This topic contains helpful FAQs for using the Carbon Black Cloud App for Splunk SIEM 2.0.0.

Can you bring Carbon Black Cloud Audit Logs into Splunk SIEM 2.0.0+?
Yes. See Configure Audit Logs Input for Splunk SIEM.
Is the Data Forwarder required?
The Data Forwarder is the recommended approach for ingesting Alerts, Endpoint Events and Watchlist Hits into Splunk due to its reliability, scale, and low latency. This approach is required to ingest Endpoint Event and Watchlist Hit data.
The alternative is to use the built-in inputs packaged with the Carbon Black Cloud App or Input Add-on, which leverage the Carbon Black Cloud REST APIs. This approach supports ingesting the Observations associated with relevant Alert types through an Alert Action.
Can the Carbon Black Cloud Splunk App ingest only the Alerts and not the event data or the audit information?
The app does not require all of the data. However, parts of the dashboards are not available if they rely on data types that are not ingested.
What URL must be used for the API configuration?
When configuring the Carbon Black Cloud Environment URL for API Token Configuration, use the dashboard URL without the https://.
Note: Do not include a trailing slash. The value should be only the hostname; for example, defense.conferdeploy.net.

To view the URLs for each environment, see Hostnames.
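Because the API Token Configuration expects only the hostname (no scheme, no trailing slash, no path), a small normalizer that turns whatever an admin pastes from the browser into that form, and rejects anything that cannot be reduced unambiguously, avoids a silently broken input. The following is an added example, not code from the app or from Carbon Black; the function name `normalize_cbc_hostname` is assumed, and `defense.conferdeploy.net` is the hostname the FAQ itself uses as an illustration.

```python
from urllib.parse import urlsplit


def normalize_cbc_hostname(value: str) -> str:
    """Reduce a pasted Carbon Black Cloud dashboard URL to the bare hostname
    expected by the API Token Configuration (e.g. defense.conferdeploy.net).

    Raises ValueError when the input carries anything beyond a hostname,
    so a mis-pasted value fails loudly instead of producing a dead input.
    """
    raw = value.strip()
    if not raw:
        raise ValueError("empty environment URL")
    # urlsplit only populates netloc when a scheme is present; add one if the
    # admin pasted a bare hostname such as 'defense.conferdeploy.net/'.
    parts = urlsplit(raw if "://" in raw else "https://" + raw)
    if parts.scheme not in ("https", "http"):
        raise ValueError(f"unexpected scheme: {parts.scheme!r}")
    if parts.username or parts.password or parts.port:
        raise ValueError("credentials or a port are not part of the hostname")
    # A trailing slash is tolerated (and dropped); any real path, query or
    # fragment means the value is a page URL, not an environment hostname.
    if parts.query or parts.fragment or parts.path not in ("", "/"):
        raise ValueError(f"only a hostname is allowed, got path {parts.path!r}")
    host = parts.hostname or ""  # .hostname is already lower-cased
    if not host or "." not in host:
        raise ValueError(f"not a fully qualified hostname: {host!r}")
    return host


if __name__ == "__main__":
    # Constructed sample inputs an admin might paste into the configuration.
    for sample in ("https://defense.conferdeploy.net/", "defense.conferdeploy.net",
                   "https://defense.conferdeploy.net/#/alerts"):
        try:
            print(f"{sample!r} -> {normalize_cbc_hostname(sample)!r}")
        except ValueError as exc:
            print(f"{sample!r} -> rejected: {exc}")
```

Run it before saving the configuration, or wire it into whatever script provisions the input; the returned value is exactly what belongs in the Environment URL field.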

Do you know if and when a new Splunk TA will be updated?
A new Carbon Black Cloud app that is available on SplunkBase supports distributed environments and includes new Input and Technology add-ons.

If you are using Splunk 8.0+, you should upgrade to the new app to take advantage of improved data ingest options and a larger range of adaptive response features.

If you are using Splunk 7.0, you should upgrade the version of Splunk SIEM to use the new Carbon Black Cloud app.

Is there a limit to the number of alerts that are pulled from the API on each sync when using the built-in Input?
Yes, the limit is 10,000.

If your organization generates more than 10,000 alerts per polling interval, you can:

  • Tune alerts to reduce overall alert volume:
    • You can remove known-good CB Analytics alerts using the Close all future alerts function.
    • Follow additional recommendations from Carbon Black Threat Research (login required).
  • Modify the configured Alert Input:
    • Increase the minimum severity.
    • Use the Query to filter out alerts that provide no value to you.
    • Change the polling interval to 120 or 60 seconds.
  • Switch to ingesting alerts through the Data Forwarder.
Is there a limit to the number of Audit Logs that are pulled on each sync?
Yes, the limit is 2,500.
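Both per-sync caps above (10,000 alerts, 2,500 audit logs) matter only relative to the polling interval: a steady rate that overflows a 600-second poll may fit comfortably in a 120-second one, which is why shortening the interval is one of the listed remedies. The following added example (not code from the app or from Carbon Black) buckets record timestamps into polling windows and reports any window whose count would exceed a cap; the function names and the synthetic burst are constructed for illustration, and the two cap constants are taken from the FAQ.

```python
from datetime import datetime, timedelta, timezone

ALERT_CAP_PER_POLL = 10_000      # built-in Alert Input cap stated in the FAQ
AUDIT_LOG_CAP_PER_POLL = 2_500   # Audit Logs input cap stated in the FAQ


def count_per_poll(timestamps, poll_interval_s):
    """Bucket timestamps into consecutive windows of poll_interval_s seconds,
    starting at the earliest timestamp. Returns [(window_start, count), ...]
    for every window up to the latest timestamp, empty windows included."""
    if not timestamps:
        return []
    ts = sorted(timestamps)
    start, width = ts[0], timedelta(seconds=poll_interval_s)
    n_windows = int((ts[-1] - start) / width) + 1
    counts = [0] * n_windows
    for t in ts:
        counts[int((t - start) / width)] += 1
    return [(start + i * width, c) for i, c in enumerate(counts)]


def windows_over_cap(timestamps, poll_interval_s, cap):
    """Windows in which a single sync would leave records unretrieved."""
    return [(w, c) for w, c in count_per_poll(timestamps, poll_interval_s) if c > cap]


def synthetic_burst(rate_per_s, duration_s, base=None):
    """Constructed sample data: a perfectly steady stream of records.
    Microsecond arithmetic keeps bucket boundaries exact."""
    base = base or datetime(2024, 1, 1, tzinfo=timezone.utc)
    step_us = 1_000_000 // rate_per_s
    return [base + timedelta(microseconds=i * step_us)
            for i in range(rate_per_s * duration_s)]


if __name__ == "__main__":
    # 20 alerts/second for 10 minutes: 12,000 records in total.
    burst = synthetic_burst(rate_per_s=20, duration_s=600)
    for interval in (600, 120, 60):
        over = windows_over_cap(burst, interval, ALERT_CAP_PER_POLL)
        print(f"interval={interval:>3}s  windows over alert cap: {len(over)}")
    # The same stream against the smaller audit-log cap.
    print("audit cap at 120s:", windows_over_cap(burst, 120, AUDIT_LOG_CAP_PER_POLL))
```

Feeding real timestamps (for example, exported alert creation times from a busy day) into `windows_over_cap` shows whether the current interval is safe or whether the volume-reduction steps above are needed before the cap is hit.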
What version of Splunk SIEM is supported for Carbon Black Cloud?
Splunk version 9.1+.
What documentation is available to help with ingesting Carbon Black Cloud Data Forwarder data into Splunk SIEM?
Data Forwarder Alerts Input Configuration for Splunk SIEM
Configure AWS Add-On for Splunk SIEM
Data Forwarders
Does the Carbon Black Cloud app use Splunk CIM?
Yes, it uses the Event and Alert models from the Splunk CIM.
Is the Carbon Black Cloud app certified by Splunk?
The Carbon Black Cloud app has been verified by AppInspect and is under assessment for Splunk Cloud.
What is the difference between the Message Time and Timestamp fields in Splunk?
Carbon Black Cloud alerts and events contain a variety of timestamps to provide insight into various stages of the data. For example, an alert will contain the timestamp of when the first event was detected as well as the most recent alert update.
The App/TA extracts the most relevant timestamp field into the standard Splunk _time field.
You can find descriptions of each timestamp at Alerts & Events via the Forwarder and Alerts via the built-in Input (Alerts API).