CB ThreatHunter: How to Set Up and Configure Splunk Enterprise to Receive Data


Article ID: 291074


Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to set up and configure Splunk Enterprise to receive data from the CB ThreatHunter Console

Environment

  • CB ThreatHunter Web Console: All Versions
  • CB ThreatHunter for Splunk: Version 1.0.0

Resolution

  1. Create a new API key in the CB ThreatHunter Console under the Settings > API Access page
    • The Access Level Type must be SIEM
    • Record the API ID and API Secret Key for use in Step 8; the secret key is a credential that grants read access to your notifications, so store it accordingly rather than in a plain note
  2. Configure notification(s) to send events to Splunk: How to add new Notifications
  3. Log in to the Splunk Enterprise console
  4. Select the '+Find More Apps' from the left hand menu
  5. Search for 'CB ThreatHunter' and install the 'CB ThreatHunter App for Splunk'
    • The Technology Add-On and the Input Add-On are only needed in the following circumstances:
      1. For Splunk Cloud, consider using an on-premises Heavy Forwarder with the Input Add-On installed on it
      2. For a Distributed Environment:
        • For each Search Head, deploy a configured copy of the App (NOT the Technology OR Input Add-Ons)
        • For each Indexer, deploy a copy of the Technology Add-On 
        • For a single “Data Collection Node” OR “Heavy Forwarder” (a full instance of Splunk is required), install the Input Add-On and configure through the GUI
  6. On the top menu bar, select the 'Apps' drop down, and navigate to the CB ThreatHunter for Splunk
  7. Continue to the app setup page (or navigate to Administration > Application Configuration)
  8. Click 'Create New CB ThreatHunter Input' and configure the new modal window with this information:
    • Modular Input Name: A unique identifier for this input
    • Hostname: The API URL for your backend, found here. Enter the hostname only, without https://, because the app prepends the scheme itself
    • Token: The API Secret Key gathered in Step 1
    • Connector ID: The API ID gathered in Step 1
    • Interval (seconds): How often the input polls the backend. The default is 120 seconds, which is also the minimum allowed value
    • Index: If left blank, the default index is used; otherwise specify the desired index
    • Proxy Name: Select your proxy, or None if one is not needed
  9. Click Save Changes (Verified by a "Cb ThreatHunter Input Configuration Added." message)
  10. Close the modal window
  11. On the Application Configuration page, click 'Save'
  12. Verify data is populating in the 'CB ThreatHunter Overview' and 'CB Policy Action Overview' tabs
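A pre-flight check for the values entered in Step 8, as an added example that is not part of this article or of the CB ThreatHunter app. It normalises the Hostname field the way the modular input expects (scheme stripped, since the app prepends https://), builds the SIEM credential from the API ID and API Secret Key, and pulls one batch of notifications so a rejected key shows up here rather than only in the Splunk log. The endpoint path /integrationServices/v3/notification, the X-Auth-Token header laid out as "<API Secret Key>/<API ID>", and the response shape (success, message, notifications[].type) are assumptions about the Carbon Black Cloud notifications API, not something the article states; the sample response at the bottom is constructed for the offline run.

```python
"""Pre-flight check for a CB ThreatHunter -> Splunk modular input.

Added example, not the KB article's or the Carbon Black app's own code.
Endpoint, header format and response layout are assumptions (see the
lead-in); run with real values by setting CBC_HOSTNAME, CBC_API_ID and
CBC_API_SECRET in the environment.
"""
import json
import os
import urllib.request
from urllib.parse import urlsplit

NOTIFICATION_PATH = "/integrationServices/v3/notification"  # assumed path


def normalize_hostname(value: str) -> str:
    """Return the bare host the Splunk 'Hostname' field wants.

    Accepts 'defense.conferdeploy.net', 'https://defense.conferdeploy.net/'
    or a full URL with a path; rejects non-https schemes so a pasted
    http:// URL cannot silently downgrade the connection.
    """
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise ValueError("backend must be reached over https, got %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("no hostname found in %r" % value)
    host = parts.hostname
    if parts.port:
        host += ":%d" % parts.port
    return host


def auth_header(api_id: str, api_secret: str) -> str:
    """Build the SIEM key header value '<API Secret Key>/<API ID>' (assumed format)."""
    if not api_id or not api_secret:
        raise ValueError("both API ID and API Secret Key are required")
    if "/" in api_id or "/" in api_secret:
        raise ValueError("API ID and API Secret Key must not contain '/'")
    return "%s/%s" % (api_secret, api_id)


def build_request(hostname: str, api_id: str, api_secret: str) -> urllib.request.Request:
    """Assemble the GET the Splunk input would issue, ready for urlopen."""
    url = "https://%s%s" % (normalize_hostname(hostname), NOTIFICATION_PATH)
    return urllib.request.Request(
        url,
        headers={
            "X-Auth-Token": auth_header(api_id, api_secret),
            "Content-Type": "application/json",
        },
    )


def summarize(body: bytes) -> dict:
    """Reduce a notifications response to a count and the notification types seen.

    Raises RuntimeError when the backend reports success=false (typically a
    rejected key), which is the failure the Splunk modal cannot show you.
    """
    data = json.loads(body)
    if not data.get("success", False):
        raise RuntimeError("backend rejected the request: %s" % data.get("message", "no message"))
    notes = data.get("notifications", [])
    return {"count": len(notes), "types": sorted({n.get("type", "UNKNOWN") for n in notes})}


def fetch_notifications(hostname, api_id, api_secret, opener=urllib.request.urlopen, timeout=30):
    """Perform one poll and summarise it; 'opener' is injectable for offline tests."""
    req = build_request(hostname, api_id, api_secret)
    with opener(req, timeout=timeout) as resp:
        return summarize(resp.read())


# Constructed sample of what a successful poll is assumed to return.
SAMPLE_BODY = json.dumps({
    "success": True,
    "message": "Success",
    "notifications": [
        {"type": "THREAT", "eventId": "constructed-1"},
        {"type": "POLICY_ACTION", "eventId": "constructed-2"},
    ],
}).encode()


if __name__ == "__main__":
    host = os.environ.get("CBC_HOSTNAME")
    api_id = os.environ.get("CBC_API_ID")
    secret = os.environ.get("CBC_API_SECRET")
    if host and api_id and secret:
        print("live poll:", fetch_notifications(host, api_id, secret))
    else:
        print("offline run on constructed sample:", summarize(SAMPLE_BODY))
```

Run the check before the Splunk input exists, or with a SIEM key created just for it: the notifications endpoint is assumed to hand each notification out once per key, so anything this script pulls would not be re-delivered to Splunk. The 120-second minimum interval in Step 8 is the floor the app enforces for the same endpoint; polling it faster by hand gains nothing.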

Additional Information

  • Logs can be found in $SPLUNK_HOME/var/log/splunk/cb_psc_for_splunk/ta-cb_defense_cbdefense_XXXX.log, with rotated copies as ta-cb_defense_cbdefense_XXXX.log.1, ta-cb_defense_cbdefense_XXXX.log.2, etc.
  • The About tab on the CB ThreatHunter App has the app's documentation with more information
  • If you have any issues getting the Splunk integration to work, please contact Support for assistance: How to open a Support Case