Carbon Black Cloud: Does The Splunk Add-on Or App Ingest Console Audit Logs
Article ID: 288593
Updated On: 01-19-2021
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Issue/Introduction
Does the Splunk add-on / app for Carbon Black Cloud (formerly PSC: Defense / Threat Hunter) support Audit log ingestion?
Environment
Carbon Black Cloud Console: All Versions
CB Defense Add-On for Splunk: Version 2.0.1
CB Defense App for Splunk: Version 1.1.4
Resolution
Not at this time. As of CB Defense Add-On for Splunk 2.0.1 and CB Defense App for Splunk 1.1.4, neither ingests the console Audit log.
Please up-vote the feature request in Idea Central to help raise the priority of this feature: https://community.carbonblack.com/t5/Idea-Central/CBC-Update-Splunk-App-Add-on-To-Include-Console-Audit-Log/idi-p/88990#M9579
Additional Information
It is possible to send the console Audit log data to a SIEM by using the Carbon Black Cloud syslog connector found here. When setting up the connector, do not specify a SIEM key (so that notifications are not pulled); specify ONLY an API key. Then configure the connector to send syslog to your Splunk indexer or forwarder, and configure a standard syslog input in Splunk to accept that syslog data.
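The Splunk side of the procedure above, as an added example that is not from this article or from Carbon Black: an inputs.conf stanza that opens a syslog listener for what the connector sends once it is configured with an API key only. The port (5514), index name (carbonblack), sourcetype (cbc:syslog) and connector address (203.0.113.10) are assumptions chosen for the example; substitute your own.

```ini
# Added example, not from the Carbon Black KB article.
# Assumed values: port 5514, index "carbonblack", sourcetype "cbc:syslog",
# connector host 203.0.113.10.
# Put this in $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's
# local/inputs.conf) on the indexer or heavy forwarder the connector
# points at, create the index in indexes.conf, then restart Splunk.

[tcp://5514]
# TCP rather than UDP so that a lost event shows up as a failed
# connection on the connector side instead of being silently dropped.
sourcetype = cbc:syslog
index = carbonblack
# Record the connector host's IP address as the event's host field.
connection_host = ip
# Only accept connections from the connector host (assumed address);
# anything else on the network could otherwise inject "audit" events.
acceptFrom = 203.0.113.10
```

After restarting, confirm events are arriving with a search such as index=carbonblack sourcetype=cbc:syslog, and check the connector host's log if the listener shows connections but no data. Because this stream records administrator activity in the console, restrict search access to the index to the roles that need it, and give the API key used by the connector only the privileges it needs to read the Audit log.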