To configure a Vulnerabilities input for Splunk SIEM, perform the following procedure.
Procedure
- In the Splunk SIEM console, in the Application Configuration menu, click the Vulnerabilities Input tab.
- To create a new configuration, click the + in the top right corner of the page.
- Enter a name for the configuration.
- Set Minimum Risk to the desired level. The default value is 7.
- Select the API token that you configured in Set up Authentication and Authorization for Splunk SIEM.
Note: Make sure that the Splunk Access Level has the required permissions specified for Vulnerabilities in API Data Inputs.
- Select the proxy that you configured in Step 4 of Configure Built-in Inputs for Splunk SIEM. If you are not using a proxy, select None.
- Set the Index to the Base Index name from Carbon Black Cloud Base Configuration; for example, carbonblackcloud.
Note: Do not include index=.
- Set the Interval to the desired poll cycle. The default value is 300 seconds.
- Optional: Add a query to refine the vulnerabilities that will be ingested.
Note: The query will use the same syntax as the Vulnerabilities page in the Carbon Black Cloud console.