Environment
- Carbon Black Cloud Console: All Versions
- CB Defense Add-On for Splunk: Version 2.0.1
- CB Defense App for Splunk: Version 1.1.4
Question
Does the Splunk add-on / app for Carbon Black Cloud (formerly PSC: Defense / Threat Hunter) support Audit log ingestion?
Answer
Additional Notes
It is possible to get the Audit log data into a SIEM by using the Carbon Black Cloud syslog connector found here. When setting up the connector, do not specify a SIEM key (so that notifications are not pulled); specify ONLY an API key. Configure the connector to send syslog out to your Splunk indexer or forwarder, then configure a standard syslog input in Splunk to accept that syslog data.