For built-in data inputs, alert actions, and commands, create an API Key with the correct permissions in the Carbon Black Cloud and then configure Splunk to use that key.

Prerequisites

See Setting up API Access.

Procedure

  1. Identify the built-in data inputs, alert actions, and commands that you will use.
  2. Identify the required RBAC permissions (see Splunk SIEM Access Levels and Permissions).
    Note: All inputs and actions use an Access Level of type custom, so only one API key is required. For multi-tenancy configurations, this is one API Key per org.
  3. If Identity is managed by using Carbon Black Cloud, generate API keys (see Setting up API Access).
    1. Create a Custom Access Level with the permissions required for the Inputs and Actions you want to use.
    2. Create one API key with Access Level set to Custom, and then select the Access Level you created in Step 3a.
    3. Make a note of your organization’s Org Key from the top of the API Keys table.
  4. If Identity is managed by using VMware Cloud Services Platform, create OAuth Apps. See Authenticating Your Applications with OAuth 2.0 in the VMware Carbon Black Cloud on VMware Cloud Services Platform User Guide.

    Use the App Id in the API Id field, and App Secret in the API Key field.

    1. Create a Custom Role with the permissions required for the Inputs and Actions that you will use.
    2. Create one OAuth App using the Custom Role you created in Step 4a.
    3. Go to Settings > General and make a note of your Org Key.
  5. In Splunk SIEM, open the Carbon Black Cloud App and go to the Administration > Application Configuration menu.
    1. Create a new API configuration by clicking the + in the top right corner of the API Token Configuration tab.
    2. Enter a meaningful API Name and Organization Name. You will use these values to configure built-in inputs and actions.
    3. Enter the field values you saved from Steps 3 or 4. These are:
      • API ID or OAuth App ID
      • API Secret Key or OAuth App Secret
      • Org Key
    4. Set the Carbon Black Cloud Environment to be the hostname of the Carbon Black Cloud console to which your organization is provisioned; for example, defense.conferdeploy.net.
    5. Repeat Steps 5b through 5d for each API key you created in Steps 3 or 4.
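A pre-flight check for the values collected in Steps 3 through 5, written for this page as an added example; it is not part of the Carbon Black Cloud App. It normalizes a pasted console URL to the bare hostname the Environment field expects (the page's example, defense.conferdeploy.net), flags empty fields and duplicate API Names across per-org configurations, and builds the request header for a smoke test of a custom API key; the `X-Auth-Token: <secret>/<id>` header format is assumed from the Carbon Black Cloud API convention and is not stated on this page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


@dataclass(frozen=True)
class CbcApiConfig:
    api_name: str     # API Name (Step 5b): how inputs and actions reference this key
    org_name: str     # Organization Name (Step 5b)
    api_id: str       # API ID or OAuth App ID (Step 5c)
    api_secret: str   # API Secret Key or OAuth App Secret (Step 5c)
    org_key: str      # Org Key (Step 3c or 4c)
    environment: str  # Carbon Black Cloud Environment, a bare hostname (Step 5d)


def normalize_environment(value: str) -> str:
    """Reduce 'https://defense.conferdeploy.net/' (a pasted console URL) to
    'defense.conferdeploy.net'; reject anything that is not a hostname."""
    v = value.strip()
    if "://" not in v:
        v = "//" + v  # lets urlsplit treat a bare hostname as the netloc
    host = urlsplit(v).hostname or ""
    if not HOST_RE.match(host):
        raise ValueError(f"not a console hostname: {value!r}")
    return host


def validate_configs(configs: list[CbcApiConfig]) -> list[str]:
    """Problems found across a set of per-org configurations (one API key per
    org for multi-tenancy); an empty list means the values are ready to enter."""
    problems: list[str] = []
    seen_names: set[str] = set()
    for c in configs:
        label = c.api_name.strip() or "<unnamed>"
        for field in ("api_name", "org_name", "api_id", "api_secret", "org_key"):
            if not getattr(c, field).strip():
                problems.append(f"{label}: {field} is empty")
        try:
            normalize_environment(c.environment)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
        if c.api_name in seen_names:  # duplicate names make inputs ambiguous
            problems.append(f"{label}: duplicate API Name")
        seen_names.add(c.api_name)
    return problems


def auth_header(c: CbcApiConfig) -> dict[str, str]:
    """Header for a smoke test of a custom API key (Step 3) against
    https://<environment>/; format is an assumption, not from this page."""
    return {"X-Auth-Token": f"{c.api_secret}/{c.api_id}"}
```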