- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to configure carbon black defense app?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to configure carbon black defense app?
Went through this guide (https://splunkbase.splunk.com/app/3545/) , but we are still not getting any data from Carbon Black Defense (cloud). Any recommendations?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I'm late but in case someone else need the information:
You need to make sure that you have the right CB api url. (e.g. api-prod05.conferdeploy.net). This documentation can help too to get the right url: https://community.carbonblack.com/docs/DOC-6057
Contact your sales rep from CB to get it if you are still unsure.
Also, you need to get an API key. When creating a SIEM connector in your CB settings, you will get a connector id and the api key. In the Splunk api setting you need to put: [API KEY]/CONNECTOR ID
Now, you need to create a notification alert in CB and make sure to select the newly created connector in the "search for connector" field.
Once it's done, be sure to create a new input in splunk cb defense app settings so it will auto poll CB and get you some data.
Feel free if you need more specific details or have more question related to this configuration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey thanks for your instructions they really helped, couldn't find much information on how to set this up.
Do you know what the best way to see if CB data is coming into splunk? I did all of the above successfully but I dont see any data from the App/add-on.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You won't see any data until the next "notification" is triggered. You can't fetch old events. Generate a notification on a device that have CB Defense by calling the eicar virus test file and you should receive an alert soon enough.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah, I see. Thanks again for the quick response. Must be another issue as I get no results when searching 'cbdefense'.
I don't need to use the Carbon Black Event Forwarder utility to generate JSON files from Cb do I? Or is that just for the older add-on when Carbon black was still Bit9?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
