Enrich Carbon Black Alert Observations using Splunk SIEM

The Enrich Carbon Black Alert Observations Alert Action searches for and ingests the Observations that are associated with the alert.

Note:

This Alert Action writes events to the VMware Base Index (value specified for VMware CBC Base Index in the Application Configuration).
See also Observations API.

The Enrich Carbon Black Alert Observations Alert Action supports single instance and multi-tenancy environments.

Required search result fields:

sourcetype
host
org_key (must be included in the results for the Alert Action to determine which API Token to use)
alert_id (must be a ;:;: separated string, with de-dupped Alert IDs for query to the endpoint by Alert Action)
source