You can use REST APIs to ingest data into the Carbon Black Cloud Splunk SOAR app.

To set up data ingestion, you must create API keys that have the appropriate permissions to pull in Carbon Black Cloud data.

This method of data ingestion supports alerts and SOAR Actions.

See also Setting up API Access and Carbon Black Cloud API Access.

Procedure

  1. On the left navigation pane of the Carbon Black Cloud console, click Settings > API Access.
  2. Click the Access Levels tab and click Add Access Level.
  3. Enter a name and description for your access level.
  4. Select the following checkboxes for permission functions to include in your access level:
    Table 1. RBAC Permissions

    Function/Action                                        Permissions
    Alerts (org.alerts)                                    READ
    Alerts (org.alerts.close)                              EXECUTE
    Applications (org.reputations)                         CREATE, DELETE
    Background Tasks (jobs.status)                         READ
    Custom Detections (org.watchlists)                     CREATE, READ, UPDATE, DELETE
    Custom Detections (org.feeds)                          CREATE, READ, UPDATE, DELETE
    Device (device.quarantine)                             EXECUTE
    Device (device)                                        READ
    Device (device.policy)                                 UPDATE
    Live Query (livequery.manage)                          CREATE, READ, UPDATE, DELETE
    Live Response File (org.liveresponse.file)             READ, DELETE
    Live Response Process (org.liveresponse.process)       EXECUTE, READ, DELETE
    Live Response Session (org.liveresponse.session)       CREATE, READ, DELETE
    Policies (org.policies)                                READ
    Search (org.search.events)                             CREATE, READ
    Unified Binary Store (ubs.org.sha256)                  READ
    Unified Binary Store (ubs.org.file)                    READ
    Note: To determine permissions for the actions you want to enable, see SOAR Actions.
  5. Click Save.
  6. Click the API Keys tab and click Add API Key.
  7. Enter a unique name and description.
  8. Select the Custom Access Level Type.
  9. Set the Custom Access Level to be the access level you created in Step 3.
    Figure: Custom key example
  10. Click Save.
  11. Copy the API ID and API Secret Key from the popup window. Paste these values into Notepad or another text editor.
    Figure: API Secret Key in popup window
    Important: Because the API Secret Key cannot be retrieved after its initial creation, you must store the API Secret Key in a secure location.
  12. Copy the Carbon Black Cloud console URL (including https://) and paste the URL into Notepad or another text editor.
  13. Copy the Carbon Black Cloud ORG KEY and paste its value into Notepad or another text editor.
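
Before handing the four values from Steps 11 to 13 to the SOAR app, it is worth confirming that the key actually carries the Alerts READ permission from Table 1. The script below is an added example, not part of this page or of the Splunk SOAR app; it assumes the Carbon Black Cloud convention of authenticating with an X-Auth-Token header of the form "<API Secret Key>/<API ID>" and the v7 Alerts API search endpoint, and it reads the values from environment variables instead of a Notepad file.

```python
"""Sanity-check a Carbon Black Cloud API key before configuring the SOAR app."""
import json
import os
import urllib.error
import urllib.request

# Assumptions (not stated on the setup page): CBC authenticates API keys with
# "X-Auth-Token: <API Secret Key>/<API ID>", and the Alerts v7 search endpoint
# is POST /api/alerts/v7/orgs/<ORG KEY>/alerts/_search.
ALERT_SEARCH_PATH = "/api/alerts/v7/orgs/{org_key}/alerts/_search"


def build_alert_search_request(console_url, org_key, api_id, api_secret, rows=1):
    """Return (url, headers, body) for a minimal alert search that needs only
    the Alerts (org.alerts) READ permission from Table 1."""
    url = console_url.rstrip("/") + ALERT_SEARCH_PATH.format(org_key=org_key)
    headers = {
        "X-Auth-Token": f"{api_secret}/{api_id}",
        "Content-Type": "application/json",
    }
    body = {"time_range": {"range": "-1d"}, "rows": rows, "start": 1}
    return url, headers, body


def check_alert_read_permission(console_url, org_key, api_id, api_secret):
    """Send the request and report (ok, detail). A 401 typically means the
    API ID/Secret pair is wrong; a 403 means the key's access level lacks
    the org.alerts READ permission."""
    url, headers, body = build_alert_search_request(console_url, org_key, api_id, api_secret)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status == 200, f"HTTP {resp.status}"
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code}"


if __name__ == "__main__":
    # Keep the secret out of files and shell history: read it from the environment.
    cfg = {k: os.environ[k] for k in ("CBC_URL", "CBC_ORG_KEY", "CBC_API_ID", "CBC_API_SECRET")}
    ok, detail = check_alert_read_permission(cfg["CBC_URL"], cfg["CBC_ORG_KEY"],
                                             cfg["CBC_API_ID"], cfg["CBC_API_SECRET"])
    print("Alerts READ check:", "OK" if ok else "FAILED", detail)
```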

What to do next

Install and Configure the Carbon Black Cloud App for Splunk SOAR