
Downloading Cb Protection App for Splunk
SHA256 checksum (cb-protection-app-for-splunk_20.tgz): 6c20f79fb606aac0be0e705ce5a5a84b526692be74442a543c06ecc1e36095af
SHA256 checksum (cb-protection-app-for-splunk_101.tgz): fc2ba45bd1a6e2f314198bfa30add963241cd0735377f74f958c2ef15f431f24
SHA256 checksum (cb-protection-app-for-splunk_10.tgz): 6f8c5c975112c2373ac14f2e236dd0b40bc90269f8b32bef4748e863cae93a44
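Before uploading a downloaded tarball to Splunk, compare it against the SHA256 values published above. This is an added helper, not part of the app; the digests in PUBLISHED_SHA256 are copied from this page, and the file name is used to pick which one applies.

```python
import hashlib
import hmac
from pathlib import Path

# Published SHA256 values for the three release tarballs, copied from this page.
PUBLISHED_SHA256 = {
    "cb-protection-app-for-splunk_20.tgz":
        "6c20f79fb606aac0be0e705ce5a5a84b526692be74442a543c06ecc1e36095af",
    "cb-protection-app-for-splunk_101.tgz":
        "fc2ba45bd1a6e2f314198bfa30add963241cd0735377f74f958c2ef15f431f24",
    "cb-protection-app-for-splunk_10.tgz":
        "6f8c5c975112c2373ac14f2e236dd0b40bc90269f8b32bef4748e863cae93a44",
}


def sha256_of_file(path):
    """Hash the file in 1 MiB chunks so a large archive need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published=PUBLISHED_SHA256):
    """Return True only if the file name is a known release and its digest matches.

    Unknown names are rejected rather than skipped, so a renamed or otherwise
    unexpected archive can never pass by accident.
    """
    name = Path(path).name
    expected = published.get(name)
    if expected is None:
        return False
    actual = sha256_of_file(path)
    # Constant-time comparison; the digests are public, but this is the habit to keep.
    return hmac.compare_digest(actual, expected.lower())


if __name__ == "__main__":
    import sys
    ok = verify_download(sys.argv[1])
    print("checksum OK" if ok else "checksum MISMATCH - do not install")
    sys.exit(0 if ok else 1)
```

Run it as `python verify_cb_app.py cb-protection-app-for-splunk_20.tgz` from the directory holding the download; a non-zero exit code means the archive should not be installed.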
Cb Protection App for Splunk

This app is NOT supported by Splunk. Please read about what that means for you here.
Cb Protection is the market’s leading application control solution. Cb Protection enables organizations to establish automated software execution controls and protection policies that safeguard corporate and customer endpoint data.

Carbon Black and Splunk have partnered to deliver an advanced security reporting and analysis app for Cb Protection users. This app enables users to take advantage of the powerful visualization and analysis capabilities within Splunk to enhance operational management of Cb Protection and more quickly access intelligence during an investigation or audit.

Primary use-cases include:
• Deployment Activity at a glance - leading to better operational tuning based on new views and insights
• File and Computer Investigations - comprehensive and timely investigations in a simple dashboard
• Administrator Audit - full visibility into an important source of trusted change
• Ability to create custom and ad-hoc queries

Please note: This app was previously known as the Splunk App for Bit9.

INSTALLATION SUMMARY

To use the Cb Protection App for Splunk, you must configure the Cb Protection Server for data output, and make modifications on both the system hosting the Cb Protection Server and on the Splunk server. The summary of these steps is as follows:

A. Configure your Cb Protection server to export data.

B. Enable your Splunk server to collect Cb data.

C. Install the Cb Protection app on your Splunk server.

D. If you have additional indexers beyond your Splunk server, install the Cb Protection app on those indexers.

E. Install the Splunk Universal Forwarder on your Cb Protection server machine to send the logs to Splunk.

F. Install the Cb Protection app on your Splunk Universal Forwarder to inform it where the Cb Protection data export is located.

INSTALLATION STEPS

A. Cb Protection Server Configuration

  1. On the Cb Protection console menu, choose Administration > System Configuration and click on the External Analytics tab.
  2. Click on the Edit button at the bottom of the page.
  3. In the General panel, check the Enable Export box.
  4. In the Export Directory field, enter the name of the directory into which you want the Cb Protection data to be exported. This directory should be local to your Cb Protection server.
  5. Check the boxes next to the kind of data you wish to export in the Messages area: File Catalog, File Operations and Events.
  6. Click the Set Analytics URLs to Splunk defaults button to fill in the Analytics Server fields with the proper values for connecting your Cb Protection Console to Splunk. Replace server in the Root URL field with the address of your Splunk Web server.
  7. Click Update.

B. Configuring the Splunk Server for Cb Protection Access

You must complete several procedures on the Splunk Server to enable use of Cb Protection data. First, configure the Splunk server to receive forwarder data on port 9997.

  1. Log into the Splunk server as an administrator-level user.
  2. In the menu bar at the top of the Splunk console, choose Settings (Splunk 6) or Management (Splunk 5), then choose Data > Forwarding and receiving, and in the Forwarding and receiving window, choose Configure receiving.
  3. In the Receive data window, check to see whether port 9997 is configured. If not, click the New button, enter 9997 as the port to listen on, and click the Save button.
  4. In your firewall, create a rule to ensure that the Splunk server can receive data on port 9997.

C. Install the Cb Protection App on the Splunk Server

  1. Log into the Splunk server as an administrator-level user.
  2. Copy the file cb-protection-app-for-splunk_20.tar.gz to a convenient location on the server.
  3. In the menu bar at the top of the Splunk console, choose Apps > Manage Apps.
  4. Install the app from its archive: click Install app from file, and in the Upload an app dialog, browse to the cb-protection-app-for-splunk_20.tar.gz file, then click Upload.

D. Install the Cb Protection App on your additional Splunk indexers

  1. Copy the cb-protection-app-for-splunk_20.tar.gz file you downloaded to the \etc\apps subdirectory under the Splunk indexer installation directory. For example, if you are running a 64-bit OS on the Splunk indexer machine: C:\Program Files\Splunk\etc\apps\
  2. Unzip and untar the file.
  3. At a command prompt, restart the Splunk indexer:

cd \Program Files\Splunk\bin

.\splunk restart

E. Install the Splunk Universal Forwarder on the Cb Protection Server

  1. Download the Splunk Universal Forwarder from the Splunk website: http://www.splunk.com/download/universalforwarder
  2. Run the appropriate installer for your operating system on the Cb Protection Server
  3. Provide the address of your Splunk server (or indexer, if you have one) when prompted.

Important

During the Splunk Universal Forwarder installation process, do not enter the location of the data files on the Cb Protection Server when prompted. The location of these files will be provided by the Cb Protection App for Splunk.

F. Install the Cb Protection App on the Splunk Universal Forwarder

Once the Splunk Universal Forwarder is installed, install the Cb Protection app under the Splunk Universal Forwarder installation directory:

  1. Copy the cb-protection-app-for-splunk_20.tar.gz file you downloaded to the \etc\apps subdirectory under the Splunk Universal Forwarder installation directory. For example, if you are running a 64-bit OS on the Cb Protection Server: C:\Program Files\SplunkUniversalForwarder\etc\apps\
  2. Unzip and untar the file.
  3. Go into the bit9-secapp directory and create a new directory named local.
  4. Copy default\inputs.conf into the local directory.
  5. Edit the first line of local\inputs.conf to point to the location of the Export Directory configured on the Cb Protection console System Configuration/External Analytics page, and save the file. For example, if the Export Directory on the Cb Protection Server is D:\Bit9\LogFiles, the first line of inputs.conf should be changed to the following:
    [monitor://D:\Bit9\LogFiles\*.bt9]
  6. At a command prompt, restart the Splunk Universal Forwarder:

cd \Program Files\SplunkUniversalForwarder\bin

.\splunk restart
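Steps F.4 and F.5 above amount to copying default\inputs.conf and re-pointing its first line at the Export Directory. The following added helper (not part of the app) renders that local\inputs.conf from a string; the DEFAULT_INPUTS_CONF sample is constructed here, because the app's real default file is not reproduced on this page, and only its first line (the monitor stanza) is taken from the instructions.

```python
import re

# Constructed stand-in for the app's default\inputs.conf. Only the first line
# (the [monitor://...] stanza header) is known from the instructions; the
# "disabled = 0" body line is an assumption used to show that the rest of the
# file is carried over untouched.
DEFAULT_INPUTS_CONF = """[monitor://C:\\Bit9\\LogFiles\\*.bt9]
disabled = 0
"""

MONITOR_RE = re.compile(r"^\[monitor://(?P<path>.+)\]\s*$")


def monitor_stanza_for(export_dir):
    """Build the [monitor://...] header for a Cb Protection export directory.

    Trailing separators are stripped so the result always has exactly one
    backslash before the *.bt9 glob, whichever way the path was typed.
    """
    export_dir = export_dir.strip().rstrip("\\/")
    if not export_dir:
        raise ValueError("export directory must not be empty")
    return "[monitor://%s\\*.bt9]" % export_dir


def render_local_inputs(default_conf, export_dir):
    """Return the text of local\\inputs.conf: the default file with its first
    monitor stanza header replaced by one pointing at export_dir.

    Refuses to proceed if the first line is not a monitor stanza, which would
    mean the default file is not the one these steps expect.
    """
    lines = default_conf.splitlines()
    if not lines or not MONITOR_RE.match(lines[0]):
        raise ValueError("expected a [monitor://...] stanza on the first line")
    lines[0] = monitor_stanza_for(export_dir)
    return "\n".join(lines) + "\n"


def monitored_path(conf):
    """Read back the monitored path from a rendered inputs.conf, for checking."""
    first = conf.splitlines()[0] if conf else ""
    m = MONITOR_RE.match(first)
    return m.group("path") if m else None
```

Write the returned string to bit9-secapp\local\inputs.conf and restart the forwarder as in step F.6; `monitored_path` lets you confirm the stanza points at the same directory you entered in the Cb Protection console.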

When you have completed all of these steps, the Cb Protection-Splunk integration should be complete and data from Cb Protection should begin flowing to Splunk. Please click on the Contact link if you have questions.

Release Notes

Version 2.0
April 16, 2015
  • Our AppID has changed from "TA_bit9" to "bit9-secapp", so if you upgrade from the old one, you will notice that there are now two instances of our app (in the menus, on the main screen, and so forth). Go back to the Apps management screen and click “Disable” next to the 1.0.1 version of the app. You should then go into the Bit9 console and under System Configuration > External Analytics, edit the Relative URL entries, changing "TA-bit9" to "bit9-secapp".

  • New feature: The "New Unapproved Files" pivot table lets you easily zero in on which processes and files are generating the most unapproved-file traffic, making it easier to define rules to reduce the amount of "noise" in your Cb Protection environment.

  • Requires Cb Protection (formerly Bit9) version 7.2 or higher.

  • Includes some bug fixes and performance improvements.

Version 1.0.1
Aug. 8, 2014

Requires Bit9 Security Platform version 7.2. Includes some bug fixes and performance improvements. If you have installed version 1.0 of this app before, this version requires overinstall on forwarders and indexers as well as search heads.

Version 1.0
May 26, 2014

Requires Bit9 Security Platform 7.2 or greater.
