The Splunk App for Splunk SOAR pulls event data from Splunk Enterprise. Artifacts pulled in from Splunk Enterprise have all the Carbon Black Cloud alert data packed into a single value without the necessary field mappings, so you must establish the mappings post-installation.
This method of data ingestion supports alerts and SOAR Actions.
Procedure
- Open the Splunk SOAR console.
- In the left navigation bar, click Apps.
- On the New Apps menu, locate Splunk and click Install.
- Go to Unconfigured Apps and confirm that Splunk is present in the section.
- For configuration instructions, see the README in the project documentation.
Note:
- Set the Command for query to use with On Poll setting to search.
- Set the Query to use with On Poll setting to index="*carbonblackcloud". Replace carbonblackcloud if a non-default index is configured in Splunk Enterprise to store Carbon Black Cloud events.
- If you are using Splunk Enterprise App version 2.11.0+, use token authentication rather than password authentication for increased security. Follow the steps in the Splunk documentation to generate an API token.
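The post-installation mapping described at the top of this page can be performed in a Splunk SOAR playbook that unpacks the single packed value into proper CEF fields before any downstream action runs. The Python below is an added example, not code from this page or from the Carbon Black or Splunk projects. It assumes (an assumption, not something the page states) that the packed alert arrives as a JSON string in a CEF field named _raw, and the Carbon Black Cloud key names, CEF target names and severity thresholds it uses are illustrative; adjust them to the fields your own artifacts actually carry.

```python
import json

# Constructed sample artifact, shaped like one created by the Splunk app's
# On Poll ingestion. The whole Carbon Black Cloud alert sits in one string
# field ("_raw" here, an assumed name) instead of in mapped CEF fields.
SAMPLE_ARTIFACT = {
    "name": "Splunk Log Entry",
    "label": "event",
    "cef": {
        "_raw": json.dumps({
            "id": "alert-0001",
            "severity": 7,
            "device_name": "WS-EXAMPLE-01",
            "device_external_ip": "203.0.113.10",
            "threat_cause_actor_sha256": "0" * 64,
            "reason": "Constructed sample alert",
        }),
        "sourcetype": "carbonblack:cloud:alert",
    },
}

# Alert key -> CEF field name. Both sides are illustrative assumptions;
# the CEF names follow the common Splunk SOAR field vocabulary.
FIELD_MAP = {
    "id": "externalId",
    "device_name": "deviceHostname",
    "device_external_ip": "deviceAddress",
    "threat_cause_actor_sha256": "fileHash",
    "reason": "message",
}


def severity_label(score):
    """Map a Carbon Black Cloud 1-10 severity score to a SOAR severity label.
    Thresholds are an assumption; unknown or non-numeric scores fall back to medium."""
    try:
        score = int(score)
    except (TypeError, ValueError):
        return "medium"
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def unpack_cbc_artifact(artifact, field_map=FIELD_MAP, raw_field="_raw"):
    """Return a copy of the artifact with the packed alert expanded into CEF fields.

    The input artifact is not modified. Malformed input (missing field, invalid
    JSON, non-object JSON) raises ValueError so the playbook can fail visibly
    instead of acting on half-mapped data.
    """
    cef = artifact.get("cef", {})
    raw = cef.get(raw_field)
    if not isinstance(raw, str):
        raise ValueError(f"artifact has no string {raw_field!r} field to unpack")
    try:
        alert = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{raw_field!r} is not valid JSON: {exc}") from exc
    if not isinstance(alert, dict):
        raise ValueError(f"{raw_field!r} did not decode to a JSON object")

    mapped = dict(cef)  # keep every original field alongside the mapped ones
    for src, dst in field_map.items():
        value = alert.get(src)
        if value not in (None, ""):
            mapped[dst] = value

    unpacked = dict(artifact)
    unpacked["cef"] = mapped
    unpacked["severity"] = severity_label(alert.get("severity"))
    return unpacked


if __name__ == "__main__":
    print(json.dumps(unpack_cbc_artifact(SAMPLE_ARTIFACT), indent=2))
```

In a playbook, run the unpack over each container artifact before the blocks that read deviceAddress or fileHash, and let the ValueError surface as a playbook failure rather than swallowing it; a silently unmapped artifact would let later actions run with empty inputs.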