Use the Auth Events Inputs tab to configure inputs to pull Auth Events using the Carbon Black Cloud APIs.
The Auth Event input uses the Carbon Black Cloud Auth Events API.
Note: Auth Events requires
Carbon Black Cloud Enterprise EDR to access this data.
| Setting | Description |
|---|---|
| Name | Used to distinguish between inputs. |
| Active | A checkbox enables or disables the input. |
| API Token | The API Key from the API Token Configuration tab to use for the API authorization. For required permissions, see API Data Inputs. |
| Proxy | The proxy configuration, if needed. |
| Lookback | The number of historical days to pull from the API on initial configuration. |
| Index | The Splunk Index in which to store the data.
Note: This value must match value of the
VMware Base Index on the
VMware Base Configuration tab.
|
| Interval | The frequency (in seconds) that the API should poll for data. Range: 60-86400. Default: 300. |
