To configure an Audit Logs input for Splunk SIEM, perform the following procedure.

Prerequisites

Configure Built-in Inputs for Splunk SIEM

Procedure

  1. In the Splunk SIEM console, in the Application Configuration menu, click the Audit Log Inputs tab.
  2. To create a new configuration, click the + in the top right corner of the page.
  3. Enter a name for the configuration.
  4. Select the API token that you configured in Set up Authentication and Authorization for Splunk SIEM.
    Note: Make sure that the Splunk Access Level includes the permissions that API Data Inputs specifies for the Audit Logs API.
  5. Select the proxy that you configured in Step 4 of Configure Built-in Inputs for Splunk SIEM. If you are not using a proxy, select None.
  6. Set the Index to the Base Index name from Carbon Black Cloud Base Configuration; for example, carbonblackcloud.
    Note: Do not include index=.
  7. Set the Interval to the desired poll cycle. The default value is 300 seconds.