To configure a Vulnerabilities input for Splunk SIEM, perform the following procedure.

Prerequisites

Configure Built-in Inputs for Splunk SIEM

Procedure

  1. In the Splunk SIEM console, in the Application Configuration menu, click the Vulnerabilities Input tab.
  2. To create a new configuration, click the + in the top-right corner of the page.
  3. Enter a name for the configuration.
  4. Set Minimum Risk to the desired level. The default value is 7.
  5. Select the API token that you configured in Set up Authentication and Authorization for Splunk SIEM.
    Note: Make sure that the Splunk Access Level has the required permissions specified for Vulnerabilities in API Data Inputs.
  6. Select the proxy that you configured in Step 4 of Configure Built-in Inputs for Splunk SIEM. If you are not using a proxy, select None.
  7. Set the Index to the Base Index name from Carbon Black Cloud Base Configuration; for example, carbonblackcloud.
    Note: Do not include index=.
  8. Set the Interval to the desired poll cycle. The default value is 300 seconds.
  9. Optional: Add a query to refine which vulnerabilities are ingested.
    Note: The query uses the same syntax as the Vulnerabilities page in the Carbon Black Cloud console.