icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Cb Defense Add-On for Splunk
SHA256 checksum (cb-defense-add-on-for-splunk_202.tgz) 0566ccad2e6f8cb04396f1097c549190de92e6d7f985e874f27469d749826cbc SHA256 checksum (cb-defense-add-on-for-splunk_201.tgz) 02e665483dc8760b76f49f837a6654135731450fe3db90b64ab7b95dc5c75d72 SHA256 checksum (cb-defense-add-on-for-splunk_200.tgz) 4a9debc06948338662548d747e1fff3104a3b135f070be97108d0ae480e8e346 SHA256 checksum (cb-defense-add-on-for-splunk_102.tgz) 6e39469bd5922a6e94d2512d073cf391dfd13b00e1eb23bf62f35d3501a8e224 SHA256 checksum (cb-defense-add-on-for-splunk_100.tgz) f782e8ce0e226af497dbcb0195c3611cd8864c4ff55023252229ace0b775932f
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Cb Defense Add-On for Splunk

Splunk AppInspect Passed
Overview
Details
The Cb Defense Add-On for Splunk ingests notifications from Cb Defense into Splunk.

The Carbon Black Developer Network is proud to announce the second major public release of our Cb Defense Add-On for splunk.
This add-on is available for download now from Splunkbase and integrates
Splunk with your Cb Defense console, forwarding alerts from Cb Defense right into your Splunk instance.

This add-on is now compatible with both Splunk on-premise and Splunk cloud.

Requirements

This Add-On requires Cb Defense and Splunk version 6.6 or above.

No additional hardware requirements are necessary for running this Add-On above the standard requirements for both
Carbon Black and Splunk.

Getting Started

The App can be downloaded from Splunkbase, and then manually installed on a Splunk instance - or installed directly from within the Splunk UI by logging into Splunkbase and searching for the CB Defense Add-On for Splunk.

Once the Cb Defense Add-On for Splunk is installed, then you must configure it to connect to your Cb Defense server.
This is done by generating a "SIEM" connector key in the Cb Defense console. For information on how to generate API keys,
see the Cb Developer Network.
Ensure that your new Connector key is of type "SIEM".

Next, add "notification" rules to your Cb Defense server. Navigate to the "Settings -> Notifications" page and
click the "Add Notification" button. Make sure to add the connector key name you set up above into the list of
subscribed connectors in the text box at the bottom of the notification rule dialog box.

If you are working from a Splunk instance with a UI you can use the web-UI to configure the Add-on quite simply.
See below for instructions on how to configure the Add-on from the CLI - for instance when deploying to a forwarder.

To configure the Cb Defense Add-on for Splunk to connect to your Cb Defense server:

GUI Configuration

  1. Start the Cb Defense Add-on in Splunk
  2. Go to the "Inputs" tab - "Create new input" page and fill in the following fields:
    1. Enter the API hostname for your Cb Defense instance in the url field - for most customers this will be "api5.conferdeploy.net". If unsure, contact your support representative.
    2. Set apikey to your API key and the connector ID to your connector ID
    3. Set "name" to anything (for example "cbdefense")
    4. Set "interval" to 60 seconds (the polling interval of the Cb Defense notifications API)
    5. Set "index" to whatever Splunk index you'd like the Add-On to place Cb Defense events into

The 2.X Add-on for Splunk supports as many rest-inputs as a user desires. If you would like to integrate with multiple Cb Defense Servers/Connectors simply define multiple inputs.

The Cb Defense Add-On for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your Cb Defense server, so the API key is stored securely on the Splunk server.

CLI Configuration

The Cb Defense Add-on for Splunk can also be configured through the CLI:

1) Manually install the Add-on, restart Splunk

2) Create a $SPLUNK_HOME/etc/apps/TA-Cb_Defense/local/inputs.conf like this:

```
[carbonblack_defense://<inputname>]
cb_defense_api_url = <ip or="" hostname="" of="" cb="" defense=""> 
interval = <interval to="" poll="" the="" notifications="" api="" at=""> 
siem_api_key = <api key=""> 
siem_connector_id = <connector id="">
```

Once again, you can define multiple stanzas in the inputs.conf to integrate with multiple Cb Defense Servers/Connectors.

Release Notes

Version 2.0.2
Sept. 19, 2018

Updates to props.conf and transforms.conf.

Version 2.0.1
March 6, 2018

2.0.1: Updated to support multiple inputs from CbDefense.

When upgrading from the 1.0X versions of this Add-on please uninstall the Add-on first as per these instructions:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Managingappobjects#Uninstall_an_app_or_add-on

Version 2.0.0
March 2, 2018

2.0.0: Updated to support multiple inputs from CbDefense.

Version 1.0.2
Oct. 10, 2017

Add proxy support

Version 1.0.0
April 12, 2017

308
Installs
1,561
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.