You must create a Data Forwarder for the Carbon Black Cloud to stream data externally. The Data Forwarder routes data to an S3 bucket, from which Splunk SIEM ingests it by using the AWS input add-on.
Requirements
- The AWS add-on for Splunk is installed, so that inputs from an AWS source can be configured.
- For each data type, you must have:
  - an AWS S3 bucket
  - an AWS SQS queue
  - a Carbon Black Cloud Data Forwarder
- Before you begin, see Configure Built-in Inputs for Splunk SIEM.
Note:
- You cannot use the same Data Forwarder for multiple data types (alert, event, watchlist hit). Create a separate Data Forwarder for each type of data that you want to forward.
- You can configure more than one Data Forwarder for each data type if you have complex filtering needs.
Create a Data Forwarder for Splunk SIEM
You can create the Data Forwarder through the Carbon Black Cloud console under Settings > Data Forwarders (see Data Forwarders), or by using the Carbon Black Cloud Data Forwarder API.
Tip: To reduce costs, configure your Data Forwarder with filters to limit the amount of data that is forwarded to Splunk.
Next Step: Configure AWS Add-On for Splunk SIEM