About the Splunk Add-on for Carbon Black
| Vendor Product(s) | Carbon Black Response 4.2+, Carbon Black Response 6.3.1 |
The Splunk Add-on for Carbon Black allows a Splunk platform administrator to collect notifications and event data in JSON format from Carbon Black Response servers over a pub/sub bus. The add-on collects watchlist hit, feed hit, new binary instance, and binary file upload complete notifications, as well as raw endpoint events. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.
This add-on consumes Carbon Black event data from a JSON file. To get the Carbon Black event data into JSON format, you must download and run a utility from Carbon Black.
Starting in version 1.1.0, the Splunk Add-on for Bit9 Carbon Black has been renamed to the Splunk Add-on for Carbon Black.
Download the Splunk Add-on for Carbon Black from Splunkbase at http://splunkbase.splunk.com/app/2790.
Discuss the Splunk Add-on for Carbon Black on Splunk Answers at http://answers.splunk.com/answers/app/2790.
This documentation applies to the following versions of Splunk® Supported Add-ons: released