The Carbon Black Cloud App offers two methods to ingest data. Each method supports a subset of the Carbon Black Cloud data.

Built-in Input

Use the Carbon Black Cloud App (or Input Add-on via a Heavy Forwarder), which leverages Carbon Black Cloud REST APIs to pull data into Splunk SIEM.

Supported data

• Alerts
• Audit logs
• Auth Events
• Live Query results
• Vulnerabilities
• Asset Inventory Input; includes USB Devices

Data Forwarder

Streams data into an AWS S3 bucket at scale

Uses the AWS add-on for Splunk to pull the data from AWS S3 into Splunk SIEM

Supported data

• Alerts (recommended for organizations that have high volumes)
• Endpoint.Events
• Watchlist.Hit