Trying to get the CB ThreatHunter app working on my dev instance of Splunk (7.3.2) with no luck. Sadly the documentation isn't that great and is to a certain extent confusing.
For a start, does anyone know if you need to install all 3 apps (technology add-on, input add-on and the app)? It seems to me that 2 of these 3 apps have the same config page.
Also, once installed and on the config page, when trying to create a new config, what do the Token and Connector ID relate to? Are they the API key and ID? If that's the case, surely somewhere you have to specify an org ID, as the whole Carbon Black PSC service is in the cloud.
And I guess a last question: what kind of data is this app supposed to pull down? I can't find any mention of what data it gathers and whether you can modify it.
Hi there, that makes quite a bit more sense, especially the part about the Notification API/Connector ID (I think I was trying to use a different type of API). I will give the above a go on Monday and then update here.
OK, so I deleted the app and installed it again to start fresh (running a single all-in-one instance of Splunk). So does this config sound right? (for Carbon Black PSC)
Hostname: xxxxxx.conferdeploy.net
Token: API Secret Key (does it need specific access like API or SIEM?)
Connector ID: API ID
Does the above seem about right?
Then I'm guessing a Notification has to be set up so specific data can be pulled by the app?
That does seem correct, and yes, you set up a CB PSC notification, and those notifications will be sent to the API and then pulled from Splunk.
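As an added example (not code from this thread or from the CB ThreatHunter app), the snippet below shows how the three config values above combine into a single poll request and what a pulled notification looks like once flattened for Splunk. The X-Auth-Token format, the /integrationServices/v3/notification path and the notification field names are assumptions taken from the CB Defense (PSC) v3 API, not anything stated in the thread; the sample response is constructed.

```python
import json

# Assumption (not from the thread): CB Defense/PSC v3 notification endpoint.
NOTIFICATION_PATH = "/integrationServices/v3/notification"

def build_request(hostname: str, token: str, connector_id: str) -> dict:
    """Assemble the poll request from the three config values in the thread.

    Assumption: the API Secret Key (Token) and API ID (Connector ID) travel in
    one X-Auth-Token header as '<secret>/<id>'. No org ID is sent separately;
    the tenant hostname (*.conferdeploy.net) selects the org.
    """
    if "/" in token or "/" in connector_id:
        raise ValueError("secret key and connector ID must not contain '/'")
    return {
        "method": "GET",
        "url": f"https://{hostname}{NOTIFICATION_PATH}",
        "headers": {"X-Auth-Token": f"{token}/{connector_id}"},
    }

def flatten_notification(notif: dict) -> dict:
    """Flatten one notification to a single level (e.g. deviceInfo.deviceName)
    so Splunk can extract fields; unknown keys are kept rather than dropped."""
    event = {}
    for key, value in notif.items():
        if isinstance(value, dict):
            for sub_key, sub_value in value.items():
                event[f"{key}.{sub_key}"] = sub_value
        else:
            event[key] = value
    return event

def poll_events(raw_body: str) -> list:
    """Parse a raw response body into flattened events; empty list on failure."""
    body = json.loads(raw_body)
    if not body.get("success"):
        return []
    return [flatten_notification(n) for n in body.get("notifications", [])]

# Constructed sample response; field names assumed from the v3 notification schema.
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "notifications": [{
        "type": "THREAT",
        "eventTime": 1573000000000,
        "deviceInfo": {"deviceName": "WKS-01", "internalIpAddress": "10.0.0.5"},
        "threatInfo": {"score": 7, "summary": "suspicious process"},
    }],
})
```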