This section describes Alert Actions for the Carbon Black Cloud App for Splunk SIEM.

You can configure the global Alert Actions settings on the Alert Actions tab under Administration > Application Configuration.

You need one API Token per Action per organization. All APIs use the Access Level Type (Credential Type) of Custom. See Alert Actions and Adaptive Responses for details about the permissions required for each Alert Action.

If you use multi-tenancy, include the org_key field together with the corresponding value in the Splunk SIEM search query.

By default, when a new alert is created in Splunk SIEM, the action.vmware-list-process.param.tenant = <api_config guid> parameter is added to the savedsearches.conf file in the Carbon Black Cloud app’s local directory. If you change credentials for an Alert Action in the Application Configuration dashboard, you must also change all previously created alerts that were using the previous credential. After you update the credentials, delete the action.vmware-list-process.param.tenant = <api_config guid> parameter from the savedsearches.conf file for the appropriate saved search, and then restart Splunk.
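The cleanup step above can be checked with a script before you edit the file by hand. The following is an added example, not code from the Carbon Black Cloud app or its documentation: it lists the saved searches in savedsearches.conf text that still pin the replaced api_config GUID and returns a copy with those parameter lines removed. The stanza names, searches, org_key values and GUIDs in the sample are constructed.

```python
import re

# Parameter named in the text above; its value is an api_config GUID.
TENANT_KEY = "action.vmware-list-process.param.tenant"
STANZA_RE = re.compile(r"^\[(.+)\]$")

def _pinned_lines(conf_text, old_guid):
    """Yield (line_index, saved_search_name) for tenant lines set to old_guid."""
    stanza, continued = None, False
    for i, line in enumerate(conf_text.splitlines()):
        stripped = line.strip()
        # A trailing backslash continues a value (e.g. a long search) onto the
        # next line, so that next line is never parsed as a key.
        was_continuation, continued = continued, stripped.endswith("\\")
        if was_continuation or not stripped or stripped.startswith("#"):
            continue
        header = STANZA_RE.match(stripped)
        if header:
            stanza = header.group(1)
            continue
        key, sep, value = stripped.partition("=")
        if sep and key.strip() == TENANT_KEY and value.strip() == old_guid:
            yield i, stanza

def find_pinned(conf_text, old_guid):
    """Names of saved searches still pinned to the replaced credential."""
    return [name for _, name in _pinned_lines(conf_text, old_guid)]

def strip_pinned(conf_text, old_guid):
    """Copy of conf_text without the tenant lines that reference old_guid."""
    drop = {i for i, _ in _pinned_lines(conf_text, old_guid)}
    kept = [l for i, l in enumerate(conf_text.splitlines()) if i not in drop]
    return "\n".join(kept) + "\n"

# Constructed sample: stanza names, searches, org_key values and GUIDs are invented.
OLD_GUID = "11111111-aaaa-4bbb-8ccc-000000000001"
SAMPLE = """\
[CBC - list processes on alert]
search = index=main org_key=EXAMPLEORG1 \\
  | table device_name
action.vmware-list-process = 1
action.vmware-list-process.param.tenant = 11111111-aaaa-4bbb-8ccc-000000000001

[CBC - second org]
search = index=main org_key=EXAMPLEORG2
action.vmware-list-process = 1
action.vmware-list-process.param.tenant = 22222222-aaaa-4bbb-8ccc-000000000002
"""

if __name__ == "__main__":
    print("Pinned to old credential:", find_pinned(SAMPLE, OLD_GUID))
    print(strip_pinned(SAMPLE, OLD_GUID), end="")
```

Run it against a copy of the file from the app's local directory, review the result, and restart Splunk after applying the change.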

The Carbon Black Cloud app includes the Alert Actions described in the following topics.