Use the Alert Inputs tab to configure inputs that will pull alerts using the Carbon Black Cloud APIs.
If you configure the alert input on this tab, do not also configure alerts using the Data Forwarder - AWS Add-on; doing so results in duplicate alert entries. The alert input uses the Carbon Black Cloud Alerts v7 API.
| Setting | Description |
|---|---|
| Name | Used to distinguish between inputs. |
| Active | A checkbox that enables or disables the input. |
| Minimum Severity | The minimum severity level that will be pulled from the API. |
| Type | The types of alerts to pull from the API. |
| API Token | The API Key from the API Token Configuration tab to use for API authorization. For required permissions, see API Data Inputs. |
| Proxy | The proxy configuration, if needed. |
| Lookback | The number of historical days to pull from the API on initial configuration. |
| Index | The Splunk Index in which to store the data. Note: This value must match the value of the VMware Base Index on the VMware Base Configuration tab. |
| Interval | The frequency (in seconds) at which the API should be polled for data. Range: 60-86400. Default: 300. |
| Query | The Carbon Black Cloud compatible query to limit the Alert results. The same syntax is used by the Search bar at the top of the Carbon Black Cloud console Alerts tab. Example: `ttp:MITRE*` |
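To make the settings above concrete, the following added Python illustration (not the app's own code) shows how the Minimum Severity, Type, Lookback, Interval and Query values map onto an Alerts v7 `_search` request. The endpoint path, `X-Auth-Token` header format and criteria field names (`minimum_severity`, `type`, `backend_timestamp`) are assumptions based on the public Alerts v7 API; the org key and credentials are placeholders.

```python
"""Build the Alerts v7 search request an alert input would issue (illustration only)."""
from datetime import datetime, timedelta, timezone

# Interval bounds and default as documented for the Interval setting.
INTERVAL_MIN, INTERVAL_MAX, INTERVAL_DEFAULT = 60, 86400, 300


def validate_interval(interval=None):
    """Return a poll interval in seconds, enforcing the 60-86400 range (default 300)."""
    if interval is None:
        return INTERVAL_DEFAULT
    interval = int(interval)
    if not INTERVAL_MIN <= interval <= INTERVAL_MAX:
        raise ValueError(f"interval must be between {INTERVAL_MIN} and {INTERVAL_MAX} seconds")
    return interval


def lookback_window(lookback_days, now=None):
    """Return (start, end) ISO-8601 UTC timestamps covering the Lookback period."""
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(days=lookback_days)
    fmt = "%Y-%m-%dT%H:%M:%S.000Z"
    return start.strftime(fmt), now.strftime(fmt)


def build_alert_search(org_key, minimum_severity, alert_types, lookback_days,
                       query=None, now=None, rows=100):
    """Return (path, body) for POST /api/alerts/v7/orgs/{org_key}/alerts/_search.

    Field names follow the Alerts v7 API as assumed here; ascending sort on
    backend_timestamp lets a poller resume from the last timestamp it stored.
    """
    start, end = lookback_window(lookback_days, now)
    body = {
        "criteria": {"minimum_severity": minimum_severity, "type": list(alert_types)},
        "time_range": {"start": start, "end": end},
        "rows": rows,
        "start": 1,
        "sort": [{"field": "backend_timestamp", "order": "ASC"}],
    }
    if query:  # same syntax as the console Alerts search bar, e.g. ttp:MITRE*
        body["query"] = query
    return f"/api/alerts/v7/orgs/{org_key}/alerts/_search", body


def auth_headers(api_id, api_secret):
    """Alerts v7 requests authenticate with X-Auth-Token: '<secret>/<id>' (assumed format)."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}", "Content-Type": "application/json"}
```

Because the input and the Data Forwarder - AWS Add-on would both deliver the same alerts, only one of the two should populate the configured index.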