The Carbon Black Cloud app for Splunk SIEM includes the following saved searches (default/savedsearches.conf).
vmware_example_for_alerting
This search is designed to show users how to create alerts by using the app.
The saved search is disabled by default in the app; you can enable it from the Saved Searches Settings tab. This saved search creates a report when there is a new alert. You can then use any of the Alert Actions listed in Alert Actions Reference for Splunk SIEM, or use custom Alert Actions in your environment.
CB Analytics - Ingest Enriched Events
This saved search provides Enriched Event Details based on CB_ANALYTICS
alerts. The default time range is earliest=-30m AND latest=-20m
and runs every 10 minutes after you enable it. The delay is built-in to allow Carbon Black Cloud time to aggregate and deliver additonal events that are associated with the alert. The following search is required to output these fields:
alert_id
org_key
sourcetype
source
host
The alert IDs should be de-duplicated via stats, and the alert_id field should be a ;:;:-delimited string for efficiency and accuracy in the alert action:
stats values(aid) as alert_id by org_key sourcetype source host | eval alert_id = mvjoin(alert_id, ";:;:")
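The following Python snippet is an added illustration, not code from the Carbon Black Cloud app. It emulates what the stats/mvjoin pipeline above produces (one row per org_key/sourcetype/source/host group, distinct alert IDs joined with ;:;:) and what an alert action has to do on the receiving side to get the list of IDs back. The event values, sourcetype and host names are constructed for the example; only the field names and the delimiter come from the page.

```python
from collections import defaultdict

# Delimiter the saved search uses in mvjoin(); it is chosen because it
# never occurs inside an alert ID, so the join is reversible.
DELIM = ";:;:"

# Fields the page says the search must group by (order preserved).
GROUP_BY = ("org_key", "sourcetype", "source", "host")

# Constructed sample events; not real Carbon Black Cloud data.
SAMPLE_EVENTS = [
    {"aid": "alert-0001", "org_key": "ORGKEY1", "sourcetype": "example:alerts",
     "source": "example_input", "host": "splunk-hf-1"},
    {"aid": "alert-0002", "org_key": "ORGKEY1", "sourcetype": "example:alerts",
     "source": "example_input", "host": "splunk-hf-1"},
    # Same alert delivered twice: stats values() must collapse it.
    {"aid": "alert-0001", "org_key": "ORGKEY1", "sourcetype": "example:alerts",
     "source": "example_input", "host": "splunk-hf-1"},
    # Different org_key: lands in its own row.
    {"aid": "alert-0003", "org_key": "ORGKEY2", "sourcetype": "example:alerts",
     "source": "example_input", "host": "splunk-hf-1"},
    # Event with no alert ID: stats values() ignores null/empty values.
    {"aid": "", "org_key": "ORGKEY2", "sourcetype": "example:alerts",
     "source": "example_input", "host": "splunk-hf-1"},
]


def stats_values_alert_id(events):
    """Emulate:
        stats values(aid) as alert_id by org_key sourcetype source host
        | eval alert_id = mvjoin(alert_id, ";:;:")
    Returns one row dict per group; alert_id is the joined string of
    distinct, lexicographically sorted alert IDs (as values() returns them).
    """
    groups = defaultdict(set)
    for ev in events:
        aid = ev.get("aid")
        if not aid:  # null/empty aid contributes nothing to values()
            continue
        key = tuple(ev.get(f, "") for f in GROUP_BY)
        groups[key].add(aid)

    rows = []
    for key in sorted(groups):
        row = dict(zip(GROUP_BY, key))
        row["alert_id"] = DELIM.join(sorted(groups[key]))
        rows.append(row)
    return rows


def split_alert_ids(alert_id_field):
    """Receiving side (what an alert action does): recover the list of
    alert IDs from the delimited string, dropping empty fragments so a
    trailing or doubled delimiter never yields a blank ID."""
    return [a for a in alert_id_field.split(DELIM) if a]


if __name__ == "__main__":
    for row in stats_values_alert_id(SAMPLE_EVENTS):
        print(row["org_key"], "->", split_alert_ids(row["alert_id"]))
```

The grouping keys matter: an alert action that acts per org_key will receive one row per org, so IDs from different orgs are never mixed into the same delimited string.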