Environment
- Carbon Black Cloud Console: All Supported Versions
- VMware Carbon Black Cloud App for Splunk: 1.x
- Splunk: 8.x
Symptoms
Alert URL is not included in the data sent to SIEM/API
Cause
The Data Forwarder, which is required to populate the Alert URL, was not configured.
Resolution
Use the following workaround:
- Copy the DEVICE_ID and ALERT_ID from the notification
- Navigate to the Investigate page
- Build a search query using the following search fields:
  - device_id:{DEVICE_ID} AND alert_id:{ALERT_ID}