Configure API Alerts Input for Splunk SIEM

To configure an API Alerts input for Splunk SIEM, perform the following procedure.

Prerequisites

In the Splunk SIEM console, in the Application Configuration menu, click the Alerts Input tab.
To create a new configuration, click the + in the top right corner of the page.
Enter a name for the configuration.
Set Minimum Severity to the desired level. The default value is 4.
Select the Alert type. The default value is All.
Select the API token that you configured in Set up Authentication and Authorization for Splunk SIEM.

Note: Make sure that the Splunk Access Level has the required permissions specified in API Data Inputs.
Select the proxy that you configured in Step 4 of Configure Built-in Inputs for Splunk SIEM. If you are not using a proxy, select None.
Set Lookback to 0 unless you need to retrieve data from previous days. The default value is 7 days.
Set the Index to the Base Index name from Carbon Black Cloud Base Configuration; for example, carbonblackcloud.
Set the Interval to the desired poll cycle. The default value is 300 seconds.
Note:
- If your organization generates a significant amount of alerts, consider using the Data Forwarder option (see Data Forwarder Alerts Input Configuration for Splunk SIEM).
- The query will use the same syntax as the Search bar on the Alerts page in the Carbon Black Cloud console.