
Cybereason for Splunk - no data coming through, no errors in logs


I've done a clean Splunk Enterprise 7.1 install on CentOS 7 and Splunk itself is working correctly.

Following the instructions for installing Cybereason for Splunk against my existing Cybereason instance, using credentials that I'm working on, there is no data being pulled in, and I can find no errors anywhere. The Health dashboard just has no data. I have installed the Input Add-on as well, as per the instructions.

Any ideas whether there is anything wrong? I can see the server contacting the Cybereason instance every 300 seconds as configured, but I can't tell what it's pulling in (nothing, if I believe what's in the index).

Is there a special CR user I need to be connecting with (API user?) or should any user be fine?

Any help would be great.



@pkellyz, my issue was the account I was using had MFA enabled. Once I used a non-API account with MFA disabled, it worked fine. So @timm747747 was correct for my issue. I haven't done anything with it since though.


Thank you!



@chrispols Did you ever figure out what was going on with your Cybereason app for Splunk? If so, where did you receive assistance? I'm getting a bit of a runaround from Cybereason support and I'm at my wits' end.

Mine was set up and working but stopped working. I assumed the most likely cause was a changed password on the user account used in the modular input. I created a dedicated API user in the Cybereason dashboard to prevent this from happening in the future and updated the creds in the app.

However, I am getting an error in the logs:

message="unknown Exception No JSON object could be decoded:

I assumed this means the data being returned by the API isn't valid. CR support is telling me it's an authentication issue! (????)

Anything you can provide or suggest is appreciated.


Any user should be fine as long as you don't have MFA set up for the user in CR. I have the IA set up on my HF, the App on my SHs and the TA on my indexers. I don't use the "api user".

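The two diagnoses in this thread (the "No JSON object could be decoded" log line above, and the answer that MFA on the polling account breaks the input) are not in conflict: a Cybereason session that never authenticates typically hands the client an HTML login page, and feeding HTML to a JSON decoder produces exactly that Python 2 `json` error (Splunk 7.1 ships Python 2.7). The following is an added example, not code from the Cybereason for Splunk app or from Cybereason, that shows how to tell the cases apart offline before opening a support case. The sample response bodies are constructed, and the login-form field names in them are assumptions, not documented Cybereason markup.

```python
import json

# Constructed sample bodies for illustration; none were captured from a real
# Cybereason server, and the form field names are assumptions.
SAMPLE_JSON = '{"status":"SUCCESS","data":{"resultIdToElementDataMap":{}}}'
SAMPLE_LOGIN_PAGE = ('<!DOCTYPE html><html><head><title>Cybereason</title></head>'
                     '<body><form action="/login.html" method="post">'
                     '<input name="username"><input name="password"></form>'
                     '</body></html>')
SAMPLE_ERROR_PAGE = '<html><body><h1>502 Bad Gateway</h1></body></html>'
SAMPLE_EMPTY = ''

_NOT_JSON = object()  # sentinel, because json.loads("null") legitimately returns None


def _try_json(body):
    """Decode body as JSON; return the sentinel instead of raising."""
    try:
        return json.loads(body)
    except ValueError:  # Py2: "No JSON object could be decoded"; Py3: JSONDecodeError
        return _NOT_JSON


def classify_api_body(status_code, body):
    """Classify what a poller of the Cybereason REST API got back.

    Returns (verdict, explanation). A parseable body means the API answered;
    an HTML login page means the session was never authenticated, which is
    what an MFA-enabled or password-rotated account produces.
    """
    body = body or ''
    if not body.strip():
        return ('empty', 'HTTP %d with an empty body; nothing to decode' % status_code)
    parsed = _try_json(body)
    if parsed is not _NOT_JSON:
        if status_code >= 400:
            return ('json_error', 'HTTP %d with a JSON error body: %r' % (status_code, parsed))
        return ('json', 'HTTP %d with valid JSON; the input should index this' % status_code)
    lowered = body.lower()
    if '<html' in lowered or '<!doctype html' in lowered:
        if 'login' in lowered:
            return ('html_login', 'HTTP %d returned the login page instead of JSON: the '
                    'session is not authenticated (bad password, MFA challenge, or no '
                    'login step at all)' % status_code)
        return ('html_other', 'HTTP %d returned a non-login HTML page (proxy or server '
                'error)' % status_code)
    return ('non_json', 'HTTP %d returned %d bytes that are neither JSON nor HTML'
            % (status_code, len(body)))


# Remediation per verdict, taken from what the thread established.
REMEDIATION = {
    'json': 'Decoding is fine; check the index, sourcetype and search time range instead.',
    'json_error': 'The API rejected the request; read the error body before rotating creds.',
    'empty': 'Check the network path and TLS; an empty 200 usually means a proxy or '
             'redirect dropped the body.',
    'html_login': 'Authentication problem: confirm the account password and disable MFA '
                  'on the polling account (MFA-enabled users never get past login).',
    'html_other': 'Upstream or proxy problem between Splunk and the Cybereason server.',
    'non_json': 'Capture the raw body and compare it with what the API documents.',
}


def diagnose(status_code, body):
    """Return (verdict, explanation, remediation) for one polled response."""
    verdict, explanation = classify_api_body(status_code, body)
    return verdict, explanation, REMEDIATION[verdict]


if __name__ == '__main__':
    samples = [('good', 200, SAMPLE_JSON), ('login', 200, SAMPLE_LOGIN_PAGE),
               ('proxy', 502, SAMPLE_ERROR_PAGE), ('empty', 200, SAMPLE_EMPTY)]
    for name, code, body in samples:
        verdict, explanation, fix = diagnose(code, body)
        print('%-6s %-10s %s\n       -> %s' % (name, verdict, explanation, fix))
```

To use it against a live instance, save the raw body of the request the modular input makes (a proxy or `tcpdump` capture from the heavy forwarder works) and pass it to `diagnose` with the HTTP status; a `html_login` verdict on a 200 response is the signature of the MFA/password problem described in this thread, not of malformed API data.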