The Enrich Carbon Black Alert Observations Alert Action searches for and ingests the Observations that are associated with the alert.
Note:
- This Alert Action writes events to the VMware Base Index (value specified for
VMware CBC Base Indexin the Application Configuration). - See also Observations API.
The Enrich Carbon Black Alert Observations Alert Action supports single instance and multi-tenancy environments.
Required search result fields:
sourcetypehostorg_key(must be included in the results for the Alert Action to determine which API Token to use)alert_id(must be a;:;:separated string, with de-dupped Alert IDs for query to the endpoint by Alert Action)source
