All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

anyone got the CB ThreatHunter app working?

ng87
Path Finder
‎11-18-2019 05:43 AM

Trying to get the CB ThreatHunter app working on my dev instance of Splunk ( 7.3.2 ) with no luck . Sadly the documentation isn't that great and to a certain extent confusing.
For a start anyone know if you need to install all 3 apps ( Technology addon , input addon and the app ) , it seems to me that 2 of these 3 apps have the same config page?
Also once installed and on the config page and trying to create a new config what do the Token and Connector ID relate to ? Is it API key and ID ? If thats the case surely somewhere you have to specify an org ID as the whole Carbon Black PSC service in the cloud .
And i guess a last question , what kind of data is this app suppose to pull down , kind find any mention on what data it gathers and if you can modify it ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aplura_llc_supp
Path Finder
‎11-18-2019 07:55 AM
  1. Only install the TA on indexers, the IA on a HF for data collection, and the App on the Search tier.
  2. The token and connector ID are found in your administrative settings within the Carbon Black Cloud. Also known as Notification API Key and Connector ID
  3. The data is pulled is from the PSC Notifications API. For each notification you configure in CB PSC, you will receive those notifications within Splunk. How would you like to modify the data? in what way?

View solution in original post

Reply
Solved! Jump to solution
Solution

aplura_llc_supp
Path Finder
‎11-18-2019 07:55 AM
  1. Only install the TA on indexers, the IA on a HF for data collection, and the App on the Search tier.
  2. The token and connector ID are found in your administrative settings within the Carbon Black Cloud. Also known as Notification API Key and Connector ID
  3. The data is pulled is from the PSC Notifications API. For each notification you configure in CB PSC, you will receive those notifications within Splunk. How would you like to modify the data? in what way?
Reply
Solved! Jump to solution

ng87
Path Finder
‎11-22-2019 06:16 AM

Hi there, that makes quite a bit more sense especially the part for the Notification API/Connector ID( think i was trying to use a different type of API ) . I will give the above a go on Monday and then update here

0 Karma
Reply
Solved! Jump to solution

ng87
Path Finder
‎11-25-2019 10:13 AM

Ok so deleted the app and installed it again to start fresh ( running a single all in one instance of splunk). So does this config sound right ? ( for Carbon Black PSC )
Hostname : xxxxxx.conferdeploy.net
Token : API Secret Key ( Does it need specific access like API or SIEM ? )
Connector ID : API ID

Does the above seem about right?
Then i'm guessing a Notification has to be set up so specific data can be pulled by the app ?

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-02-2019 07:00 AM

That does seem correct, and yes, you setup a CB PSC notification, and those notifications will be sent to the API and then pulled from Splunk.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...