert types.
New Features
- Upgraded to use the Alerts v7 API & Data Forwarder Schema v2
- Customers using the built-in alert input will have access to significantly improved metadata and alert types. A complete list of new, renamed, and removed fields is available in Schema Changes.
- See the following blogs for more information about the benefits of the Alert v7 API and Data Forwarder Alert Schema v2.
- You might see a decrease in alert volume because Observed alerts have migrated to Observations. In the Carbon Black Cloud Splunk app 1.x, these alerts were denoted by
category = MONITORED
. - New action to enrich Carbon Black Cloud Alerts with Observations.
- All Alert types are ingested:
-
CB Analytics Container Runtime Device Control Host Based Firewall Intrusion Detection System Watchlist
Improvements
- Live Response action now uses a Custom API key. This enables improved security posture by granting API keys only the permissions required.
- Audit Log ingest now uses a Custom API key. This enables improved security posture by granting API keys only the permissions required.
Version 1.1.10
New Features
- New Modular Input for Authentication Events.
- New Alert Action to enrich Alerts with related Observations. See How to Take Advantage of the New Observations API.
Improvements
On the Configuration page, the Disabled label is changed to Active.
Fixes
- Fixed logic regression with Live Query Inputs.
- In multiple modular inputs, decimal notation IP address are converted to string notation.
- Improved mapping between Data Forwarder input and Dashboards.
Version 1.1.9
Fixes
- Updated Alert Actions for better consistency.
- Reviewed and updated for CIM 5.1.
Version 1.1.8
Fixes
Fixed Carbon Black Cloud configuration of Alert Actions not being displayed in Splunk Cloud.
Version 1.1.7
Fixes
- Updated vulnerability input to better perform paginating of large data sets. 10K is now the default limit per request.
- Update Alert Actions for better Enterprise Security integration.
- Fixed bug in main index configuration interface.
Version 1.1.6
Fixes
Updated Alert Action to allow Splunk index naming conventions.
Version 1.1.5
Fixes
- Updated client handler to process more than 2500 remediation results without a failure in code.
- Updated client handler to capture 410 errors on live query result histories, and save the checkpoint.
- Backoff timing when making API calls for the ProcessGUID action for calls that take a longer period to complete.
Version 1.1.4
Improvements
- Improved reliability of saving new and updated app configurations.
- Added source type for Watchlist Hits via the Data Forwarder: vmware:cbc:s3:watchlist:hits.
Version 1.1.3
Fixes
- Set trigger to reload custom config files.
- Removed unused settings.
- Removed links to a deprecated library.
Version 1.1.2
Improvements
Set SimpleXML Version Tag.
Fixes
- Check Splunk 8.1 and 8.2 compatability with jQuery 3.5.
- Add validation checks for trailing slash on Carbon Black Cloud URL.
- Prevent App showing Carbon Black Cloud and EDR alert Actions.
- Fix broken tabs in Splunk 8.2.
Version 1.1.1
Known Issues
Splunk App Alert Input returns 500 error (link requires sign in).
Improvements
- Updated Carbon Black Cloud SDK to v1.2.3 - Release Notes.
- Added a warning when more than one Carbon Black Cloud app is installed on a node. If you see this message, delete extra copies of Carbon Black Cloud apps/add-ons. See Splunk SIEM Troubleshooting.
- Added an app configuration demo video ((link requires sign in).
- Added a Splunk FAQ. See Splunk SIEM FAQs.
Fixes
- Fixed Proxy issue.
- Fixed error with Checkboxes on Proxy Configuration tab.
- Updated logging modules to respect log.cfg settings.
Version 1.1.0
New Features
- Data Input - Audit Logs
- Data Input - Live Query Results
- Data Input - Vulnerability Assessment
- Dashboard - Devices
- Dashboard - Processes
- Dashboard - Vulnerabilities
- Alert Action - Run Live Query
- Alert Action - Dismiss Alert
- Alert Action - Update Device Policy
- Alert Action - Process GUID Details
- Alert Action - Ban Hash
- Alert Action - Enrich CB Analytic Events
- Command - CBC Device Info
- Command - CBC Hash Info
- Events Dashboard performance improvements.
- Updated Top 10 CB Analytics panel.
- Stability improvements in Alerts Inputs.
Version 1.0.0
Initial release