Posted on January 29, 2019
The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for CB ThreatHunter. The app has been published to Splunk’s application exchange, SplunkBase and is available for download now from Splunkbase.
The CB ThreatHunter App for Splunk allows a Splunk Administrator to connect to and pull ThreatHunter notifications from the CB PSC. This is the first phase and establishes the foundation of the integration to ensure notifications are properly pulled and ingested into Splunk. In a future release, additional enhancements such as dashboards and action oriented capabilities will be added with additional development work to further expand on the integration capabilities and uses cases.
Make sure the event type is configured properly for the App on the Application Configuration page. This will determine if the data is visible in the App.
NOTE: You will need to configure a new modular input for each tenant
NOTE: When configuring the modular input through the Application Configuration dashboard, the password is automatically encrypted into the credential store. If you need to change the credential, create a new credential, and reference the realm/connector id pair in the modular input configuration. An encrypted credential is required for this Splunk App.
By default all events will be written to the main index. You should change the index in the modular input setup to specify a custom location.
This App Supports proxy configuration. Configure the proxy first in the Application Configuration dashboard on the Proxy Tab, and then choose it during the modular input configuration.
CB ThreatHunter For Splunk contains no lookup files.
CB ThreatHunter For Splunk does make use of an event generator. This allows the product to display data, when there are no inputs configured. To enable them, visit the Application Configuration page, Eventgen Configuration tab.
Access questions and answers specific to CB ThreatHunter For Splunk at https://answers.splunk.com . Be sure to tag your question with the App.