To configure a Live Query Results input for Splunk SIEM, perform the following procedure.

Prerequisites

Configure Built-in Inputs for Splunk SIEM

Procedure

  1. In the Splunk SIEM console, in the Application Configuration menu, click the Live Query Inputs tab.
  2. To create a new configuration, click the + in the top right corner of the page.
  3. Enter a name for the configuration.
  4. Select the API token that you configured in Set up Authentication and Authorization for Splunk SIEM.
    Note: Make sure that the Splunk Access Level has the required permissions specified for Live Query Results in API Data Inputs.
  5. Select the proxy that you configured in Step 4 of Configure Built-in Inputs for Splunk SIEM. If you are not using a proxy, select None.
  6. Set Lookback to 0 unless you need to retrieve data from previous days. The default value is 7 days.
  7. Set the Index to the Base Index name from Carbon Black Cloud Base Configuration; for example, carbonblackcloud.
    Note: Do not include index=.
  8. Set the Interval to the desired poll cycle. The default value is 300 seconds.
  9. Add a Result query to refine the results that will be ingested.
    Note: The query will use the same syntax as the Live Query > Query Results page in the Carbon Black Cloud console.
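The following Python snippet is an added example and is not part of this procedure or of the Carbon Black Cloud Splunk app. It checks a set of Live Query Results input settings against the constraints stated in steps 3 through 9 (an API token must be selected, the proxy may be None, Lookback is a number of days with a default of 7, the Index is the bare Base Index name without index=, and the Interval defaults to 300 seconds) and computes the earliest timestamp a given Lookback covers. The dictionary keys, the function names, and the sample configuration are assumptions made for this example.

```python
"""Hypothetical validator for Live Query Results input settings.

Added example only: the key names (name, api_token, proxy, lookback_days,
index, interval_seconds, result_query) mirror the fields in the procedure
but are not the app's own configuration format.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_LOOKBACK_DAYS = 7        # default Lookback stated in step 6
DEFAULT_INTERVAL_SECONDS = 300   # default Interval stated in step 8


def validate_live_query_input(cfg: dict) -> dict:
    """Return a normalized copy of cfg, or raise ValueError describing the defect."""
    out = {}

    name = str(cfg.get("name", "")).strip()
    if not name:
        raise ValueError("a configuration name is required (step 3)")
    out["name"] = name

    token = cfg.get("api_token")
    if not token:
        raise ValueError("select the API token configured for Splunk SIEM (step 4)")
    out["api_token"] = token

    # Step 5: a proxy name, or None when no proxy is used.
    proxy = cfg.get("proxy")
    out["proxy"] = None if proxy in (None, "", "None") else str(proxy)

    # Step 6: Lookback is a whole number of days; 0 means no historical backfill.
    lookback = cfg.get("lookback_days", DEFAULT_LOOKBACK_DAYS)
    if isinstance(lookback, bool) or not isinstance(lookback, int) or lookback < 0:
        raise ValueError("Lookback must be a non-negative number of days (step 6)")
    out["lookback_days"] = lookback

    # Step 7: the bare Base Index name, never an SPL clause such as index=...
    index = str(cfg.get("index", "")).strip()
    if not index:
        raise ValueError("Index (the Base Index name) is required (step 7)")
    if index.lower().startswith("index="):
        raise ValueError("Index must be the bare index name; do not include 'index=' (step 7)")
    out["index"] = index

    # Step 8: the poll cycle in seconds.
    interval = cfg.get("interval_seconds", DEFAULT_INTERVAL_SECONDS)
    if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
        raise ValueError("Interval must be a positive number of seconds (step 8)")
    out["interval_seconds"] = interval

    # Step 9: optional Result query; syntax is the console's, so it is passed through.
    out["result_query"] = str(cfg.get("result_query", "")).strip()
    return out


def is_valid(cfg: dict) -> bool:
    """Convenience wrapper: True when cfg passes validation, False otherwise."""
    try:
        validate_live_query_input(cfg)
        return True
    except ValueError:
        return False


def lookback_start(lookback_days: int, now: Optional[datetime] = None) -> datetime:
    """Earliest timestamp the input should request for the given Lookback in days."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(days=lookback_days)


if __name__ == "__main__":
    # Constructed sample configuration matching the procedure's example index.
    sample = {
        "name": "cbc-live-query-results",
        "api_token": "token-reference-placeholder",
        "proxy": "None",
        "lookback_days": 0,
        "index": "carbonblackcloud",
        "result_query": "",
    }
    print(validate_live_query_input(sample))
    print(lookback_start(DEFAULT_LOOKBACK_DAYS).isoformat())
```

Running the block prints the normalized configuration (proxy becomes None, interval falls back to 300) and the UTC timestamp seven days in the past that the default Lookback would cover; passing "index=carbonblackcloud" as the Index is rejected, matching the note in step 7.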