In a distributed Splunk environment, the Carbon Black Cloud app and add-ons each support only a subset of the configuration options, because each Splunk SIEM component provides specific functionality.

Splunk uses the Heavy Forwarder to ingest data from the Carbon Black Cloud. The Indexer processes the incoming data and applies the CIM-compliant data models, and the Search Head provides the graphical search interface through which you interact with the data using dashboards, alert actions, and custom commands.

  • Search Head - vmware_app_for_splunk
    • Carbon Black Cloud base configuration
    • Proxies
    • API token configuration
    • Alert actions
    • Custom commands
  • Heavy Forwarder - IA-vmware_app_for_splunk
    • Proxies
    • API token configuration
    • Built-in inputs (Alert Inputs, Audit Log Inputs, Auth Events, Live Query Inputs, and Vulnerabilities Inputs)
    Note: If you are using the Data Forwarder to ingest Alerts and Events, you must also install and configure the Splunk AWS Add-on. See Data Forwarder Alerts Input Configuration for Splunk SIEM.
  • Indexer - TA-vmware-app-for-splunk
    No additional configuration is required after installation; the add-on supplies the CIM-compliant data models.