The Carbon Black Developer Network is proud to announce the second major public release of our Cb Defense Add-On for Splunk.
This add-on is available for download now from Splunkbase and integrates Splunk with your Cb Defense console, forwarding alerts from Cb Defense right into your Splunk instance.
This add-on is now compatible with both Splunk on-premise and Splunk cloud.
This Add-On requires Cb Defense and Splunk version 6.6 or above.
Running this Add-On has no hardware requirements beyond the standard requirements for both Carbon Black and Splunk.
The App can be downloaded from Splunkbase and then manually installed on a Splunk instance, or installed directly from within the Splunk UI by logging into Splunkbase and searching for the CB Defense Add-On for Splunk.
Once the Cb Defense Add-On for Splunk is installed, you must configure it to connect to your Cb Defense server.
This is done by generating a "SIEM" connector key in the Cb Defense console. For information on how to generate API keys,
see the Cb Developer Network.
Ensure that your new Connector key is of type "SIEM".
Next, add "notification" rules to your Cb Defense server. Navigate to the "Settings -> Notifications" page and
click the "Add Notification" button. Make sure to add the connector key name you set up above into the list of
subscribed connectors in the text box at the bottom of the notification rule dialog box.
If you are working from a Splunk instance with a UI, you can configure the Add-on through the web UI.
See below for instructions on how to configure the Add-on from the CLI, for instance when deploying to a forwarder.
To configure the Cb Defense Add-on for Splunk to connect to your Cb Defense server:
The 2.X Add-on for Splunk supports as many rest-inputs as a user desires. If you would like to integrate with multiple Cb Defense Servers/Connectors, simply define multiple inputs.
The Cb Defense Add-On for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your Cb Defense server, so the API key is stored securely on the Splunk server.
The Cb Defense Add-on for Splunk can also be configured through the CLI:
1) Manually install the Add-on, then restart Splunk.
2) Create a $SPLUNK_HOME/etc/apps/TA-Cb_Defense/local/inputs.conf like this:
```
[carbonblack_defense://<inputname>]
cb_defense_api_url = <ip or hostname of CB Defense>
interval = <Interval to poll the notifications API at >
siem_api_key = <API KEY>
siem_connector_id = <connector ID>
```
Once again, you can define multiple stanzas in the inputs.conf to integrate with multiple Cb Defense Servers/Connectors.
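A pre-deployment check for the inputs.conf described above, as an added example that is not part of the Add-on or the original page. It assumes POSIX file permissions; the function name `lint_inputs_conf` and every value in the sample are constructed, and treating two inputs that share a server and connector as a mistake is an assumption.

```python
import configparser
import os
import stat

PREFIX = "carbonblack_defense://"
REQUIRED = ("cb_defense_api_url", "interval", "siem_api_key", "siem_connector_id")

# Constructed sample: hostname, key and connector values are placeholders.
SAMPLE = """\
[carbonblack_defense://prod]
cb_defense_api_url = defense.example.com
interval = 60
siem_api_key = CONSTRUCTED-KEY
siem_connector_id = CONSTRUCTED01

[carbonblack_defense://lab]
cb_defense_api_url = defense.example.com
interval = 60
siem_api_key = <API KEY>
siem_connector_id = CONSTRUCTED01
"""

def lint_inputs_conf(path):
    """Return a list of findings for the carbonblack_defense stanzas in `path`."""
    findings = []
    # The stanza carries siem_api_key as typed, so only the owner should read the file.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:o} is accessible to group/other")
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read(path)
    seen = {}  # (api url, connector id) -> first input name that used the pair
    for section in conf.sections():
        if not section.startswith(PREFIX):
            continue
        name = section[len(PREFIX):]
        stanza = conf[section]
        for key in REQUIRED:
            value = stanza.get(key, "").strip()
            if not value:
                findings.append(f"[{section}]: {key} missing")
            elif value.startswith("<"):
                findings.append(f"[{section}]: {key} still a placeholder")
        # Assumption: two inputs on the same server/connector pair is a copy-paste slip.
        pair = (stanza.get("cb_defense_api_url"), stanza.get("siem_connector_id"))
        if all(pair) and pair in seen:
            findings.append(f"[{section}]: same server and connector as input '{seen[pair]}'")
        seen.setdefault(pair, name)
    return findings
```

Run it against the file on the forwarder before restarting Splunk; an empty list means every stanza has the four settings filled in and the file is readable by its owner only.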
Updated to re-enable support for Splunk Cloud
Updates to props.conf and transforms.conf.
2.0.1: Updated to support multiple inputs from CbDefense.
When upgrading from the 1.0X versions of this Add-on please uninstall the Add-on first as per these instructions:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Managingappobjects#Uninstall_an_app_or_add-on
2.0.0: Updated to support multiple inputs from CbDefense.
Add proxy support