All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure carbon black defense app?

davidszeto29
New Member
‎01-26-2018 01:39 PM

Went through this guide (https://splunkbase.splunk.com/app/3545/) , but we are still not getting any data from Carbon Black Defense (cloud). Any recommendations?

0 Karma
Reply

jfbrouillette
New Member
‎03-01-2018 08:35 AM

Maybe I'm late but in case someone else need the information:

You need to make sure that you have the right CB api url. (e.g. api-prod05.conferdeploy.net). This documentation can help too to get the right url: https://community.carbonblack.com/docs/DOC-6057
Contact your sales rep from CB to get it if you are still unsure.

Also, you need to get an API key. When creating a SIEM connector in your CB settings, you will get a connector id and the api key. In the Splunk api setting you need to put: [API KEY]/CONNECTOR ID

Now, you need to create a notification alert in CB and make sure to select the newly created connector in the "search for connector" field.

Once it's done, be sure to create a new input in splunk cb defense app settings so it will auto poll CB and get you some data.

Feel free if you need more specific details or have more question related to this configuration.

0 Karma
Reply

Euphrates
Engager
‎04-18-2018 09:17 AM

Hey thanks for your instructions they really helped, couldn't find much information on how to set this up.

Do you know what the best way to see if CB data is coming into splunk? I did all of the above successfully but I dont see any data from the App/add-on.

0 Karma
Reply

jfbrouillette
New Member
‎04-18-2018 10:54 AM

You won't see any data until the next "notification" is triggered. You can't fetch old events. Generate a notification on a device that have CB Defense by calling the eicar virus test file and you should receive an alert soon enough.

0 Karma
Reply

Euphrates
Engager
‎04-18-2018 12:08 PM

Ah, I see. Thanks again for the quick response. Must be another issue as I get no results when searching 'cbdefense'.

I don't need to use the Carbon Black Event Forwarder utility to generate JSON files from Cb do I? Or is that just for the older add-on when Carbon black was still Bit9?

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top