Hi @SatyaMGS
If you need some high level walkthroughs on how to use Splunk, including how to search, install apps etc then I would recommend checking out some of the videos at https://www.youtube.com/SplunkHowTo
In terms of setting up Carbon Black, here is what I found from other docs online that might help.
Step 1: Set Up the Carbon Black App for Splunk
- In your Splunk web interface, go to "Apps" → "Find More Apps"
- Search for "Carbon Black" or "VMware Carbon Black"
- Install the appropriate app for your Carbon Black version
- Restart Splunk after installation
Step 2: Configure Carbon Black API Credentials
- Log into your Carbon Black EDR console
- Navigate to the "Settings" → "API Access"
- Create a new API key with read permissions
- Note down the API key and API URL - you'll need these for Splunk
Step 3: Configure the Carbon Black App in Splunk
- In Splunk, navigate to the installed Carbon Black app
- Go to "Configuration" or "Setup" within the app
- Enter the following details:
- Carbon Black Server URL (e.g., https://your-cb-server.domain)
- API Token/Key you created earlier
- Select which data types you want to collect (events, alerts, etc.)
- Set collection intervals
Step 4: Set Up a Data Input for Carbon Black in Splunk
- Navigate to "Settings" → "Data inputs" in Splunk
- Select "Carbon Black" or the corresponding input type
- Configure a new input with:
- Name: Something descriptive like "CarbonBlack-EDR-Logs"
- Server URL: Your Carbon Black server address
- API credentials
- Log types to collect
- Collection interval (e.g., every 5 minutes)
Step 5: Verify Data Collection
- After configuration, wait for the collection interval to pass
- In Splunk, run a search like: sourcetype="carbonblack:*" or index=carbonblack
- If properly configured, you should see Carbon Black EDR logs appearing
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
