The Carbon Black Cloud app for Splunk SIEM brings visibility from Carbon Black’s endpoint protection capabilities into Splunk for visualization, reporting, detection, and threat hunting use cases. With that much endpoint data available, a SOC has many opportunities to extract value, but it helps to have a few worked examples to get started.

All queries use Splunk eventtypes and sourcetypes that are defined in the Carbon Black Cloud app. Each use case lists additional requirements, including which Carbon Black Cloud products your organization must have enabled and which data sources, alert actions, and custom commands to configure in Splunk.

To determine which products your organization has enabled, in the Carbon Black Cloud console click your username in the upper-right corner of the page. Enabled products show the ENABLED tag.