To determine which inputs to use, decide what data you want to pull from Carbon Black Cloud into Splunk SIEM.

Available Inputs

  • Alerts: available via API (regular polling) or Data Forwarder (streaming from AWS S3+SQS)
  • Audit Logs: available by API input
  • Auth Events: available by API input
  • Endpoint Events: available by Data Forwarder (streaming from AWS S3)
  • Live Query Results: available by API input
  • Vulnerabilities: available by API input
  • Watchlist Hits: available by Data Forwarder (streaming from AWS S3)


Requirements

  • Splunk Enterprise 9.2, 9.1, 9.0 or Splunk Cloud
  • Splunk CIM Add-on
  • Some inputs require specific Carbon Black Cloud features

To see what Carbon Black Cloud modules are currently enabled in your environment, log in to the Carbon Black Cloud console. Click your username in the upper-right corner of the page. An Enabled tag displays next to any product feature that is available in your organization.

Use Cases

The Carbon Black Cloud App for Splunk SIEM realizes many key SOC use cases, from conventional SIEM to XDR:

  • Use Splunk as a single pane of glass for your Carbon Black Cloud alerts
    • Triage and investigate from Splunk SIEM, or pivot back to the Carbon Black Cloud console.
  • Bring full EDR visibility to Splunk
    • Endpoint Events enable your SOC to perform threat hunting, conduct forensic investigations, and build custom analytics.

Support and Resources

  • Broadcom Carbon Black Support
  • Splunk SIEM Release Notes
  • View all API and integration offerings on the Developer Network together with reference documentation, video tutorials, and how-to guides.
  • Access questions and answers specific to the Carbon Black Cloud app at Be sure to tag your question with Carbon Black Cloud Splunk SIEM App.
  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.

Diagnostics Generation

Please include a support diagnostic file when creating a support ticket. Use the command below that matches the Splunk SIEM app or add-on you have installed, then send the resulting file to Broadcom Carbon Black Support.

$SPLUNK_HOME/bin/splunk diag --collect=app:vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:IA-vmware_app_for_splunk
$SPLUNK_HOME/bin/splunk diag --collect=app:TA-vmware_app_for_splunk
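One way to pick the right command automatically is shown below. This is an added example, not part of the Carbon Black or Splunk documentation. It assumes each app is installed under $SPLUNK_HOME/etc/apps/ in a directory named after the app ID used in the commands above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: select the diag command(s) for whichever Carbon Black Cloud
# app or add-on is installed on this Splunk instance.
# Assumption: an installed app lives in $SPLUNK_HOME/etc/apps/<app id>, and the
# app ids are the three used in the diag commands on this page.

CBC_APP_IDS="vmware_app_for_splunk IA-vmware_app_for_splunk TA-vmware_app_for_splunk"

# Print the ids of the Carbon Black Cloud apps found under the given Splunk home.
installed_cbc_apps() {
    splunk_home=$1
    for app in $CBC_APP_IDS; do
        if [ -d "$splunk_home/etc/apps/$app" ]; then
            printf '%s\n' "$app"
        fi
    done
}

# Print the diag command for each installed app.
# Pass "run" as the second argument to execute the commands instead.
cbc_diag() {
    splunk_home=$1
    mode=${2:-print}
    apps=$(installed_cbc_apps "$splunk_home")
    if [ -z "$apps" ]; then
        echo "no Carbon Black Cloud app or add-on found under $splunk_home/etc/apps" >&2
        return 1
    fi
    for app in $apps; do
        if [ "$mode" = "run" ]; then
            "$splunk_home/bin/splunk" diag --collect="app:$app" || return 1
        else
            printf '%s\n' "$splunk_home/bin/splunk diag --collect=app:$app"
        fi
    done
}

# Typical use on the Splunk host:
#   cbc_diag "$SPLUNK_HOME"        # show the command(s) that apply
#   cbc_diag "$SPLUNK_HOME" run    # generate the diag file(s)
```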