11/2/2023

Splunk installation guide

Requirements

- Splunk Enterprise with the Carbon Black Cloud App configured.
- The Splunk App for Splunk SOAR, which is required to ingest data from Splunk into Splunk SOAR.
- A Custom type API Key for data inputs and SOAR actions.

Create the Carbon Black Cloud API key

- Go to the "API Keys" tab and click "Add API Key".
- Enter a "Name", click the "Access Level type" dropdown, select "Custom", click the "Custom Access Level" dropdown and select the level you created in step 2, then click Save.
- Copy the API Secret Key and API ID from the pop-up modal.
- Copy the Carbon Black Cloud console URL (including the " and the ORG KEY.

_Note: Refer to the SOAR actions table to determine the permissions for the actions you want to enable._

- Live Response Session () - CREATE, READ, DELETE
- Live Response Process () - EXECUTE, READ, DELETE

Configure the asset in Splunk SOAR

The following section has steps for the recommended installation method via Apps within Splunk SOAR.

1. Open your Splunk SOAR console and go to Apps.
2. Go to Apps > Unconfigured Apps > Carbon Black Cloud and click Configure New Asset.
3. Go to the "Asset Info" tab and enter the "Asset name".
4. Go to the "Asset Settings" tab and add the Carbon Black Cloud instance URL, Carbon Black Cloud Org Key, API ID and API Secret Key to their respective fields.
5. Click the corresponding checkbox to enable fetching a specific type of alert: CB_ANALYTICS alerts, DEVICE_CONTROL alerts, WATCHLIST alerts (requires Enterprise EDR) and CONTAINER_RUNTIME alerts (requires Container Security).
6. Set Minimum Alert Severity to the lowest severity to be ingested into Splunk SOAR.
7. Go to the "Ingest Settings" tab and enable polling on the asset. Select a polling interval or schedule to configure polling on this asset; the suggested polling interval is 3 minutes.
8. Go back to the "Asset Settings" tab and click "Test Connectivity" to ensure a successful connection.

Ingesting events via Splunk Enterprise

The Splunk App for Splunk SOAR is used to pull event data from Splunk Enterprise. Artifacts pulled in from Splunk Enterprise have all the Carbon Black Cloud alert data packed into a single value and lack the necessary mappings. In order to operate on the Carbon Black Cloud events, the user needs to create a normalize artifact playbook. After the events have been processed by the playbook, all the containers ingested from Splunk Enterprise will be converted to the same format as the events ingested directly from Carbon Black Cloud, with support for all the Carbon Black Cloud contextual actions.
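As an added example (not code from this guide or from the Carbon Black Cloud app), here is a plain-Python sketch of what the normalize artifact playbook has to do: unpack the single packed value Splunk Enterprise hands over into mapped fields, and apply the same alert-type and minimum-severity filters the asset's ingest settings describe. The field names in FIELD_MAP, the severity buckets and the sample alert are assumptions; in a real playbook the returned dict would feed the artifact-creation call.

```python
import json
from typing import Any, Dict, Optional, Set

# Assumed mapping from Carbon Black Cloud alert keys to artifact (CEF-style) fields;
# the guide does not give the real playbook's mapping.
FIELD_MAP: Dict[str, str] = {
    "id": "alertId", "type": "alertType", "severity": "severity",
    "device_name": "deviceHostname", "device_id": "deviceId",
    "reason": "message", "threat_id": "threatId", "org_key": "orgKey",
}

def soar_severity(cbc_severity: int) -> str:
    """Assumed bucketing of the 1-10 Carbon Black Cloud severity into SOAR levels."""
    return "high" if cbc_severity >= 7 else "medium" if cbc_severity >= 4 else "low"

def normalize_artifact(packed: str, enabled_types: Set[str],
                       min_severity: int) -> Optional[Dict[str, Any]]:
    """Unpack one Splunk-ingested artifact value into a mapped artifact dict.
    Returns None when the value is not a JSON alert, the alert type is not enabled,
    or the severity is below the minimum (mirroring the asset's ingest settings)."""
    try:
        alert = json.loads(packed)
    except (TypeError, ValueError):
        return None
    if not isinstance(alert, dict):
        return None
    alert_type = str(alert.get("type", "")).upper()
    if alert_type not in enabled_types:  # the CB_ANALYTICS / WATCHLIST / ... checkboxes
        return None
    try:
        severity = int(alert.get("severity"))
    except (TypeError, ValueError):
        return None
    if severity < min_severity:  # Minimum Alert Severity setting
        return None
    cef = {FIELD_MAP[k]: v for k, v in alert.items() if k in FIELD_MAP}
    return {
        "name": f"{alert_type} alert {alert.get('id', '')}".strip(),
        "label": "alert",
        "severity": soar_severity(severity),
        "cef": cef,
        "data": alert,  # keep the raw alert so nothing from the packed value is lost
    }

# Constructed sample of a packed value as Splunk would hand it over (not real data).
SAMPLE_PACKED = json.dumps({
    "id": "EXAMPLE-ALERT-ID", "type": "CB_ANALYTICS", "severity": 7,
    "device_name": "WORKSTATION-01", "device_id": 12345, "org_key": "EXAMPLEORG",
    "reason": "Example detection reason", "threat_id": "EXAMPLE-THREAT-ID",
})
```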