To configure an Auth Events input for Splunk SIEM, perform the following procedure.

Auth Events requires Carbon Black Cloud Enterprise EDR, and it must be enabled for each policy. For more information, see Investigate - Auth Events.

Prerequisites

Configure Built-in Inputs for Splunk SIEM

Procedure

  1. In the Splunk SIEM console, in the Application Configuration menu, click the Auth Events Input tab.
  2. To create a new configuration, click the + in the top right corner of the page.
  3. Enter a name for the configuration.
  4. Select the API token that you configured in Set up Authentication and Authorization for Splunk SIEM.
    Note: Make sure that the Splunk Access Level has the required permissions specified in API Data Inputs for Auth Events API.
  5. Select the proxy that you configured in Step 4 of Configure Built-in Inputs for Splunk SIEM. If you are not using a proxy, select None.
  6. Set Lookback to 0 unless you need to retrieve data from previous days. The default value is 7 days.
  7. Set the Index to the Base Index name from Carbon Black Cloud Base Configuration; for example, carbonblackcloud.
    Note: Do not include index=.
  8. Set the Interval to the desired poll cycle. The default value is 300 seconds.
    Note: If your organization generates a large number of alerts, consider using the Data Forwarder option (see Data Forwarder Alerts Input Configuration for Splunk SIEM).
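As an added pre-flight check (example code written for this page, not part of the Carbon Black Cloud Splunk app), the following validates the values from steps 3 to 8 before they are entered in the form, catching the "index=" mistake the note warns about; the function names, the "None" proxy sentinel and the lookback window calculation are assumptions.

```python
# Added example, not the app's own code. Constraints mirror the procedure:
# lookback defaults to 7 days (step 6), interval defaults to 300 seconds
# (step 8), and the index is a bare name without "index=" (step 7 note).
from datetime import timedelta

DEFAULT_LOOKBACK_DAYS = 7        # step 6 default
DEFAULT_INTERVAL_SECONDS = 300   # step 8 default


def normalize_index(value: str) -> str:
    """Return the bare index name; reject the 'index=' prefix the note warns about."""
    name = value.strip()
    if name.lower().startswith("index="):
        raise ValueError("enter the bare index name, not 'index=<name>'")
    if not name:
        raise ValueError("index name must not be empty")
    return name


def validate_auth_events_input(name, api_token, proxy, lookback_days, index,
                               interval_seconds):
    """Validate the form values and return a normalized configuration dict."""
    if not name.strip():
        raise ValueError("configuration name is required (step 3)")
    if not api_token:
        raise ValueError("an API token must be selected (step 4)")
    if lookback_days < 0:
        raise ValueError("lookback must be 0 or a positive number of days")
    if interval_seconds <= 0:
        raise ValueError("interval must be a positive number of seconds")
    return {
        "name": name.strip(),
        "api_token": api_token,
        # Assumed sentinel: the form's "None" proxy choice means no proxy.
        "proxy": None if proxy in (None, "None") else proxy,
        "lookback_days": lookback_days,
        "index": normalize_index(index),
        "interval_seconds": interval_seconds,
    }


def initial_query_start(lookback_days, now):
    """Earliest event time the first poll would request (assumed lookback semantics)."""
    return now - timedelta(days=lookback_days)
```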