The Carbon Black Cloud app includes the following custom commands (default/commands.conf).
cbcdvcinfo
This command enriches events with additional data pulled from the Carbon Black Cloud. It queries the Carbon Black Cloud API once per device_id. The arguments are as follows:
Argument | Description |
---|---|
device_id | The field name that contains the device ID for the command to enrich, as found in the Carbon Black Cloud interface. |
org_key | The field name that contains the org key that is associated with the credential. |
fields | A quoted and comma-separated list of fields to return from the query. Example: fields="last_location,last_name" adds the columns last_location and last_name. |
Best Practice: Limit your Splunk SIEM search to 100 devices to avoid potential API throttling.
Sample Usage: Get real-time device information including sensor version and last contact time for the top 10 most frequent devices in high severity alerts:
index="carbonblackcloud" sourcetype="vmware:cbc:s3:alerts" severity >= 8 | stats dc(id) as alert_count by device_id, org_key | sort -alert_count | head 10 | cbcdvcinfo | table org_key, device_id, name, alert_count, sensor_version, last_contact_time, os_version, sensor_states
cbchashinfo
This command enriches events with additional data pulled from the Carbon Black Cloud. It queries the Carbon Black Cloud API once per hash. The arguments are as follows:
Argument | Description |
---|---|
hash | The field name that contains the SHA-256 hash for the command to enrich, as found in the Carbon Black Cloud interface. |
org_key | The field name that contains the org key that is associated with the credential. |
fields | A quoted and comma-separated list of fields to return from the query. Example: fields="last_location,last_name" adds the columns last_location and last_name. |
Best Practice: Limit your Splunk SIEM search to 100 hashes to avoid potential API throttling.
Sample Usage: Get the device count and first-seen timestamp for the top 10 most frequent hashes found in high severity alerts:
index="carbonblackcloud" sourcetype="vmware:cbc:s3:alerts" severity >= 8 | stats count(id) as alert_count by sha256_process_hash, org_key | sort -alert_count | head 10 | cbchashinfo hash=sha256_process_hash fields="first_seen_device_timestamp,num_devices"
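The following search is an added example, not one of the app's documented sample usages. It applies the 100-device best practice before calling cbcdvcinfo and then uses the enriched last_contact_time to surface devices that raised high severity alerts but have not checked in for more than 24 hours (a stalled or tampered sensor is worth a look). It assumes the default argument names (device_id and org_key) as in the sample above, and that last_contact_time is returned as an ISO 8601 string with millisecond precision and a trailing Z; adjust the strptime format if your data differs.

```spl
index="carbonblackcloud" sourcetype="vmware:cbc:s3:alerts" severity >= 8
| stats count(id) as alert_count, max(_time) as last_alert_time by device_id, org_key
| sort -alert_count
| head 100
| cbcdvcinfo fields="name,sensor_version,last_contact_time,sensor_states"
| eval last_contact_epoch=strptime(last_contact_time, "%Y-%m-%dT%H:%M:%S.%3NZ")
| eval hours_since_contact=round((now() - last_contact_epoch) / 3600, 1)
| where hours_since_contact > 24
| eval last_alert_time=strftime(last_alert_time, "%Y-%m-%d %H:%M:%S")
| table org_key, device_id, name, alert_count, last_alert_time, sensor_version, sensor_states, hours_since_contact
| sort -hours_since_contact
```

The head 100 step keeps the enrichment within the throttling guidance above; widen the time range rather than the device count if you need broader coverage.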