In Splunk SIEM, Carbon Black Cloud is configured from the Application Configuration menu option under the Administration menu.
VMware Base Configuration
The options configured on the VMware Base Configuration tab will update settings in local/eventtypes.conf.
| Setting | Description |
|---|---|
| Base Index | Specifies where the Carbon Black Cloud data is indexed and searched. This is required on the searching tier. |
| Action Index | Specifies where Outputs generated from alert actions are stored and searched. This is required on the searching tier. |
| Data model acceleration | Enables acceleration for the VMware_CBC data model for quicker pivot searches. |
| Use data model summaries only | Enables the dashboards to use summary information from he VMware_CBC data model accelerations for quicker load times. |
API Configurations
Use the API Configuration tab to configure access to Carbon Black Cloud. The application supports multiple API configurations to enable data from multiple Carbon Black Cloud organizations to be ingested.
To set up Carbon Black Cloud API Access keys, see Carbon Black Cloud API Access.
Alert Actions
Custom Commands
See Carbon Black Cloud Custom Commands for Splunk SIEM for configuration details and usage examples.
Modifying any configurations in /default causes your changes to be overwritten when the app is upgraded. If such modifications are required or directed to by Support, create the appropriate configuration files in /local and include the stanza attributes that are being changed.
Data Forwarder
You can optionally set up a Data Forwarder to get alerts, watchlist hits, and endpoint events from Carbon Black Cloud to Splunk SIEM by using AWS S3 and SQS.
See Data Forwarder Setup.
Data Model
Carbon Black Cloud includes a datamodel: VMWare_CBC. The VMWare_CBC data model is a clone of the Alert and Endpoint data models from the Splunk CIM. This data model is not accelerated by default; however, accelerating this data model will improve dashboard performance.
The data model acceleration setting can be changed in the Carbon Black Cloud app under Administration > Application Configuration. Check the setting Acceleration Enabled on the main tab. Make sure that the event types and macros for the app are configured prior to acceleration.
