Posted on June 27, 2017
The Carbon Black Developer Network is proud to announce the first public release of our new Splunk Add-On for Cb Defense. This add-on is available for download now from Splunkbase and integrates Splunk with your Cb Defense console, forwarding alerts from Cb Defense right into your Splunk instance.
This add-on is compatible with both Splunk on-premise and Splunk Cloud.
This app requires Cb Defense and Splunk version 6.4 or above.
No additional hardware requirements are necessary for running this app above the standard requirements for both Carbon Black and Splunk.
Once the Cb Defense app for Splunk is installed, you must configure it to connect to your Cb Defense server. This is done by generating a “SIEM” connector key in the Cb Defense console. For information on how to generate API keys, see the Cb Developer Network. Ensure that your new connector key is of type “SIEM”.
Next, add “notification” rules to your Cb Defense server. Navigate to the “Settings -> Notifications” page and click the “Add Notification” button. Make sure to add the connector key name you set up above into the list of subscribed connectors in the text box at the bottom of the notification rule dialog box.
To configure the Cb Defense app for Splunk to connect to your Cb Defense server:
1. Set the API URL to your Cb Defense API server, for example api-url.conferdeploy.net. Refer to: Cb Defense API Basics.
2. Set the API key to your connector key and connector ID separated by a slash. For example, if your connector key is ABCD and your connector ID is 1234, set the API key to ABCD/1234.
The Cb Defense app for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your Cb Defense server, so the API key is stored securely on the Splunk server.
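As an added illustration (not code from Carbon Black or the add-on), the following Python checks the two configuration values described above before they are used: it normalizes the API URL, splits the combined ABCD/1234 key into its connector key and connector ID, and masks the secret for logging. The notification endpoint path and the X-Auth-Token header name are assumptions, not something this page states.

```python
"""Added example: validate Cb Defense connector settings for a Splunk poller.
Endpoint path and header name below are assumptions, not from the page."""
import re
from urllib.parse import urlsplit

# Assumed path of the Cb Defense notification (SIEM) API.
NOTIFICATION_PATH = "/integrationServices/v3/notification"


def normalize_api_url(api_url):
    """Accept 'api-url.conferdeploy.net' or 'https://host/' and return a
    canonical https base URL. Plain http is rejected so the API key is
    never sent in clear text."""
    url = api_url.strip()
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("Cb Defense API URL must use https")
    if not parts.hostname:
        raise ValueError("Cb Defense API URL has no host")
    return "https://" + parts.netloc


def split_api_key(api_key):
    """Split 'ABCD/1234' into (connector key, connector ID); reject a
    missing or extra separator and a non-alphanumeric connector ID."""
    parts = api_key.strip().split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError("API key must be <connector key>/<connector ID>")
    secret, connector_id = parts
    if not re.fullmatch(r"[A-Za-z0-9]+", connector_id):
        raise ValueError("connector ID must be alphanumeric")
    return secret, connector_id


def build_request(api_url, api_key):
    """Return (url, headers) for polling notifications. The secret travels
    only in a header, never in the URL, so it stays out of proxy logs."""
    secret, connector_id = split_api_key(api_key)
    url = normalize_api_url(api_url) + NOTIFICATION_PATH
    return url, {"X-Auth-Token": secret + "/" + connector_id}


def redact_api_key(api_key):
    """Mask the secret part for log lines, keeping the connector ID."""
    secret, connector_id = split_api_key(api_key)
    return "*" * len(secret) + "/" + connector_id
```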