Sumo Logic

Install the Carbon Black App and view the Dashboards

This page provides instructions for installing the Carbon Black App, and has examples of each of the App dashboards.

The Carbon Black App dashboards are organized in the following categories, according to their function:

  • Carbon Black Response is an incident response and threat hunting solution that continuously records and stores unfiltered endpoint data, allowing security professionals to track potential threats in real time.
  • Carbon Black Defense is a next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution.

Install the App

This section demonstrates how to install the Carbon Black Response and Carbon Black Defense App.

To install the app, do the following:

Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

  1. From the App Catalog, search for and select the app. 
  2. To install the app, click Add to Library and complete the following fields.
    1. App Name. You can retain the existing name, or enter a name of your choice for the app.

    2. Data Source. Select either of these options for the data source.

      • Choose Source Category, and select a source category from the list.

      • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).

    3. Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
    4. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization. See Welcome to the New Library for information on working with the library in the new UI.

Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps. 

Dashboard filters  

Each dashboard has a set of filters that you can apply to the entire dashboard, as shown in the following example. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.

CB_Dashboard-filter.png

Each panel has a set of filters that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.

CB_Panel-filter.png

Carbon Black Response - Overview Dashboard

The Carbon Black Response - Overview dashboard provides a high-level view of the state of your network infrastructure and systems. The panels highlight detected threats, hosts, top feeds and IOCs, top processes, top watchlists, and alert trends.

Use this dashboard to:

  • Monitor potential threats.
  • Determine the top processes and threat indicators.
  • Track alerts.
  • Monitor hosts, users, watchlists and feeds.

CB_Response-Overview.png 

Carbon Black Response - Alerts Dashboard

The Carbon Black Response - Alerts dashboard provides detailed information on the alerts in your environment, including alerts by mode, OS, report, and groups. The panels also show alert trends, recent alerts, and top users.

Use this dashboard to:

  • Monitor alert activity and identify spikes.
  • Monitor alerts triggered after a critical issue.
  • Track users who trigger a high number of alerts.

CB_Response-Alerts.png 

Carbon Black Response - Feeds Dashboard

The Carbon Black Response - Feeds dashboard provides detailed information on total feeds, feed trends, top and recent feeds, feed comparisons, and processes related to feeds.

Use this dashboard to:

  • Monitor feed activity and identify spikes.
  • Correlate processes and feeds.
  • Compare feeds over time.

CB_Response-Feeds.png 

Carbon Black Response - Indicators of Compromise Dashboard

The Carbon Black Response - Indicators of Compromise dashboard shows details on indicators of a compromised environment, as well as status for IOCs. The panels also provide an at-a-glance view of top malicious IPv4 addresses, top IOC DNSs, queries, and query-based feeds.

Use this dashboard to:

  • Determine the locations of attacks.
  • Track suspicious DNSs.
  • Determine which queries receive the most hits.

CB_Response-Indicators-of-Compromise.png 

Carbon Black Response - Network Dashboard

The Carbon Black Response - Network dashboard provides networking details for top protocols, local and remote ports, and unique IP addresses.

Use this dashboard to:

  • Determine the geographic location of network connections.
  • Monitor ports.
  • Review a list of CB servers.

CB_Response-Network.png 

Carbon Black Response - Processes Dashboard

The Carbon Black Response - Processes dashboard provides details on the processes that generate events.

Use this dashboard to:

  • Review processes used to modify registries and files.
  • Monitor command line processes, and top paths for processes that generate alerts.

CB_Response-Processes.png

Carbon Black Response - Sensors Dashboard

The Carbon Black Response - Sensors dashboard provides details of the sensors in your environment, such as sensor activity, trends and activity over time, and operating system.

Use this dashboard to:

  • Identify sensors that are not reporting over a specified time period.
  • Monitor sensor activity and rate spikes.

CB_Response-Sensors.png

Carbon Black Response - Threat Intelligence Dashboard

The Carbon Black Response - Threat Intelligence dashboard allows you to monitor threats on your network, categorized by feed, score, and severity. You can view recent threats, trends over time, and hosts affected by threats.

Use this dashboard to:

  • Review threats over specified time periods.
  • Filter threats by severity to focus on high priority threats.
  • Identify hosts with the greatest number of threats.

CB_Response-Threat-Intelligence.png

Carbon Black Response - User and Host Alerts Dashboard

The Carbon Black Response - User and Host Alerts dashboard provides an at-a-glance view of user and host activity.

Use this dashboard to:

  • Monitor alert trends.
  • Identify users responsible for the most alerts.
  • Monitor user activity.
  • Review outbound and inbound alert activity.

CB_Response-User-and-Host-Alerts.png

Carbon Black Response - Watchlists Dashboard

The Carbon Black Response - Watchlists dashboard provides details on watchlists, including the number of watchlists, top watchlists, trends, and comparisons over time.

Use this dashboard to:

  • Identify the watchlists with the most hits in each category.
  • Monitor hits for individual watchlists and determine activity spikes.

CB_Response-Watchlists.png 

Carbon Black Defense - Overview Dashboard

The Carbon Black Defense - Overview dashboard provides a high-level view of the state of your network security, showing the number of detected threats, alerts, indicators of compromise, devices, users, and groups. The panels also highlight alert trends, top users, indicators, devices, applications, and reasons.

Use this dashboard to:

  • Quickly review your infrastructure security status.
  • Understand what areas of the infrastructure are experiencing issues.
  • Determine how the infrastructure is being utilized by taking a look at top users, applications and devices.

CB_Defense-Overview.png 

Carbon Black Defense - Indicators of Compromise Dashboard

The Carbon Black Defense - Indicators of Compromise dashboard provides an at-a-glance view of indicators of threats to a secure network by severity, application, and number of unique instances. A breakdown on each known indicator is also shown.

Use this dashboard to:

  • Review which indicators are affecting your system.  
  • Understand how severity and the applications relate to the indicators.

CB_Defense-Indicators-of-Compromise.png 

Carbon Black Defense - Threat Intelligence Dashboard

The Carbon Black Defense - Threat Intelligence dashboard provides details on the threats on your network, including the number of threats, their severity, and threat outliers. The panels also show details on the top devices affected by threats, recent threats, and a rating score of threats.

Use this dashboard to:

  • Review the threats identified in your infrastructure.
  • Investigate the threats by understanding the severity and scores of the threats.

CB_Defense-Threat-Intelligence.png

Carbon Black Defense - Alerts Dashboard

The Carbon Black Defense - Alerts dashboard provides detailed information on security-related alerts in your environment, including number of alerts, severity, and trends over time. The panels also show information on alert policies, device operating systems (OS), and most recent alerts.

Use this dashboard to:

  • View an overall picture of all the alerts being generated.
  • Understand the classification of alerts based on different criteria, such as Severity, Policy, and Score.
  • Monitor spikes in alerts over time.

CB_Defense-Alerts.png 

Carbon Black Defense - Device Dashboard

The Carbon Black Defense - Device dashboard provides a high-level view of the devices on your network, including the number of devices, geographic locations, and operating systems. The panels also show information on device groups, incidents, alert severity, and target priority.

Use this dashboard to:

  • Monitor device classification by OS, Group and Target Priority.
  • Track the devices generating the highest number of incidents.
  • Determine the most common location of the devices generating alerts to isolate threats.

CB_Defense-Device.png