- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- anyone got the CB ThreatHunter app working?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trying to get the CB ThreatHunter app working on my dev instance of Splunk ( 7.3.2 ) with no luck . Sadly the documentation isn't that great and to a certain extent confusing.
For a start anyone know if you need to install all 3 apps ( Technology addon , input addon and the app ) , it seems to me that 2 of these 3 apps have the same config page?
Also once installed and on the config page and trying to create a new config what do the Token and Connector ID relate to ? Is it API key and ID ? If thats the case surely somewhere you have to specify an org ID as the whole Carbon Black PSC service in the cloud .
And i guess a last question , what kind of data is this app suppose to pull down , kind find any mention on what data it gathers and if you can modify it ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Only install the TA on indexers, the IA on a HF for data collection, and the App on the Search tier.
- The token and connector ID are found in your administrative settings within the Carbon Black Cloud. Also known as Notification API Key and Connector ID
- The data is pulled is from the PSC Notifications API. For each notification you configure in CB PSC, you will receive those notifications within Splunk. How would you like to modify the data? in what way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Only install the TA on indexers, the IA on a HF for data collection, and the App on the Search tier.
- The token and connector ID are found in your administrative settings within the Carbon Black Cloud. Also known as Notification API Key and Connector ID
- The data is pulled is from the PSC Notifications API. For each notification you configure in CB PSC, you will receive those notifications within Splunk. How would you like to modify the data? in what way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there, that makes quite a bit more sense especially the part for the Notification API/Connector ID( think i was trying to use a different type of API ) . I will give the above a go on Monday and then update here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok so deleted the app and installed it again to start fresh ( running a single all in one instance of splunk). So does this config sound right ? ( for Carbon Black PSC )
Hostname : xxxxxx.conferdeploy.net
Token : API Secret Key ( Does it need specific access like API or SIEM ? )
Connector ID : API ID
Does the above seem about right?
Then i'm guessing a Notification has to be set up so specific data can be pulled by the app ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That does seem correct, and yes, you setup a CB PSC notification, and those notifications will be sent to the API and then pulled from Splunk.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
