Carbon Black Endpoint Detection and Response Add-on for Splunk

Splunk Community

***** Important Note *****

Carbon Black is currently in the process of developing their own set of TAs that support Carbon Black Cloud EDR and on-prem Enterprise EDR. Please be aware that this TA will be deprecated in favor of the vendor's officially supported TA.

*******************************

The purpose of this add-on is to add value to the data in your Carbon Black EDR S3 buckets. It does this by making the logs CIM compliant, adding tagging for Enterprise Security data models, and providing other knowledge objects that make searching and visualizing this data easy.

This add-on requires the AWS TA (https://splunkbase.splunk.com/app/1876/) to pull the data from the S3 bucket. The add-on you are downloading here contains knowledge objects only; it does not ingest data itself.

* Supported Data Types:
  * endpoint.event.procstart (cb:edr:endpoint)
    * Process launch event.
  * endpoint.event.procend (cb:edr:endpoint)
    * Process terminate event.
  * endpoint.event.apicall (cb:edr:endpoint)
    * Similar to the crossproc events generated by Behavioral EDR.
  * endpoint.event.netconn (cb:edr:endpoint)
    * Network connection event.
  * endpoint.event.filemod (cb:edr:endpoint)
    * File modification event.
  * endpoint.event.regmod (cb:edr:endpoint)
    * Registry modification event.
  * endpoint.event.moduleload (cb:edr:endpoint)
    * A "module load" event is generated every time a process loads a shared library (DLL on Windows, .so on Linux, .dylib on macOS) into its process memory space.
  * endpoint.event.crossproc (cb:edr:endpoint)
    * Any time a process interacts with another process on the system, that is considered a "cross-process" event.
  * CbAnalytics (cb:edr:analytics)
    * CB Analytic alerts are created by the Endpoint Standard NGAV offering.
  * Watchlist (cb:edr:watchlist)
    * Watchlist alerts are created from alert-enabled watchlists in Enterprise EDR.
* Built for Splunk Enterprise 6.x.x or higher
* CIM compliant (CIM 4.0.0 or higher)
* Ready for Enterprise Security