Use the Audit Log Inputs tab to configure inputs that will pull audit logs using the Carbon Black Cloud APIs.
The Audit Log input uses the CBC Audit Log Events.
Setting | Description |
---|---|
Name | Used to distinguish between inputs. |
Active | A checkbox that enables or disables the input. |
API Token | The API Key from the API Token Configuration tab to use for the API authorization. For required permissions, see API Data Inputs. Note: With Splunk SIEM 2.0.0+, use a Custom key with the permission orgs.audit. |
Proxy | The proxy configuration, if needed. |
Index | The Splunk Index in which to store the data. Note: This value must match the value of the VMware Base Index on the VMware Base Configuration tab. |
Interval | The frequency (in seconds) that the API should poll for data. Range: 60-86400. Default: 300. |