This topic contains helpful FAQs for using the Carbon Black Cloud App for Splunk SIEM 2.0.0.
- Can you bring Carbon Black Cloud Audit Logs into Splunk SIEM 2.0.0+?
- Yes. See Configure Audit Logs Input for Splunk SIEM.
- Is the Data Forwarder required?
- The Data Forwarder is the recommended approach for ingesting Alerts, Endpoint Events and Watchlist Hits into Splunk due to its reliability, scale, and low latency. This approach is required to ingest Endpoint Event and Watchlist Hit data.
- Can the Carbon Black Cloud Splunk App ingest only the Alerts and not the event data or the audit information?
- The app does not require all of the data. However, parts of the dashboards are not available if they rely on data types that are not ingested.
- What URL must be used for the API configuration?
- When configuring the Carbon Black Cloud Environment URL for API Token Configuration, use the dashboard URL without the https://.
  Note: Do not include a trailing slash. The value should be only the hostname; for example, defense.conferdeploy.net.
  To view the URLs for each environment, see Hostnames.
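A small normalizer for the Environment URL setting, added here as an example and not part of the app: it accepts the values administrators commonly paste (full dashboard URL, trailing slash, port, path) and returns the bare hostname the app expects, along with a list of what it had to strip. The sample inputs are constructed; only defense.conferdeploy.net comes from the FAQ above.

```python
from urllib.parse import urlsplit


def normalize_cbc_environment_url(value: str) -> tuple[str, list[str]]:
    """Return (hostname, warnings) for a configured Environment URL.

    The app expects only the hostname: no scheme, no path, no trailing
    slash. Warnings record what was removed so the stored setting can be
    corrected rather than silently rewritten.
    """
    warnings: list[str] = []
    raw = value.strip()
    if raw != value:
        warnings.append("surrounding whitespace removed")
    # urlsplit() only fills netloc when a scheme is present, so prepend one
    # for bare hostnames so both input forms are parsed the same way.
    candidate = raw if "://" in raw else "https://" + raw
    parts = urlsplit(candidate)
    if "://" in raw:
        warnings.append(f"scheme '{parts.scheme}://' removed")
    if parts.path == "/":
        warnings.append("trailing slash removed")
    elif parts.path:
        warnings.append(f"path '{parts.path}' removed")
    if parts.query or parts.fragment:
        warnings.append("query/fragment removed")
    if parts.port is not None:  # raises ValueError on a non-numeric port
        warnings.append(f"port {parts.port} removed")
    hostname = parts.hostname or ""  # urlsplit lowercases the host
    if not hostname:
        raise ValueError(f"no hostname found in {value!r}")
    return hostname, warnings


if __name__ == "__main__":
    # Constructed inputs an admin might paste into the configuration form.
    for sample in ("defense.conferdeploy.net",
                   "https://defense.conferdeploy.net/",
                   " https://Defense.ConferDeploy.net:443/cb/dashboard "):
        host, notes = normalize_cbc_environment_url(sample)
        print(f"{sample!r} -> {host} {notes}")
```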
- Do you know if and when a new Splunk TA will be updated?
- A new Carbon Black Cloud app that is available on SplunkBase supports distributed environments and includes new Input and Technology add-ons.
  If you are using Splunk 8.0+, you should upgrade to the new app to take advantage of improved data ingest options and a larger range of adaptive response features.
  If you are using Splunk 7.0, you should upgrade the version of Splunk SIEM to use the new Carbon Black Cloud app.
- Is there a limit to the number of alerts that are pulled from the API on each sync when using the built-in Input?
- Yes, the limit is 10,000.
  If your organization has more than 10,000 alerts per polling interval, you can:
  - Tune alerts to reduce overall alert volume:
    - Remove known-good CB Analytics alerts using the Close all future alerts function.
    - Follow additional recommendations from Carbon Black Threat Research (login required).
  - Modify the configured Alert Input:
    - Increase the minimum severity.
    - Use the Query to filter out alerts for which you find no value.
    - Change the polling interval to 120 or 60 seconds.
  - Switch to ingesting alerts through the Data Forwarder.
- Is there a limit to the number of Audit Logs that are pulled on each sync?
- Yes, the limit is 2,500.
- What version of Splunk SIEM is supported for Carbon Black Cloud?
- Splunk version 9.1+.
- What documentation is available to help with ingesting Carbon Black Cloud Data Forwarder data into Splunk SIEM?
- Data Forwarder Alerts Input Configuration for Splunk SIEM
- Does the Carbon Black Cloud app use Splunk CIM?
- Yes, it uses the Event and Alert models from the Splunk CIM.
- Is the Carbon Black Cloud app certified by Splunk?
- The Carbon Black Cloud app has been verified by AppInspect and is under assessment for Splunk Cloud.
- What is the difference between the Message Time and Timestamp fields in Splunk?
- Carbon Black Cloud alerts and events contain a variety of timestamps to provide insight into various stages of the data. For example, an alert will contain the timestamp of when the first event was detected as well as the most recent alert update.