June 05, 2023

Carbon Black Cloud Integration with Splunk SOAR

Carbon Black Cloud provides the means to secure endpoints, workloads, and containers, and also the means to rapidly detect and respond to attacks across these same compute platforms.

Carbon Black Cloud is often deployed in organisations which have a mature enough security operations stance that a SIEM/SOAR platform is also deployed. SIEM/SOAR is a foundational tool in the Security Operations Center, which together with EDR, XDR, and other detective security controls provides the means to rapidly detect and respond to threats.

Our strategy at Carbon Black is founded on recognizing and supporting the need for out of the box integration with third party security solutions. This strategy, which we term an “Open Ecosystem” approach, recognizes the not insignificant investments of time, effort, and financial commitment that customers have already sunk into the other security controls they trust to protect their environments and underpin their Security Operations Centers (SOC).

The Splunk SIEM, and the associated Splunk Phantom SOAR enjoy significant market share and are commonly used across Carbon Black’s own customer base. Customers use the Phantom SOAR platform as a centralized means to drive automation of common and repetitive tasks, as well as to orchestrate the operation of such tasks across multiple, different security controls.

It is common that these SOAR tasks (playbooks) take advantage of the rich telemetry and system security state information available from the Carbon Black Cloud pull information from the Carbon Black Cloud in order to improve the fidelity and speed of detections (of suspicious activity). Our joint customers also utilise the rich, bidirectional APIs available in Carbon Black such that SOAR playbooks can call upon our platform to automatically respond to attacks.      

Therefore we are proud to have announced the first release of a unified integration connecting the VMware Carbon Black Cloud platform with Splunk SOAR.

Through this application, customers can integrate Carbon Black Cloud actions and data into Splunk SOAR workflows using a single application. Additionally, customers can integrate their endpoint protection platform functionality either directly from the Carbon Black Cloud, or from Splunk SIEM (using the Splunk App for Splunk SOAR), and eliminate the need for outdated or custom-built integrations.

Customers taking advantage of the integration between Carbon Black Cloud and Splunk that are we delivering through the Splunk App for Splunk SOAR will see the following benefits:

  • The ability to orchestrate and automate Carbon Black Cloud actions;
  • Using Splunk SOAR playbooks, operationalize your Carbon Black Cloud data with speed and confidence;
  • Further reduce pivoting between consoles by integrating endpoint context and response actions directly into the Splunk SOAR console.

The Carbon Black Cloud integration with Splunk includes the following features:

  • Ingest CBC Alerts either directly via the REST API or via Splunk Enterprise via the Splunk app for Splunk SOAR;
  • Over 30 SOAR actions that can be used in custom playbooks tailored to the customer’s environment or use case, including Live Response actions that are executed on the endpoints;
  • Example playbooks that can be readily deployed.



For more information regarding the Carbon Black Cloud integration with Splunk SOAR please visit:

Filter Tags