
CB ThreatHunter: How to Setup and Configure Splunk Enterprise to Receive Data

Environment

  • CB ThreatHunter Web Console: All Versions
  • CB ThreatHunter for Splunk: Version 1.0.0

Objective

How to set up and configure Splunk Enterprise to receive data from the CB ThreatHunter Console

Resolution

  1. Create a new API Access in the CB ThreatHunter Console under Settings > API Access
    • The Access Level Type must be SIEM
    • Record the API ID and API Secret Key for use later. The Secret Key is a credential: keep it in your password or secrets manager rather than in a ticket or chat, and revoke the key in the console if it is ever exposed
  2. Configure notification(s) to send events to Splunk: How to add new Notifications
  3. Log in to the Splunk Enterprise console
  4. Select '+Find More Apps' from the left-hand menu
  5. Search for 'CB ThreatHunter' and install the 'CB ThreatHunter App for Splunk'
    • The Technology Add-On and Input Add-On are only needed in the following cases:
      1. For Splunk Cloud, use an on-premises Heavy Forwarder with the Input Add-On installed on it to collect the data
      2. For a distributed environment:
        • On each Search Head, deploy a configured copy of the App (not the Technology or Input Add-Ons)
        • On each Indexer, deploy a copy of the Technology Add-On
        • On a single Data Collection Node or Heavy Forwarder (a full Splunk Enterprise instance is required), install the Input Add-On and configure it through the GUI
  6. On the top menu bar, select the 'Apps' drop down, and navigate to the CB ThreatHunter for Splunk
  7. Continue to the app setup page (or navigate to Administration > Application Configuration)
  8. Click 'Create New CB ThreatHunter Input' and configure the new modal window with this information:
    • Modular Input Name: A unique identifier
    • Hostname: The API URL for your backend, found here. Enter it without https://, since the app prepends the scheme itself
    • Token: API Secret Key gathered in Step 1
    • Connector ID: API ID gathered in Step 1
    • Interval (seconds): How often the input polls for new notifications. The default is 120 seconds, which is also the minimum value
    • Index: If left blank, the default index will be used, otherwise specify the desired index
    • Proxy Name: Select your given proxy, or None if not needed
  9. Click Save Changes (a "Cb ThreatHunter Input Configuration Added." message confirms the save)
  10. Close the modal window
  11. On the Application Configuration page, click 'Save'
  12. Verify data is populating in the 'CB ThreatHunter Overview' and 'CB Policy Action Overview' tabs
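A pre-flight check for the values entered in the input modal above, added here as an example and not code from the CB ThreatHunter App for Splunk itself. It validates the fields the way the steps describe them (a bare hostname with no https://, an interval of at least 120 seconds, a token and connector ID present), builds the X-Auth-Token header that Carbon Black Cloud API keys use (API Secret Key and API ID joined by a slash), and counts THREAT and POLICY_ACTION notifications in a response from the notifications endpoint. The endpoint path, the header format, the hostname defense.example.net and the sample JSON are assumptions made for this example; the mapping of the two notification types onto the two dashboards named in step 12 is likewise an assumption based on the dashboard names.

```python
"""Pre-flight check for a CB ThreatHunter Splunk input (added example, not the app's own code)."""
import json
import re
import urllib.request
from typing import Dict, List, Tuple

# Carbon Black Cloud notifications endpoint polled with a SIEM-type API key (assumption).
NOTIFICATION_PATH = "/integrationServices/v3/notification"
MIN_INTERVAL_S = 120  # the modal's default and minimum, per the article

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def normalize_hostname(raw: str) -> str:
    """Return the bare hostname the modal expects; the app prepends https:// itself.

    Accepts a pasted URL such as 'https://defense.example.net/' and strips the scheme,
    trailing slash and any path. Raises ValueError for anything that is not a hostname.
    """
    host = raw.strip()
    host = re.sub(r"^https?://", "", host, flags=re.IGNORECASE)
    host = host.split("/", 1)[0]
    if not host or not HOSTNAME_RE.match(host):
        raise ValueError(f"not a valid API hostname: {raw!r}")
    return host


def validate_input(config: Dict[str, str]) -> List[str]:
    """Return a list of problems with the modal fields; an empty list means OK."""
    problems: List[str] = []
    if not config.get("name"):
        problems.append("Modular Input Name is required")
    try:
        normalize_hostname(config.get("hostname", ""))
    except ValueError as exc:
        problems.append(str(exc))
    if not config.get("token"):
        problems.append("Token (API Secret Key) is required")
    if not config.get("connector_id"):
        problems.append("Connector ID (API ID) is required")
    try:
        interval = int(config.get("interval", MIN_INTERVAL_S))
    except ValueError:
        problems.append("Interval must be an integer number of seconds")
    else:
        if interval < MIN_INTERVAL_S:
            problems.append(f"Interval must be at least {MIN_INTERVAL_S} seconds")
    return problems


def auth_header(connector_id: str, token: str) -> Dict[str, str]:
    """X-Auth-Token is '<API Secret Key>/<API ID>' for a Carbon Black Cloud API key."""
    return {"X-Auth-Token": f"{token}/{connector_id}"}


def notification_url(hostname: str) -> str:
    """Full URL the check will GET, built from the bare hostname."""
    return f"https://{normalize_hostname(hostname)}{NOTIFICATION_PATH}"


def summarize_notifications(body: str) -> Tuple[int, int]:
    """Count THREAT and POLICY_ACTION notifications in a notifications API response body.

    Assumption: these two types feed the 'CB ThreatHunter Overview' and
    'CB Policy Action Overview' dashboards respectively.
    """
    data = json.loads(body)
    if not data.get("success", False):
        raise RuntimeError(f"API reported failure: {data.get('message')}")
    items = data.get("notifications", [])
    threats = sum(1 for n in items if n.get("type") == "THREAT")
    actions = sum(1 for n in items if n.get("type") == "POLICY_ACTION")
    return threats, actions


def fetch_notifications(hostname: str, connector_id: str, token: str, timeout: int = 30) -> str:
    """Issue a GET against the notifications endpoint; returns the raw JSON body. Network call."""
    req = urllib.request.Request(notification_url(hostname), headers=auth_header(connector_id, token))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response shaped like the notifications API (not captured from a live tenant).
SAMPLE_BODY = json.dumps({
    "success": True,
    "message": "success",
    "notifications": [
        {"type": "THREAT", "eventId": "e1", "threatInfo": {"summary": "sample threat"}},
        {"type": "POLICY_ACTION", "eventId": "e2", "policyAction": {"action": "DENY"}},
        {"type": "THREAT", "eventId": "e3", "threatInfo": {"summary": "second sample threat"}},
    ],
})

if __name__ == "__main__":
    cfg = {"name": "cbth-prod", "hostname": "https://defense.example.net/",
           "token": "REDACTED", "connector_id": "ABCD1234", "interval": "120"}
    print("config problems:", validate_input(cfg) or "none")
    print("would GET", notification_url(cfg["hostname"]))
    print("sample counts (threat, policy_action):", summarize_notifications(SAMPLE_BODY))
```

Run the validation before filling in the modal; to test the credentials against a real tenant, call fetch_notifications with the hostname, API ID and API Secret Key from step 1 and pass the body to summarize_notifications. A 401 from that call means the key or its access level is wrong, which is easier to diagnose here than from the Splunk dashboards.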

Additional Notes

  • Logs can be found in $SPLUNK_HOME/var/log/splunk/cb_psc_for_splunk/ta-cb_defense_cbdefense_XXXX.log, ta-cb_defense_cbdefense_XXXX.log.1, ta-cb_defense_cbdefense_XXXX.log.2, and so on; check them first for authentication or connectivity errors if no data appears
  • The About tab on the CB ThreatHunter App has the app's documentation with more information
  • If you have any issues getting the Splunk integration to work, please contact Support for assistance: How to open a Support Case

Article Information
Creation Date: 09-09-2020