Carbon Black Cloud: Does The Splunk Add-on Or App Ingest Console Audit Logs
search cancel

Carbon Black Cloud: Does The Splunk Add-on Or App Ingest Console Audit Logs

book

Article ID: 288593

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Does the Splunk add-on / app for Carbon Black Cloud (formerly PSC: Defense / Threat Hunter) support Audit log ingestion?

Environment

  • Carbon Black Cloud Console: All Versions
  • CB Defense Add-On for Splunk: Version 2.0.1
  • CB Defense App for Splunk: Version 1.1.4

Resolution

  • Not at this time in versions less than Add-On for Splunk: Version 2.0.1 or App for Splunk: Version 1.1.4.
  • Please up-vote this feature request found in Idea Central to help increase the priority for this feature:¬†https://community.carbonblack.com/t5/Idea-Central/CBC-Update-Splunk-App-Add-on-To-Include-Console-Audit-Log/idi-p/88990#M9579¬†

Additional Information

It is possible to insert the Audit log data into a siem by using the Carbon Black Cloud syslog connection found here. When setting up the connector do not specify a SIEM key (so that notifications are not being pulled) ONLY specify an API key. Then configure the connector to send syslog out to your Splunk indexer / Forwarder. Then configure a standard syslog input within your Splunk to accept this syslog data.