Posted on January 29, 2019
The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for Enterprise EDR. The app has been published to Splunk’s application exchange, Splunkbase, and is available for download now under CB Response App for Splunk.
The Enterprise EDR App for Splunk allows a Splunk administrator to connect to the Carbon Black Cloud and pull Enterprise EDR notifications from it. This first phase establishes the foundation of the integration and ensures that notifications are pulled and ingested into Splunk correctly. Future releases will add enhancements such as dashboards and action-oriented capabilities, expanding the integration's capabilities and use cases.
Make sure the event type is configured correctly for the App on the Application Configuration page: this setting determines whether the ingested data is visible in the App.
NOTE: You will need to configure a separate modular input for each tenant.
NOTE: When configuring the modular input through the Application Configuration dashboard, the password is automatically encrypted into the credential store. If you need to change the credential, create a new one and reference its realm/connector ID pair in the modular input configuration. This Splunk App requires an encrypted credential; do not place the secret directly in the input configuration.
By default all events are written to the main index. Change the index in the modular input setup to a dedicated index so that EDR notifications can be given their own retention and access controls.
This App supports proxy configuration. Configure the proxy first on the Proxy tab of the Application Configuration dashboard, then select it during the modular input configuration.
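To make the setup steps above concrete, here is one poll-and-emit cycle of the kind a notification modular input runs: authenticate with the connector ID and secret (which the real App reads from the encrypted credential store rather than from a stanza), optionally route the request through a proxy, select an index, and wrap each notification in Splunk's modular-input streaming XML. This is an added example, not the App's own code. The endpoint path, the layout of the X-Auth-Token header, the notification JSON shape, the tenant base URL and the sourcetype name are assumptions, and SAMPLE_RESPONSE is constructed; the event-type setting is modelled here simply as the set of notification types to forward.

```python
"""One poll-and-emit cycle for Carbon Black Cloud notifications (added example).

Assumptions not taken from the page: the notification endpoint path, the
X-Auth-Token layout (secret/connector id), the notification JSON shape in the
constructed SAMPLE_RESPONSE, and the sourcetype name.
"""
import json
import urllib.request
from xml.etree import ElementTree as ET

# Assumed endpoint path for the notifications API.
NOTIFICATION_PATH = "/integrationServices/v3/notification"

# Constructed sample response approximating a notifications payload.
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "message": "Success",
    "notifications": [
        {
            "eventTime": 1548795512000,  # epoch milliseconds
            "type": "THREAT",
            "ruleName": "Critical Alerts",
            "eventDescription": "Suspicious PowerShell execution",
            "threatInfo": {"incidentId": "ABCD1234", "score": 8,
                           "summary": "powershell.exe encoded command"},
            "deviceInfo": {"deviceId": 42, "deviceName": "WS-FINANCE-07",
                           "internalIpAddress": "10.1.5.23"},
        },
        {
            "eventTime": 1548795600000,
            "type": "POLICY_ACTION",
            "ruleName": "Policy Denials",
            "eventDescription": "Process terminated by policy",
            "deviceInfo": {"deviceId": 43, "deviceName": "WS-HR-02",
                           "internalIpAddress": "10.1.6.40"},
        },
    ],
}).encode()


def build_opener(proxy_url=None):
    """Build a urllib opener; a proxy_url corresponds to the App's Proxy tab setting."""
    handlers = []
    if proxy_url:
        handlers.append(urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))
    return urllib.request.build_opener(*handlers)


def auth_headers(connector_id, api_secret):
    """Assumed header layout: the secret and the connector id joined with '/'."""
    return {"X-Auth-Token": f"{api_secret}/{connector_id}",
            "Content-Type": "application/json"}


def fetch_notifications(base_url, connector_id, api_secret, opener, fetch=None):
    """Poll the tenant once; `fetch` is an injection point so the cycle runs offline."""
    req = urllib.request.Request(base_url.rstrip("/") + NOTIFICATION_PATH,
                                 headers=auth_headers(connector_id, api_secret))
    raw = fetch(req) if fetch else opener.open(req, timeout=30).read()
    payload = json.loads(raw)
    if not payload.get("success"):
        raise RuntimeError(f"notification poll failed: {payload.get('message')}")
    return payload.get("notifications", [])


def to_modinput_xml(notifications, stanza, index, sourcetype, event_types):
    """Emit Splunk modular-input streaming XML, forwarding only the selected types."""
    stream = ET.Element("stream")
    for n in notifications:
        if n.get("type") not in event_types:
            continue
        ev = ET.SubElement(stream, "event", stanza=stanza)
        # Splunk expects epoch seconds; the payload carries milliseconds.
        ET.SubElement(ev, "time").text = f"{n['eventTime'] / 1000:.3f}"
        ET.SubElement(ev, "index").text = index
        ET.SubElement(ev, "sourcetype").text = sourcetype
        ET.SubElement(ev, "data").text = json.dumps(n, sort_keys=True)
    return ET.tostring(stream, encoding="unicode")


def poll_once(base_url, connector_id, api_secret, index, proxy_url=None, fetch=None,
              event_types=("THREAT", "POLICY_ACTION"), stanza="cbc_notifications://tenant-a"):
    """Run one cycle for a single tenant (one input per tenant, as the note above requires)."""
    opener = build_opener(proxy_url)
    notes = fetch_notifications(base_url, connector_id, api_secret, opener, fetch=fetch)
    return to_modinput_xml(notes, stanza, index, "carbonblack:notification", set(event_types))


if __name__ == "__main__":
    # Offline run against the constructed sample; a real run would omit `fetch`.
    print(poll_once("https://defense.example.net", "CONNECTORID", "SECRET", "cbc",
                    proxy_url="http://proxy.example.net:3128",
                    fetch=lambda req: SAMPLE_RESPONSE))
```

Two details matter operationally: the time element is converted from milliseconds to seconds so that the notification's own timestamp, not the poll time, becomes _time, and the index is set per event so a custom index chosen in the input setup takes effect without touching the main index.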
Enterprise EDR For Splunk contains no lookup files.
Enterprise EDR For Splunk does include an event generator, which lets the App display sample data when no inputs are configured. To enable it, visit the Eventgen Configuration tab on the Application Configuration page; disable it once real inputs are configured so that generated sample events are not mixed with production data.
Access questions and answers specific to Enterprise EDR For Splunk at https://answers.splunk.com. Be sure to tag your question with the App.