Getting Started with Splunk SIEM

Decide what data you want to pull from Carbon Black Cloud into Splunk SIEM to determine which inputs to use.

Available Inputs

Alerts: available via API (regular polling) or Data Forwarder (streaming from AWS S3+SQS)
Note:
- In 2.0.0 of the app, these inputs were upgraded to the v7 API and Forwarder Schema v2. See these blogs for more information about the benefits of the Alert v7 API and Data Forwarder Alert Schema v2.
- See the Splunk SIEM Release Notes for more about the benefits of using the Splunk SIEM App.
Audit Logs: available by API input
Auth Events: available by API input
Endpoint Events: available by Data Forwarder (streaming from AWS S3)
Live Query Results: available by API input
Vulnerabilities: available by API input
Watchlist Hits: available by Data Forwarder (streaming from AWS S3)

Requirements

Splunk Enterprise 9.2, 9.1, 9.0 or Splunk Cloud
Splunk CIM Add-on
Some inputs require specific Carbon Black Cloud features

Tip:

To see what Carbon Black Cloud modules are currently enabled in your environment, log in to the Carbon Black Cloud console. Click your username in the upper-right corner of the page. An Enabled tag displays next to any product feature that is available in your organization.

Use Cases

The Carbon Black Cloud App for Splunk SIEM realizes many key SOC use cases, from conventional SIEM to XDR:

Use Splunk as a single pane of glass for your Carbon Black Cloud alerts
- Triage and investigate from Splunk SIEM, or pivot back to the Carbon Black Cloud console.
Bring full EDR visibility to Splunk
- Endpoint Events enable your SOC to perform threat hunting, conduct forensic investigations, and build custom analytics.

Support and Resources

Broadcom Carbon Black Support
Splunk SIEM Release Notes
View all API and integration offerings on the Developer Network together with reference documentation, video tutorials, and how-to guides.
Access questions and answers specific to the Carbon Black Cloud app at https://answers.splunk.com. Be sure to tag your question with Carbon Black Cloud Splunk SIEM App.
Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.

Diagnostics Generation

Please include a support diagnostic file when creating a support ticket. Use the following command to generate the file, based on the Splunk SIEM app or add-on that is installed. Send the resulting file to Broadcom Carbon Black Support.

$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:IA-vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:TA-vmware_app_for_splunk