Prerequisites

  • Deploy the Carbon Black Cloud App for Splunk SIEM and any required add-ons, including setting up authentication and authorization.

Procedure

  1. Create two Event Indexes for your data:
    • Carbon Black Cloud data; for example, carbonblackcloud
    • Alert Actions; for example, carbonblackcloud_actions

    For instructions on creating an index, see Managing Indexers and Clusters of Indexers.

  2. In the Splunk SIEM App, in the Carbon Black Cloud App, go to the Administration > Application Configuration menu.
  3. On the VMware CBC Base Configuration tab, set the VMware CBC Base Index and VMware CBC Action Index to the index names you created in Step 1, respectively.
  4. Optional: On the Proxies tab, configure a proxy.

What to do next

Configure your inputs: