CB ThreatHunter App for Splunk 1.0.0 Released

Posted on January 29, 2019


The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for CB ThreatHunter. The app has been published to Splunk's application exchange, Splunkbase, and is available for download now.

The CB ThreatHunter App for Splunk allows a Splunk Administrator to connect to the Carbon Black Cloud and pull ThreatHunter notifications from it. This first phase establishes the foundation of the integration and ensures that notifications are properly pulled and ingested into Splunk. A future release will add enhancements such as dashboards and action-oriented capabilities, with additional development work to further expand the integration's capabilities and use cases.

User Guide

Key Concepts for CB ThreatHunter For Splunk

Make sure the event type is configured properly for the App on the Application Configuration page. This will determine if the data is visible in the App.

Modular Input

NOTE: You will need to configure a new modular input for each tenant

  • Navigate to the Application Configuration dashboard to configure the modular input.
  • Click the Create New CB ThreatHunter Input.
  • Fill out the form.
    • Modular Input Name: Name for the data input configuration.
    • Hostname: The hostname of the Carbon Black tenant you have been assigned.
    • Token: The API key retrieved from the CarbonBlack interface.
    • Connector ID: The connector that is used with the API key to pull the notification data.
    • Interval: The number of seconds indicating how often the input will poll for new data. This setting must be at least 120.
    • Index: This sets the index for data to be written to. This setting should be changed from default, which normally writes to the main index, to a specified index for best performance.
    • Proxy Name: Enter the name of the proxy stanza to use with the input.

NOTE: When configuring the modular input through the Application Configuration dashboard, the password is automatically encrypted into the credential store. If you need to change the credential, create a new credential, and reference the realm/connector id pair in the modular input configuration. An encrypted credential is required for this Splunk App.

Indexes

By default all events will be written to the main index. You should change the index in the modular input setup to specify a custom location.

Configure Proxy Support

This App Supports proxy configuration. Configure the proxy first in the Application Configuration dashboard on the Proxy Tab, and then choose it during the modular input configuration.

Troubleshoot CB ThreatHunter For Splunk

  • Check the Monitoring Console (>=v6.5) for errors
  • Visit the Application Health dashboard
  • Search for eventtype=cbthreathunter_api_errors
  • Collect logs and send to support: $SPLUNK_HOME/bin/splunk diag --collect app:cb_psc_for_splunk

Lookups

CB ThreatHunter For Splunk contains no lookup files.

Event Generator

CB ThreatHunter For Splunk makes use of an event generator. This allows the product to display sample data when no inputs are configured. To enable it, visit the Application Configuration page, Eventgen Configuration tab. The following sample files are included:

  • cb_threathunter_notification_policy.json.sample
  • cb_threathunter_notification_summary.json.sample
  • cb_threathunter_notification_threat.json.sample
  • cb_threathunter_new_threat_notification.json.sample
  • cb_threathunter_threat_info.json.sample

Questions and Answers

Access questions and answers specific to CB ThreatHunter For Splunk at https://answers.splunk.com. Be sure to tag your question with the App.