Endpoint Standard Splunk Add-On 1.0.1 Released

Posted on June 27, 2017


The Carbon Black Developer Network is proud to announce the first public release of our new Splunk Add-On for Endpoint Standard (formerly CB Response). This add-on is available for download now from Splunkbase under CB Defense Add-On for Splunk and integrates Splunk with your Endpoint Standard console, forwarding alerts from Endpoint Standard right into your Splunk instance.

This add-on is now compatible with both Splunk on-premise and Splunk cloud.

Requirements

This app requires Endpoint Standard and Splunk version 6.4 or above.

No additional hardware requirements are necessary for running this app above the standard requirements for both Carbon Black and Splunk.

Getting Started

Once the Endpoint Standard app for Splunk is installed, then you must configure it to connect to your Endpoint Standard server. This is done by generating a “SIEM” connector key in the Endpoint Standard console. For information on how to generate API keys, see the Cb Developer Network. Ensure that your new Connector key is of type “SIEM”.

Next, add “notification” rules to your Endpoint Standard server. Navigate to the “Settings -> Notifications” page and click the “Add Notification” button. Make sure to add the connector key name you set up above into the list of subscribed connectors in the text box at the bottom of the notification rule dialog box.

To configure the Endpoint Standard app for Splunk to connect to your Endpoint Standard server:

  1. Start the Endpoint Standard App in Splunk
  2. Go to the “Configuration” tab - “Add-On Settings” page and fill in the following fields:
    1. Enter the API hostname for your Endpoint Standard instance in the URL field. Example: api-url.conferdeploy.net. Refer to: Endpoint Standard API Basics.
    2. Set apikey to your API key and connector ID this way: APIKey/ConnectorID. If your API key is ABCD and your connector ID is 1234, set the API key to ABCD/1234.
  3. Go to the “Inputs” tab and click “Create new input” with the following settings:
    1. Set “name” to anything (for example “cbdefense”)
    2. Set “interval” to 60 seconds (the polling interval of the Endpoint Standard notifications API)
    3. Set “index” to whatever Splunk index you’d like the app to place Endpoint Standard events into

The Endpoint Standard app for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your Endpoint Standard server, so the API key is stored securely on the Splunk server.