The Carbon Black Cloud App for Splunk SIEM contains the following dashboards.

Carbon Black Cloud Alerts Overview

The Carbon Black Cloud Alerts Overview dashboard provides an overview of all alerts from the Carbon Black Cloud.

This dashboard requires an Alerts data source from either the Data Forwarder or built-in Alerts Input.

Carbon Black Cloud Endpoint Event Overview

The Carbon Black Cloud Endpoint Event Overview dashboard provides an overview of all endpoint events from the Carbon Black Cloud appliance.

This dashboard requires an Endpoint Events data source from the Data Forwarder.

Carbon Black Cloud Alert Details

The Carbon Black Cloud Alert Details dashboard contains detailed information about the alerts received from Carbon Black Cloud.

In the table on the dashboard, click an Alert ID to get more details. An Alert Action then gets the Observation from Carbon Black Cloud.

After an alert is selected:

  • The Link to Alert action opens the alert in the Carbon Black Cloud console for deeper investigation.
  • The Observations tab loads Carbon Black Cloud Observations that are related to the alert. Only certain alert types, such as CB Analytics, Host-based Firewall, and Intrusion Detection System have Observations.
    • Customize which fields appear in the table in the Observation fields in the upper-right corner of the page.
    • For a list of available fields, see Search Fields - Investigate. Filter the Type column to Observation Details.
    • Configure the Carbon Black Cloud Query custom command with the permissions specified in Commands.
    • Save the results to your primary index.
  • The Alert History tab loads a timeline view of the alert, including when it was created, determination changes, workflow updates, notes, and Carbon Black Managed Detection and Response comments.
    • Customize which fields appear in the table in the Alert History fields in the upper-right corner of the page.
    • Configure the Carbon Black Cloud Query custom command with the permissions specified in Commands.
    • Save the results to your primary index.

Carbon Black Cloud Devices Overview

The Carbon Black Cloud Devices Overview dashboard provides an overview of the processes based on the endpoint event data sent to the Carbon Black Cloud for your organization.

This dashboard requires an Endpoint Events data source from the Data Forwarder.

Carbon Black Cloud Processes Overview

The Carbon Black Cloud Processes Overview dashboard provides an overview of the active devices that are reporting event data to the Carbon Black Cloud.

This dashboard requires an Endpoint Events data source from the Data Forwarder.

Carbon Black Cloud Vulnerabilities Overview

The Carbon Black Cloud Vulnerabilities Overview dashboard provides an overview of vulnerability information from the Carbon Black Cloud.

This dashboard requires the built-in Vulnerabilities Input.

Application Health Overview

Use the Application Health Overview tab under the Administration menu to get health and status information about any alerts, events, or API errors in the Carbon Black Cloud. View total_failures, messages, and severity level for each instance.