All Apps and Add-ons

anyone got the CB ThreatHunter app working?

ng87
Path Finder

Trying to get the CB ThreatHunter app working on my dev instance of Splunk ( 7.3.2 ) with no luck . Sadly the documentation isn't that great and to a certain extent confusing.
For a start anyone know if you need to install all 3 apps ( Technology addon , input addon and the app ) , it seems to me that 2 of these 3 apps have the same config page?
Also once installed and on the config page and trying to create a new config what do the Token and Connector ID relate to ? Is it API key and ID ? If thats the case surely somewhere you have to specify an org ID as the whole Carbon Black PSC service in the cloud .
And i guess a last question , what kind of data is this app suppose to pull down , kind find any mention on what data it gathers and if you can modify it ?

0 Karma
1 Solution

aplura_llc_supp
Path Finder
  1. Only install the TA on indexers, the IA on a HF for data collection, and the App on the Search tier.
  2. The token and connector ID are found in your administrative settings within the Carbon Black Cloud. Also known as Notification API Key and Connector ID
  3. The data is pulled is from the PSC Notifications API. For each notification you configure in CB PSC, you will receive those notifications within Splunk. How would you like to modify the data? in what way?

View solution in original post

aplura_llc_supp
Path Finder
  1. Only install the TA on indexers, the IA on a HF for data collection, and the App on the Search tier.
  2. The token and connector ID are found in your administrative settings within the Carbon Black Cloud. Also known as Notification API Key and Connector ID
  3. The data is pulled is from the PSC Notifications API. For each notification you configure in CB PSC, you will receive those notifications within Splunk. How would you like to modify the data? in what way?

View solution in original post

ng87
Path Finder

Hi there, that makes quite a bit more sense especially the part for the Notification API/Connector ID( think i was trying to use a different type of API ) . I will give the above a go on Monday and then update here

0 Karma

ng87
Path Finder

Ok so deleted the app and installed it again to start fresh ( running a single all in one instance of splunk). So does this config sound right ? ( for Carbon Black PSC )
Hostname : xxxxxx.conferdeploy.net
Token : API Secret Key ( Does it need specific access like API or SIEM ? )
Connector ID : API ID

Does the above seem about right?
Then i'm guessing a Notification has to be set up so specific data can be pulled by the app ?

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

That does seem correct, and yes, you setup a CB PSC notification, and those notifications will be sent to the API and then pulled from Splunk.

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!