To install and configure the Carbon Black Cloud App for Splunk SOAR, perform the following procedure.

Prerequisites

Set up Keys and Permissions in Carbon Black Cloud

Procedure

  1. Open the Splunk SOAR console.
  2. In the left navigation bar, click Apps.
  3. Click the New Apps menu, locate Carbon Black Cloud, and click Install.
  4. Click Unconfigured Apps and confirm that Carbon Black Cloud is present.
  5. For the Carbon Black Cloud app, click Configure New Asset.

    [Figure: Splunk SOAR console, Configure New Asset button for Carbon Black Cloud]

  6. Click the Asset Info tab and enter the Asset name.
  7. Click the Asset Settings tab.
  8. Using the values that you saved in a text editor during Set up Keys and Permissions in Carbon Black Cloud, enter each value in its matching field:
    1. Carbon Black Cloud Instance URL
    2. Carbon Black Cloud Org Key
    3. API ID
    4. API Secret Key
    The API Secret Key is a credential: once the asset is saved, delete the copy in the text editor rather than leaving it on disk.
  9. Select the corresponding checkboxes to fetch specific types of alerts:
    • CB_ANALYTICS alerts
    • DEVICE_CONTROL alerts
    • WATCHLIST alerts (requires Carbon Black Cloud Enterprise EDR)
    • CONTAINER_RUNTIME alerts (requires Carbon Black Container Security)
    • HOST_BASED_FIREWALL alerts (requires Carbon Black Cloud Enterprise EDR)
    • INTRUSION_DETECTION_SYSTEM alerts (requires Carbon Black Cloud Enterprise EDR)
  10. Set Minimum Alert Severity to the lowest severity (1 to 10) that you want ingested into Splunk SOAR; alerts with a lower severity are not fetched.
  11. Click the Ingest Settings tab.
  12. Select a polling interval or schedule to configure polling on this asset. The recommended polling interval is three minutes.
  13. Click Save.
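The asset settings above map onto one Carbon Black Cloud alert search per poll cycle. The following Python is an added example, not code from the Carbon Black Cloud App for Splunk SOAR or from Splunk: it validates the asset values, assembles the request the app's polling would issue, redacts the API token for logging, and applies the same type/severity filter to a constructed set of sample alerts. The Alerts v7 endpoint path and the `X-Auth-Token: <secret>/<id>` header format are the documented Carbon Black Cloud API conventions; the body field names (`time_range`, `criteria.type`, `criteria.minimum_severity`), the `defense.example.invalid` host, the org key `ABCD1234` and the sample alerts are assumptions and placeholders.

```python
# Added example (not code from the Carbon Black Cloud App for Splunk SOAR):
# turn the asset settings from the procedure into the Alerts v7 search that
# a poll would issue, validate them first, and keep the API secret out of logs.
import json
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Alert types offered by the asset checkboxes (Alerts v7 "type" values).
ALERT_TYPES = (
    "CB_ANALYTICS", "DEVICE_CONTROL", "WATCHLIST", "CONTAINER_RUNTIME",
    "HOST_BASED_FIREWALL", "INTRUSION_DETECTION_SYSTEM",
)


@dataclass
class AssetSettings:
    instance_url: str        # Carbon Black Cloud Instance URL
    org_key: str             # Carbon Black Cloud Org Key
    api_id: str              # API ID
    api_secret_key: str      # API Secret Key (credential)
    fetch_types: List[str]   # checked alert types
    min_severity: int = 1    # Minimum Alert Severity, 1..10
    poll_minutes: int = 3    # polling interval, 3 minutes recommended


def validate(s: AssetSettings) -> List[str]:
    """Return a list of problems; empty means the settings look usable."""
    problems = []
    u = urlsplit(s.instance_url)
    if u.scheme != "https" or not u.netloc or u.path.strip("/"):
        problems.append("instance URL must be https://<host> with no path")
    if not s.org_key or not s.api_id or not s.api_secret_key:
        problems.append("org key, API ID and API secret key are all required")
    unknown = sorted(set(s.fetch_types) - set(ALERT_TYPES))
    if unknown:
        problems.append("unknown alert types: " + ", ".join(unknown))
    if not s.fetch_types:
        problems.append("select at least one alert type")
    if not 1 <= s.min_severity <= 10:
        problems.append("minimum severity must be between 1 and 10")
    if s.poll_minutes < 1:
        problems.append("polling interval must be at least one minute")
    return problems


def build_request(s: AssetSettings) -> Dict:
    """Assemble the alert search for one poll cycle.
    Endpoint and X-Auth-Token format follow the Carbon Black Cloud Alerts v7
    API; the body field names are an assumption to check against your docs."""
    base = s.instance_url.rstrip("/")
    return {
        "method": "POST",
        "url": f"{base}/api/alerts/v7/orgs/{s.org_key}/alerts/_search",
        "headers": {
            # token is "<secret>/<id>", so the secret travels in every request
            "X-Auth-Token": f"{s.api_secret_key}/{s.api_id}",
            "Content-Type": "application/json",
        },
        "body": {
            "time_range": {"range": f"-{s.poll_minutes}m"},
            "criteria": {
                "type": list(s.fetch_types),
                "minimum_severity": s.min_severity,
            },
            "rows": 100,
            "start": 1,
        },
    }


def loggable(req: Dict) -> str:
    """JSON view of a request with the API token redacted, safe for logs."""
    safe = json.loads(json.dumps(req))  # deep copy, never mutate the original
    if "X-Auth-Token" in safe["headers"]:
        safe["headers"]["X-Auth-Token"] = "<redacted>"
    return json.dumps(safe, sort_keys=True)


def would_ingest(alerts: List[Dict], s: AssetSettings) -> List[str]:
    """Apply the same type/severity filter locally; returns the alert ids kept."""
    wanted = set(s.fetch_types)
    return [a["id"] for a in alerts
            if a["type"] in wanted and a["severity"] >= s.min_severity]


# Constructed sample alerts shaped like Alerts v7 results (not real data).
SAMPLE_ALERTS = [
    {"id": "a1", "type": "CB_ANALYTICS", "severity": 7},
    {"id": "a2", "type": "WATCHLIST", "severity": 3},
    {"id": "a3", "type": "DEVICE_CONTROL", "severity": 5},
    {"id": "a4", "type": "HOST_BASED_FIREWALL", "severity": 9},
]

# Placeholder asset values (hypothetical host, org key and credentials).
EXAMPLE_SETTINGS = AssetSettings(
    instance_url="https://defense.example.invalid",
    org_key="ABCD1234", api_id="EXAMPLEID", api_secret_key="EXAMPLESECRET",
    fetch_types=["CB_ANALYTICS", "DEVICE_CONTROL", "WATCHLIST"],
    min_severity=5,
)

if __name__ == "__main__":
    for p in validate(EXAMPLE_SETTINGS):
        print("problem:", p)
    print(loggable(build_request(EXAMPLE_SETTINGS)))
    print("would ingest:", would_ingest(SAMPLE_ALERTS, EXAMPLE_SETTINGS))
```

Running it shows that with Minimum Alert Severity 5 and three types checked, only alerts a1 and a3 of the sample would reach Splunk SOAR: a2 falls below the severity threshold and a4 is a HOST_BASED_FIREWALL alert that was not selected. The `loggable` view is what belongs in troubleshooting output; the raw request carries the API Secret Key in its header.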