Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard Add-On for Splunk: Version 2.0.1
- Endpoint Standard App for Splunk: Version 1.1.4
- Splunk Enterprise: 7.x
Objective
How to set up and configure Splunk Enterprise to receive data from the Carbon Black Cloud Console
Resolution
Warning: This is only relevant to Splunk 7 customers. If you have Splunk 8, please see
https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-What-Splunk-Apps-Add-Ons-are-...
- Create two new API Keys in the CB Defense Console under the Settings > API Keys page
  - One key with the API Access Level and one key with the SIEM Access Level are needed
- Write down the API ID and API Secret Key for both of the new API Keys
- Configure notification(s) to send events to Splunk: How to add new Notifications
  - Only the API ID of the SIEM Access Level API Key needs to be subscribed to the Notifications.
- Log in to the Splunk Enterprise console
- Select '+Find More Apps' from the left-hand menu
- Search for 'CB Defense' and install both the 'CB Defense Add-On for Splunk' and the 'CB Defense App for Splunk'
- On the top menu bar, select the 'Apps' drop-down and navigate to the CB Defense Add-On for Splunk first
- On the Inputs page, click 'Create New Input' and fill in the new modal window with this information:
  - Name: Any name can be used here
  - Interval: 60 (60 is a good default starting point; adjust as needed)
  - Index: 'default' is pre-selected. The right choice depends on the environment and where the data should be stored; the desired Index needs to be created before configuring this Add-On
  - CB Defense API URL: Check here for what URL to use. No https:// is needed, as Splunk automatically prepends it to the URL.
  - SIEM Connector ID: The API ID from the SIEM Access Level API Key created in step 1
  - SIEM API Key: The API Secret Key from the SIEM Access Level API Key created in step 1
- Click 'Add' to finish the Add-On configuration
- On the top menu bar, select the 'Apps' drop-down and navigate to the CB Defense App
- Click 'Continue to app setup page' on the next screen
- Configure the App with this information:
  - API URL: The same URL as used in the Add-On, again with no https://
  - API Key: The API Secret Key from the API Access Level API Key created in step 1
  - ConnectorId: The API ID from the API Access Level API Key created in step 1
- Click 'Perform Setup'
- Verify both the CB Defense App and Add-On are now fully functional in Splunk
Additional Notes
- Logs can be found in $SPLUNK_HOME/var/log/splunk/ta-cb_defense_cbdefense_XXXX.log, ta-cb_defense_cbdefense_XXXX.log.1, ta-cb_defense_cbdefense_XXXX.log.2, etc.
- If you have any issues getting the Splunk integration to work, please contact Support for assistance: How to open a Support Case
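To help with the final verification step (confirming the Add-On is polling without errors), the following is an added example script, not part of this article or the Carbon Black add-on, that scans the rotated log files named above. It assumes a "timestamp LEVEL message" line layout, which the real add-on may not use; the sample lines are constructed.

```python
"""Added example (not from the KB article or the Carbon Black add-on): scan the
CB Defense Add-On logs listed under Additional Notes for error lines."""
import glob
import os
import re
from collections import Counter

# Rotated names from the article: ta-cb_defense_cbdefense_XXXX.log, .log.1, .log.2 ...
# The XXXX part varies per input, so it is matched with a wildcard.
LOG_GLOB = "ta-cb_defense_cbdefense_*.log*"

# Assumption: a log line looks like "<date> <time> <LEVEL> <message>".
# The real add-on's format may differ; adjust this pattern if it does.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\b(?P<msg>.*)$")

def find_logs(splunk_home=None):
    """Return matching log files under $SPLUNK_HOME/var/log/splunk, newest first."""
    home = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")
    paths = glob.glob(os.path.join(home, "var", "log", "splunk", LOG_GLOB))
    return sorted(paths, key=os.path.getmtime, reverse=True)

def summarize(lines):
    """Count log levels, collect ERROR/CRITICAL messages and note the last timestamp."""
    levels = Counter()
    errors = []
    last_ts = None
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparsed line: skip rather than guess
        levels[m["level"]] += 1
        last_ts = m["ts"]
        if m["level"] in ("ERROR", "CRITICAL"):
            errors.append(m["msg"].strip())
    return {"levels": dict(levels), "errors": errors, "last_ts": last_ts}

def check_health(lines):
    """True only when the add-on logged activity and no ERROR/CRITICAL lines appear."""
    s = summarize(lines)
    return s["last_ts"] is not None and not s["errors"]

# Constructed sample lines (not captured from a real deployment) for an offline run.
SAMPLE = [
    "2020-05-01 10:00:00,123 INFO Starting input cbdefense",
    "2020-05-01 10:01:00,456 ERROR 401 Unauthorized: check SIEM Connector ID and API Key",
]

if __name__ == "__main__":
    for path in find_logs():
        with open(path) as fh:
            print(path, summarize(fh))
```

An authentication error such as the constructed one above usually means the SIEM-level key pair was entered into the App fields (or the API-level pair into the Add-On), so re-check which key went where.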