Environment
- CB ThreatHunter Web Console: All Versions
- CB ThreatHunter for Splunk: Version 1.0.0
Objective
How to set up and configure Splunk Enterprise to receive data from the CB ThreatHunter Console
Resolution
- Create a new API Access in the CB ThreatHunter Console under the Settings>API Access Page
- The Access Level Type needs to be SIEM
- Write down the API ID and API Secret Key for use later
- Configure notification(s) to send events to Splunk: How to add new Notifications
- Log in to the Splunk Enterprise console
- Select '+Find More Apps' from the left-hand menu
- Search for 'CB ThreatHunter' and install the 'CB ThreatHunter App for Splunk'
- The Technology and Input Add-Ons are only needed in the circumstances below:
  - For Splunk Cloud, consider using an on-premise Heavy Forwarder with the Input Add-On installed on it
  - For a Distributed Environment:
    - For each Search Head, deploy a configured copy of the App (NOT the Technology OR Input Add-Ons)
    - For each Indexer, deploy a copy of the Technology Add-On
    - For a single "Data Collection Node" OR "Heavy Forwarder" (a full instance of Splunk is required), install the Input Add-On and configure it through the GUI
- On the top menu bar, select the 'Apps' drop-down and navigate to CB ThreatHunter for Splunk
- Continue to the app setup page (or navigate to Administration > Application Configuration)
- Click 'Create New CB ThreatHunter Input' and configure the new modal window with this information:
- Modular Input Name: A unique identifier
- Hostname: API URL for your backend found here. Enter the bare hostname without https://; the app prepends https:// automatically, so a pasted scheme would produce a malformed URL
- Token: API Secret Key gathered in Step 1
- Connector ID: API ID gathered in Step 1
- Interval(s): Default is 120 seconds, which is the minimum value
- Index: If left blank, the default index will be used, otherwise specify the desired index
- Proxy Name: Select your given proxy, or None if not needed
- Click Save Changes (Verified by a "Cb ThreatHunter Input Configuration Added." message)
- Close the modal window
- On the Application Configuration page, click 'Save'
- Verify data is populating in the 'CB ThreatHunter Overview' and 'CB Policy Action Overview' tabs
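The following is an added pre-flight check, not code from the KB article or from the CB ThreatHunter App for Splunk. It validates the values about to be typed into the 'Create New CB ThreatHunter Input' modal (bare hostname, non-empty API ID and Secret Key, interval of at least 120 seconds) and then polls the SIEM notification endpoint once, the same call the modular input makes, to confirm the credentials work before clicking Save. The endpoint path `/integrationServices/v3/notification`, the header form `X-Auth-Token: <API Secret Key>/<API ID>` and the `success`/`notifications` response fields are taken from the CB Defense/PSC SIEM notification API and are assumptions here, not facts stated on this page; the hostname `cbth.example.com` and the sample response are constructed placeholders.

```python
"""Pre-flight check for a CB ThreatHunter -> Splunk modular input.

Added example, not part of the KB article or the Splunk app.
Assumptions (not stated on the page): the SIEM credential is sent as
'X-Auth-Token: <API Secret Key>/<API ID>' to
GET https://<hostname>/integrationServices/v3/notification, and the
response is JSON with 'success' and a 'notifications' list, as in the
CB Defense/PSC SIEM notification API.
"""
import json
import urllib.request

MIN_INTERVAL_SECONDS = 120  # minimum the modular input accepts (from the page)


def normalize_hostname(hostname: str) -> str:
    """Return the bare host the modal expects. The app prepends https://
    itself, so a pasted 'https://host/' must be reduced to 'host'."""
    host = hostname.strip()
    for scheme in ("https://", "http://"):
        if host.lower().startswith(scheme):
            host = host[len(scheme):]
    return host.rstrip("/")


def validate_input_settings(name: str, hostname: str, api_id: str,
                            api_secret: str, interval: int) -> list:
    """Return the problems found with the values for the input modal;
    an empty list means the values are safe to enter."""
    problems = []
    host = normalize_hostname(hostname)
    if not name.strip():
        problems.append("Modular Input Name must not be empty")
    if not host:
        problems.append("Hostname must not be empty")
    elif "/" in host:
        problems.append("Hostname must be a host only, not a URL with a path")
    if not api_id.strip() or not api_secret.strip():
        problems.append("API ID and API Secret Key are both required (SIEM access level)")
    if interval < MIN_INTERVAL_SECONDS:
        problems.append(f"Interval must be at least {MIN_INTERVAL_SECONDS} seconds")
    return problems


def build_notification_request(hostname: str, api_id: str, api_secret: str):
    """Assumed URL and header layout of the SIEM notification API."""
    url = f"https://{normalize_hostname(hostname)}/integrationServices/v3/notification"
    headers = {"X-Auth-Token": f"{api_secret}/{api_id}", "Accept": "application/json"}
    return url, headers


def poll_notifications(hostname: str, api_id: str, api_secret: str, fetch=None) -> list:
    """GET the notification endpoint once and return the notifications.
    `fetch(url, headers) -> bytes` is injectable so the parsing can run
    offline; the default does a real HTTPS request (a 401 raises HTTPError)."""
    url, headers = build_notification_request(hostname, api_id, api_secret)
    if fetch is None:
        def fetch(u, h):
            req = urllib.request.Request(u, headers=h)
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.read()
    body = json.loads(fetch(url, headers))
    if not body.get("success", True):
        raise RuntimeError(f"API rejected the request: {body.get('message')}")
    return body.get("notifications", [])


# Constructed sample response for the offline demo; not real data.
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "message": "Success",
    "notifications": [
        {"type": "THREAT", "eventTime": 1560000000000,
         "eventDescription": "[constructed sample] test notification"},
    ],
}).encode()


def demo():
    """Run the checks against placeholder settings and the sample response."""
    hostname = "https://cbth.example.com/"  # placeholder; scheme is stripped
    problems = validate_input_settings("cbth_input", hostname, "ABCD1234", "secret", 120)
    notes = poll_notifications(hostname, "ABCD1234", "secret",
                               fetch=lambda u, h: SAMPLE_RESPONSE)
    return problems, len(notes)


if __name__ == "__main__":
    print(demo())
```

Run the live poll (without `fetch=`) only before the Splunk input is enabled: the SIEM notification API hands each notification out once, so a manual poll consumes events the modular input would otherwise ingest.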
Additional Notes
- Logs for the input can be found in $SPLUNK_HOME/var/log/splunk/cb_psc_for_splunk/ as ta-cb_defense_cbdefense_XXXX.log, with rotated copies ta-cb_defense_cbdefense_XXXX.log.1, ta-cb_defense_cbdefense_XXXX.log.2, etc.
- The About tab on the CB ThreatHunter App has the app's documentation with more information
- If you have any issues getting the Splunk integration to work, please contact Support for assistance: How to open a Support Case