Alerts Recommended for orgs with high volumesįor built-in data inputs, alert actions, and commands, create API Key(s) with the correct permissions in the Carbon Black Cloud and then configure Splunk to use those keys.Uses the AWS Add-on for Splunk to pull the data from AWS S3 into Splunk.Streams data into an AWS S3 bucket at scale.Use the VMware Carbon Black Cloud App (or Input Add-on via a Heavy Forwarder), which leverages VMware Carbon Black Cloud REST APIs to pull data into Splunk.Each method supports a subset of the Carbon Black Cloud data which is outlined below. The VMware Carbon Black Cloud App offers two methods to ingest data. Watch our Setup Video for an in depth walk through of the following sections No additional configuration needed beyond installation for CIM compliant models.
Note: If you are using the Data Forwarder to ingest Alerts and Events then you will need to install and configure the Splunk AWS Add-on.
Heavy Forwarder - IA-vmware_app_for_splunk The Heavy Forwarder is where Splunk will ingest data from the Carbon Black Cloud, the Indexer will process the incoming data and apply the CIM compliant models, and the Search Head provides the graphical search interface that allows you to interact with the data through dashboards, alert actions and custom commands. In a distributed environment the app and add-ons only support a subset of configuration as each Splunk component provides specific functionality. Otherwise, see the Self Service Install documentation
This application connects with any Carbon Black Cloud offering and replaces the existing product-specific Carbon Black Cloud apps for Splunk. The VMware Carbon Black Cloud App for Splunk is a single application to integrate your endpoint and workload security features and telemetry directly into Splunk dashboards, workflows and alert streams.