EDR: EDR Plugin For Splunk Not Able To Isolate Sensor Via IP Address
Article ID: 287161
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
The EDR plugin for Splunk is unable to isolate a sensor using its IP address.
Environment
EDR Server: 6.2.4
Splunk: 2.14
Cause
This is a known issue being tracked in Engineering under ticket CB-27104.
Resolution
The sensor can be isolated using its Sensor ID instead of its IP address.
Splunk Phantom (https://www.splunk.com/en_us/software/phantom.html) can also be used as an alternative tool.
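When an alert carries only an IP address, the Sensor ID has to be looked up before the workaround above can be used. The following is an added example, not code from the article or from the Splunk app: it resolves an IP to a single Sensor ID from a sensor inventory and refuses to answer when the IP is absent or shared by more than one record. The record shape (`id`, `computer_name`, `network_adapters` as `ip,mac|` pairs), the sample data and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample inventory; the field names are an assumed export shape.
SENSORS = [
    {"id": 17, "computer_name": "WS-ALPHA",
     "network_adapters": "10.0.5.21,000c29aa0001|"},
    {"id": 42, "computer_name": "WS-BRAVO",
     "network_adapters": "10.0.5.33,000c29aa0002|192.168.56.1,0a0027000001|"},
    # A second record listing the same address as sensor 42.
    {"id": 58, "computer_name": "WS-CHARLIE",
     "network_adapters": "10.0.5.33,000c29aa0003|"},
]


def adapter_ips(sensor):
    """Return the set of IP addresses listed in a sensor's adapter string."""
    ips = set()
    for entry in sensor.get("network_adapters", "").split("|"):
        ip = entry.split(",")[0].strip()
        if ip:
            ips.add(ipaddress.ip_address(ip))
    return ips


def resolve_sensor_id(ip, sensors):
    """Map an IP address to exactly one Sensor ID.

    Raises ValueError for a malformed IP and LookupError when no sensor or
    more than one sensor lists the address, so that an isolation request is
    never sent for a guessed host.
    """
    target = ipaddress.ip_address(ip)  # ValueError on malformed input
    matches = [s for s in sensors if target in adapter_ips(s)]
    if not matches:
        raise LookupError(f"no sensor lists {ip}")
    if len(matches) > 1:
        ids = sorted(s["id"] for s in matches)
        raise LookupError(f"{ip} is listed by several sensors: {ids}")
    return matches[0]["id"]


if __name__ == "__main__":
    print(resolve_sensor_id("10.0.5.21", SENSORS))
```

The returned ID is the value to pass to the isolate action in place of the IP address.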
Additional Information
The Splunk App is no longer compatible with the current ESS or other connectors. There are no current plans to fix, improve or enhance it in any way at this time.
The supported list of connectors for Cb Response can be found here: https://community.carbonblack.com/t5/Endpoint-Detection-and-Response/Supported-Connectors-for-Endpoint-Detection-and-Response/m-p/88026