Note: For VMware Carbon Black Cloud customers who use VMware Cloud Services Platform for Identity and Access Management, OAuth App Id and OAuth App Secret can be used.

1. Open your Carbon Black Cloud console, go to Settings > API Access, select "Access Levels" and click "Add Access Level".
2. Fill in the "Name" and "Description" fields, grant the new Access Level the following RBAC permissions and click Save.
   - Applications (org.reputations) - CREATE, DELETE
   - Custom Detections (org.watchlists) - CREATE, READ, UPDATE, DELETE
   - Custom Detections (org.feeds) - CREATE, READ, UPDATE, DELETE
   - Live Response Session () - CREATE, READ, DELETE
   - Live Response Process () - EXECUTE, READ, DELETE

   _Note: Refer to the SOAR actions table to determine permissions for the actions you want to enable._
3. Go to the "API Keys" tab and click "Add API Key".
4. Enter a "Name", click on the "Access Level type" dropdown, select "Custom", click on the "Custom Access Level" dropdown and select the level you created in step 2, then click Save.
5. Copy the API Secret Key and API ID from the pop-up modal.
6. Copy the Carbon Black Cloud console URL (including the " and ORG KEY.
7. Go to Apps > Unconfigured Apps > Carbon Black Cloud and click Configure New Asset.
8. Go to the "Asset Info" tab and enter "Asset name".
9. Go to the "Asset Settings" tab and add the Carbon Black Cloud instance URL, Carbon Black Cloud Org Key, API ID and API Secret Key to their respective fields.
10. Click on the corresponding checkbox to enable fetching a specific type of alerts (CB_ANALYTICS alerts, DEVICE_CONTROL alerts, WATCHLIST alerts (requires Enterprise EDR), CONTAINER_RUNTIME alerts (requires Container Security)).
11. Set Minimum Alert Severity to the lowest severity to be ingested to Splunk SOAR.
12. Go to the "Ingest Settings" tab and enable polling on the asset.
13. Select a polling interval or schedule to configure polling on this asset. The suggested polling interval is 3 minutes.
14. Go back to the "Asset Settings" tab and click "Test Connectivity" to ensure a successful connection.

The Splunk App for Splunk SOAR is used to pull event data from Splunk Enterprise. Artifacts pulled in from Splunk Enterprise have all the Carbon Black Cloud alert data packed into a single value and lack the necessary mappings.