All Splunk SIEM built-in inputs and actions require an API Key with an Access Level of type CUSTOM. The following tables indicate the permissions that are required.

Note: Previous Splunk SIEM app versions used Access Levels LIVE_RESPONSE and API.

API Data Inputs

| Input | Description | Permissions | Data Schema |
|---|---|---|---|
| Alerts | Alerts indicate suspicious behavior and known threats in your environment. Use the Data Forwarder option instead when you have a high volume or significant bursts of activity; the Data Forwarder provides higher scalability. See Data Forwarder Alerts Input Configuration for Splunk SIEM. | orgs.alerts (Read) | Alert Schema |
| Asset Inventory | Assets monitored by Carbon Black Cloud, including Endpoints and USB Devices, to provide more context about the device within Splunk SIEM. | device (Read); group-management (Read); external-device.manage (Read) | Device Scroll Response Schema |
| Auth Events | The Auth Events API provides visibility into authentication events that occur on Windows endpoints. | org.search.events (Read, Create) | Auth Event Schema |
| Live Query Results | Live Query Run and Result data. Requires Carbon Black Cloud Audit and Remediation. | livequery.manage (Read) | Live Query Result Schema |
| Vulnerabilities | Vulnerability assessment data, including identified CVEs, metadata, and impacted assets. Requires Carbon Black Cloud Workload. | vulnerabilityAssessment.data (Read) | Vulnerability Schema |
| Audit Logs | Carbon Black Cloud Audit Logs; for example, when a user signs in or updates a policy. Note: previous versions of the Audit Logs input used Access Levels LIVE_RESPONSE or API. | org.audits (Read) | Audit Log Schema |

Alert Actions and Adaptive Responses

| Alert Action | Description | Permission |
|---|---|---|
| Add IOCs to a Watchlist | Adds the specified IOC(s) to a specified report in a watchlist. Requires Carbon Black Cloud Enterprise EDR. | orgs.watchlist (Create, Read, Update) |
| Ban Hash | Prevents a SHA-256 hash from being executed in Carbon Black Cloud. | org.reputations (Create) |
| Close Alert * | Closes the specified alert in Carbon Black Cloud. | org.alerts (Read); org.alerts.close (Execute) |
| Enrich Alert Observations | Searches and ingests the Observations that are associated with the alert. Intended for use with the “Enrich CB Alert Observations” Splunk Alert. | org.search.events (Create, Read) |
| Enrich CB Analytic Events | Searches and ingests the Enriched Events that are associated with the CB Analytics alert. Intended for use with the “CB Analytics - Ingest Enriched Events” Splunk Alert. Requires Carbon Black Cloud Endpoint Standard. Note: deprecated, with a deactivation date of 31 July 2024. | |
| Get File Metadata | Retrieves file metadata, such as the number of devices the hash was observed on, for the specified SHA-256 file hash. Requires Carbon Black Cloud Enterprise EDR. | ubs.org.sha256 (Read) |
| Kill Process * | Remotely kills a process on the devices specified in the search. | device (Read); org.liveresponse.session (Create, Read, Delete); org.liveresponse.process (Read, Delete) |
| List Processes * | Remotely lists processes on the specified device. Example: if an Analytics alert did not terminate the process, identify whether the suspicious process is still running on the device. | device (Read); org.liveresponse.session (Create, Read, Delete); org.liveresponse.process (Read) |
| Process GUID Details | Fetches the most up-to-date, detailed metadata associated with the specified process GUID. Example: learn more about the process that triggered a Watchlist alert, such as the parent and the process command line. | org.search.events (Read, Execute) |
| Quarantine Device | Quarantines the specified device and prevents suspicious activity and malware from affecting the rest of your network. The device can only communicate with Carbon Black Cloud until the quarantine is lifted. | device (Read); device.quarantine (Execute) |
| Remove IOCs from a Watchlist | Removes IOCs from a report in a watchlist. Requires Carbon Black Cloud Enterprise EDR. | orgs.watchlist (Read, Update, Delete) |
| Run Livequery | Creates a new Live Query Run. Example: automatically get the logged-in users on an endpoint after a credential scraping alert. Requires Carbon Black Cloud Audit and Remediation. | device (Read); livequery.manage (Create, Read) |
| Unquarantine Device(s) | Removes the specified device(s) from the quarantined state, allowing them to communicate normally on the network. | device (Read); device.quarantine (Execute) |
| Update Device Policy | Updates the policy associated with the specified device. Example: move a device to a more restrictive policy during an incident investigation. | device (Read); device.policy (Update) |

Note (actions marked with *):
  • Dismiss Alert was renamed Close Alert in Splunk SIEM App v2.0.0.
  • Kill Process and List Processes changed from an Access Level type of LIVE_RESPONSE to CUSTOM in Splunk SIEM App v2.0.0.

Commands

All commands require an API Key with an Access Level of type CUSTOM. This changed in Splunk SIEM App v2.0.0; earlier versions used Access Levels of type LIVE_RESPONSE and API.

The following tables indicate the permissions that are required.

| Command | Description | Permission |
|---|---|---|
| Carbon Black Cloud Device Info (cbcdvcinfo) | Gets real-time information about a Carbon Black Cloud device. See Carbon Black Cloud Custom Commands for Splunk SIEM for usage and best practices. | device (Read) |
| Carbon Black Cloud Hash Info (cbchashinfo) | Gets real-time information about a SHA-256 hash, such as the number of devices that observed the file. Requires Carbon Black Cloud Enterprise EDR. | ubs.org.sha256 (Read) |
| Carbon Black Cloud Query (Alert Details dashboard: Alert History tab) | Loads a timeline view of the alert, including when it was created, determination changes, workflow updates, notes, and Carbon Black Managed Detection and Response comments. | org.alerts (Read) |
| Carbon Black Cloud Query (Alert Details dashboard: Observations tab) | Loads Carbon Black Cloud Observations related to an alert. Only certain alert types, such as CB Analytics, Host Based Firewall, and Intrusion Detection System, have Observations. | org.search.events (Create, Read) |
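Because a CUSTOM Access Level is built by hand, the usual mistake is either a missing operation (an input or action silently fails) or a leftover grant no enabled feature needs. The following added example (not part of the Splunk SIEM app or Carbon Black Cloud) computes the least-privilege permission set for the inputs, actions and commands you plan to enable, using the permission tables above, and diffs it against a constructed sample of an existing Access Level.

```python
# Added example: least-privilege check for a Splunk SIEM CUSTOM Access Level.
# REQUIRED is transcribed from the tables above (a subset, extend as needed);
# SAMPLE_GRANTED is a constructed Access Level, not real data.
from collections import defaultdict

# feature -> list of (permission, set of operations) exactly as the page lists them
REQUIRED = {
    "Alerts": [("orgs.alerts", {"Read"})],
    "Asset Inventory": [("device", {"Read"}), ("group-management", {"Read"}),
                        ("external-device.manage", {"Read"})],
    "Audit Logs": [("org.audits", {"Read"})],
    "Close Alert": [("org.alerts", {"Read"}), ("org.alerts.close", {"Execute"})],
    "Kill Process": [("device", {"Read"}),
                     ("org.liveresponse.session", {"Create", "Read", "Delete"}),
                     ("org.liveresponse.process", {"Read", "Delete"})],
    "Quarantine Device": [("device", {"Read"}), ("device.quarantine", {"Execute"})],
    "Run Livequery": [("device", {"Read"}), ("livequery.manage", {"Create", "Read"})],
    "cbcdvcinfo": [("device", {"Read"})],
}

def required_permissions(features):
    """Union, per permission, of the operations the chosen features need."""
    needed = defaultdict(set)
    for feature in features:
        for perm, ops in REQUIRED[feature]:
            needed[perm] |= ops
    return dict(needed)

def check_access_level(granted, features):
    """Return (missing, excess): missing operations will make a feature fail,
    excess operations are grants no chosen feature uses (remove them)."""
    needed = required_permissions(features)
    missing = {p: ops - granted.get(p, set()) for p, ops in needed.items()}
    excess = {p: ops - needed.get(p, set()) for p, ops in granted.items()}
    return ({p: o for p, o in missing.items() if o},
            {p: o for p, o in excess.items() if o})

# Constructed sample: an Access Level as an admin might have clicked it together
SAMPLE_GRANTED = {
    "orgs.alerts": {"Read"},
    "device": {"Read"},
    "device.quarantine": {"Execute"},
    "org.reputations": {"Create"},                    # Ban Hash grant, unused
    "org.liveresponse.session": {"Create", "Read"},   # Delete was forgotten
}

if __name__ == "__main__":
    wanted = ["Alerts", "Close Alert", "Kill Process", "Quarantine Device"]
    missing, excess = check_access_level(SAMPLE_GRANTED, wanted)
    print("missing:", missing)
    print("excess:", excess)
```

Note that the page lists the Alerts input under orgs.alerts but Close Alert under org.alerts; the checker keeps both spellings as given, so verify the exact permission names in the Carbon Black Cloud console when building the Access Level.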