Enterprise EDR App for Splunk 1.0.0 Released

Posted on January 29, 2019

The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for Enterprise EDR. The app has been published to Splunk’s application exchange, SplunkBase and is available for download now on Splunkbase under CB Response App for Splunk.

The Enterprise EDR App for Splunk allows a Splunk Administrator to connect to and pull Enterprise EDR notifications from the Carbon Black Cloud. This is the first phase and establishes the foundation of the integration to ensure notifications are properly pulled and ingested into Splunk. In a future release, additional enhancements such as dashboards and action oriented capabilities will be added with additional development work to further expand on the integration capabilities and uses cases.

User Guide

Key Concepts for Enterprise EDR For Splunk

Make sure the event type is configured properly for the App on the Application Configuration page. This will determine if the data is visible in the App.

Modular Input

NOTE: You will need to configure a new modular input for each tenant

  • Navigate to the Application Configuration dashboard to configure the modular input.
  • Click the Create New Enterprise EDR Input.
  • Fill out the form.
    • Modular Input Name: Name for the data input configuration.
    • Hostname: The hostname of CarbonBlack tenant you have been assigned.
    • Token: The API key retrieved from the CarbonBlack interface.
    • Connector ID: The connector that is used with the API key to pull the notification data.
    • Interval: The number of seconds indicate how often the input will poll for new data. This setting must be at least 120.
    • Index: This sets the index for data to be written to. This setting should be changed from default, which normally writes to the main index, to a specified index for best performance.
    • Proxy Name: Enter the name of the proxy stanza to use with the input.

NOTE: When configuring the modular input through the Application Configuration dashboard, the password is automatically encrypted into the credential store. If you need to change the credential, create a new credential, and reference the realm/connector id pair in the modular input configuration. An encrypted credential is required for this Splunk App.

Indexes

By default all events will be written to the main index. You should change the index in the modular input setup to specify a custom location.

Configure Proxy Support

This App Supports proxy configuration. Configure the proxy first in the Application Configuration dashboard on the Proxy Tab, and then choose it during the modular input configuration.

Troubleshoot Enterprise EDR For Splunk
  • Check the Monitoring Console (>=v6.5) for errors
  • Visit the Application Health dashboard
  • Search for eventtype=cbthreathunter_api_errors
  • Collect logs and send to support: $SPLUNK_HOME/bin/splunk diag –collect app:cb_psc_for_splunk
Lookups

Enterprise EDR For Splunk contains no lookup files.

Event Generator

Enterprise EDR For Splunk does make use of an event generator. This allows the product to display data, when there are no inputs configured. To enable them, visit the Application Configuration page, Eventgen Configuration tab.

  • cb_threathunter_notification_policy.json.sample
  • cb_threathunter_notification_summary.json.sample
  • cb_threathunter_notification_threat.json.sample
  • cb_threathunter_new_threat_notification.json.sample
  • cb_threathunter_threat_info.json.sample

Questions and Answers

Access questions and answers specific to Enterprise EDR For Splunk at https://answers.splunk.com . Be sure to tag your question with the App.