The Carbon Black Cloud App offers two methods to ingest data into Splunk. Each method supports a different subset of the Carbon Black Cloud data, so the data types you need determine which method (or both) to configure.

Built-in Input
Use the Carbon Black Cloud App (or the Input Add-on running on a Heavy Forwarder), which pulls data into Splunk SIEM through the Carbon Black Cloud REST APIs.
Supported data
  • Alerts
  • Audit logs
  • Auth Events
  • Live Query results
  • Vulnerabilities
  • Asset Inventory Input (includes USB Devices)
Data Forwarder
Streams data into an AWS S3 bucket at scale. The AWS add-on for Splunk then pulls the data from the S3 bucket into Splunk SIEM.
Supported data
  • Alerts (recommended for organizations that have high volumes)
  • Endpoint.Events
  • Watchlist.Hit