To verify that data is being ingested into Splunk SIEM 2.x.x after a new installation or upgrade, perform the following steps.

Prerequisites

Read After you Upgrade to Splunk SIEM 2.x.x.

Procedure

  1. Verify that custom content that uses alert metadata, such as reports, searches, or dashboards, is populating correctly.

    If data is missing, verify that the mappings have been updated:

    • Field changes for the Alerts v7 API are listed in Schema Changes.
    • Field changes for the Data Forwarder Alert Schema v2 are listed in Data Forwarder Alert Schema v1 Migration.
    • If the field is marked as DEPRECATED, choose a different field or remove that field from your custom content.
    • If the field has a replacement field identified, update the mapping to use that field name instead.

  2. If you are using the Live Response alert actions List Process or Kill Process, verify that the actions execute correctly.
    • Check the Administration > Application Health Overview for errors.
    • A 401 or 403 error indicates a problem with the API key configuration.
    • Verify that the Access Level in Carbon Black Cloud has the correct permissions for each action as listed in Alert Actions and Adaptive Responses.
    • Verify that the Splunk Configuration uses the API Key that has been assigned the Access Level.
  3. If you are using an audit log input, verify that Audit Logs are being ingested.
    • Check the Administration > Application Health Overview for errors.
    • A 401 or 403 error indicates a problem with the API key configuration.
    • Verify that the Access Level in Carbon Black Cloud has the correct permissions for each action as listed in Alert Actions and Adaptive Responses.
    • Verify that the Splunk Configuration uses the API Key that has been assigned the Access Level.
  4. Confirm that other inputs are being ingested.
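As an added example for step 1 (this is not code from the Carbon Black Cloud Splunk SIEM app or from this documentation), the script below audits the SPL of custom saved searches against a field-migration table of the kind built from the Schema Changes and Data Forwarder Alert Schema v1 Migration lists: renamed fields are reported and rewritten to the replacement name, while fields marked DEPRECATED with no replacement are reported for manual removal. The migration table, the field names, the index name `cbc_alerts`, and the saved searches are constructed placeholders, not the real schema; the actual field changes come from the two documents named in step 1.

```python
"""Added example: audit custom Splunk content against a field-migration table.
Not code from the Carbon Black Cloud Splunk SIEM app; all field and index
names below are constructed placeholders, not the real Alerts v7 schema."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed migration table (placeholder names, NOT the real schema change list):
#   value is the replacement field name, or None when the field is DEPRECATED
#   with no replacement and must be removed or swapped for a different field.
MIGRATION: Dict[str, Optional[str]] = {
    "legacy_severity": "severity",       # hypothetical: renamed field
    "legacy_device_os": "device_os",     # hypothetical: renamed field
    "old_alert_flag": None,              # hypothetical: DEPRECATED, no replacement
}


@dataclass(frozen=True)
class Finding:
    search: str                 # name of the saved search or dashboard panel
    field: str                  # field referenced by the custom content
    action: str                 # "rename" or "remove"
    replacement: Optional[str]  # new field name, or None for DEPRECATED


def _field_pattern(field: str) -> "re.Pattern[str]":
    # Whole-word match so that e.g. "severity" does not match inside "legacy_severity".
    return re.compile(rf"(?<![A-Za-z0-9_]){re.escape(field)}(?![A-Za-z0-9_])")


def audit_search(name: str, spl: str, migration=MIGRATION) -> List[Finding]:
    """Return one Finding per renamed or deprecated field that the SPL references."""
    findings = []
    for field, replacement in migration.items():
        if _field_pattern(field).search(spl):
            action = "rename" if replacement else "remove"
            findings.append(Finding(name, field, action, replacement))
    return findings


def rewrite_search(spl: str, migration=MIGRATION) -> str:
    """Apply renames automatically. DEPRECATED fields without a replacement are
    left untouched: choosing a different field is a human decision (step 1)."""
    for field, replacement in migration.items():
        if replacement:
            spl = _field_pattern(field).sub(replacement, spl)
    return spl


# Constructed custom content, as it might appear in savedsearches.conf.
CUSTOM_SEARCHES: Dict[str, str] = {
    "High severity alerts by OS": (
        "index=cbc_alerts legacy_severity>=7 "
        "| stats count by legacy_device_os, old_alert_flag"
    ),
    "Alert volume": "index=cbc_alerts | timechart span=1h count",
}


def audit_all(searches=CUSTOM_SEARCHES, migration=MIGRATION) -> List[Finding]:
    """Audit every saved search and flatten the findings into one list."""
    return [f for name, spl in searches.items() for f in audit_search(name, spl, migration)]


if __name__ == "__main__":
    for f in audit_all():
        target = f"-> {f.replacement}" if f.replacement else "(no replacement: remove or choose another field)"
        print(f"{f.search}: {f.action} {f.field} {target}")
    print(rewrite_search(CUSTOM_SEARCHES["High severity alerts by OS"]))
```

In practice the `MIGRATION` table would be filled from the two schema documents and `CUSTOM_SEARCHES` read from the app's `savedsearches.conf` and dashboard XML; the whole-word regex is deliberate so that a replacement name that is a suffix of the old name (as in the constructed `legacy_severity` / `severity` pair) is not double-rewritten.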