
Endpoint Standard Splunk Add-On 2.0.1 Released

Posted on March 20, 2018


The Carbon Black Developer Network is proud to announce the second major public release of our Endpoint Standard Add-On for Splunk. This add-on is available for download now from Splunkbase under CB Defense Add-On for Splunk and integrates Splunk with your Endpoint Standard console, forwarding alerts from Endpoint Standard right into your Splunk instance.

This add-on is now compatible with both Splunk on-premise and Splunk cloud.

Requirements

This Add-On requires Endpoint Standard and Splunk version 6.6 or above.

Running this Add-On requires no hardware beyond the standard requirements for both Carbon Black and Splunk.

Getting Started

The App can be downloaded from Splunkbase, and then manually installed on a Splunk instance - or installed directly from within the Splunk UI by logging into Splunkbase and searching for CB Defense Add-On for Splunk.

Once the Add-On is installed, you must configure it to connect to your Endpoint Standard server. This is done by generating a “SIEM” connector key in the Endpoint Standard console. For information on how to generate API keys, see the Cb Developer Network. Ensure that your new Connector key is of type “SIEM”.

Next, add “notification” rules to your Endpoint Standard server. Navigate to the “Settings -> Notifications” page and click the “Add Notification” button. Make sure to add the connector key name you set up above into the list of subscribed connectors in the text box at the bottom of the notification rule dialog box.

If you are working from a Splunk instance with a UI you can use the web-UI to configure the Add-on quite simply. See below for instructions on how to configure the Add-on from the CLI - for instance when deploying to a forwarder.

To configure the Endpoint Standard Add-on for Splunk to connect to your Endpoint Standard server:

GUI Configuration

  1. Start the Endpoint Standard Add-on in Splunk
  2. Go to the “Inputs” tab - “Create new input” page and fill in the following fields:
    1. Enter the API hostname for your Endpoint Standard instance in the URL field. Example: defense.conferdeploy.net. Refer to: Endpoint Standard API Basics.
    2. Set apikey to your API key and the connector ID to your connector ID
    3. Set “name” to anything (for example “cbdefense”)
    4. Set “interval” to 60 seconds (the polling interval of the Endpoint Standard notifications API)
    5. Set “index” to whatever Splunk index you’d like the Add-On to place Endpoint Standard events into

The 2.X Add-on for Splunk supports as many rest-inputs as a user desires. If you would like to integrate with multiple Endpoint Standard Servers/Connectors simply define multiple inputs.

The Endpoint Standard Add-On for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your Endpoint Standard server, so the API key is stored securely on the Splunk server.

CLI Configuration

The Endpoint Standard Add-on for Splunk can also be configured through the CLI:

  1. Manually install the Add-on by unarchiving it into $SPLUNK_HOME/etc/apps, then restart the Splunk service.

  2. Create a $SPLUNK_HOME/etc/apps/TA-Cb_Defense/local/inputs.conf like this:

    [carbonblack_defense://<inputname>]
    cb_defense_api_url = <ip or hostname of Endpoint Standard>
    interval = <interval to poll the notifications API at>
    siem_api_key = <API KEY>
    siem_connector_id = <connector ID>
    

Once again, you can define multiple stanzas in the inputs.conf to integrate with multiple Endpoint Standard Servers/Connectors.
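
A quick lint for the inputs.conf described above, as an added example that is not part of the add-on or the original post: it checks that each carbonblack_defense stanza has the four keys, that no template placeholder was left in, that no two inputs point at the same server and connector, and that the file, which holds siem_api_key, is not accessible to group or other. The function names, the duplicate-pair rule, and the sample key and connector values are assumptions made for the example.

```python
import configparser, os, pathlib, tempfile, stat

PREFIX = "carbonblack_defense://"
REQUIRED = ("cb_defense_api_url", "interval", "siem_api_key", "siem_connector_id")

def audit_inputs_conf(path):
    """Return findings for the carbonblack_defense stanzas of an inputs.conf."""
    findings, seen = [], {}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # the file carries siem_api_key
        findings.append(f"file mode {mode:03o} grants group/other access")
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read(path)
    for section in (s for s in cp.sections() if s.startswith(PREFIX)):
        name = section[len(PREFIX):]
        values = {k: cp.get(section, k, fallback="").strip() for k in REQUIRED}
        for key, value in values.items():
            if not value:
                findings.append(f"{name}: {key} missing or empty")
            elif value.startswith("<") and value.endswith(">"):
                findings.append(f"{name}: {key} is still a template placeholder")
        # Assumed rule for this example: one input per server/connector pair.
        pair = (values["cb_defense_api_url"].lower(), values["siem_connector_id"])
        if all(pair) and pair in seen:
            findings.append(f"{name}: same server and connector as {seen[pair]}")
        seen.setdefault(pair, name)
    if not seen:
        findings.append("no [carbonblack_defense://...] stanza found")
    return findings

# Constructed sample: hostname from the page's example, dummy key and connector ID.
SAMPLE = """\
[carbonblack_defense://cbdefense]
cb_defense_api_url = defense.conferdeploy.net
interval = 60
siem_api_key = EXAMPLEKEY0000000000
siem_connector_id = EXAMPLECONN
[carbonblack_defense://second]
cb_defense_api_url = defense.conferdeploy.net
interval = 60
siem_api_key = <API KEY>
siem_connector_id = EXAMPLECONN
"""

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "inputs.conf")
        path.write_text(SAMPLE)
        path.chmod(0o644)  # readable by group/other, so the mode check fires
        return audit_inputs_conf(path)
```

To check a real deployment, call `audit_inputs_conf()` on `$SPLUNK_HOME/etc/apps/TA-Cb_Defense/local/inputs.conf`; an empty list means none of these checks fired.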