Environment
- Carbon Black Cloud Console: All supported Versions
Objective
How to troubleshoot events that are not found in SIEM
Resolution
Open a case with CB Support. Support will begin by collecting the following information:
- In the Alerts tab, open the Notification history for the specific alert to confirm whether a notification for it was sent successfully; this shows whether the alert is behaving as expected.
- In the Notifications tab, check the Notification history to confirm that notifications in general are being sent successfully.
- In the API Keys tab, check the Notification history for the specific connector. Is it receiving and sending notifications properly? Its settings may need to be adjusted.
- Verify that the Access Level of the connector's API key is set to SIEM if events (notifications) are being forwarded.
- If the Access Level API was chosen instead, the connector configured with that API key will not receive notifications. Note: the Access Level of a key cannot be changed after it is created; a new key with the correct Access Level must be created and the connector reconfigured to use it.
- Support will also verify the settings in the connector configuration file (Connector.cfg), including the API ID, API Key, Server URL, ports and communication type, and compare them against the values in the console.
- Check that the Server URL is correct for your organization's Carbon Black Cloud environment.
- List of URLs
Additional Notes
- Detailed description of how to check for logs
- An API key with the Access Level SIEM can only be used to retrieve notifications.
- A curl command against any endpoint other than notifications requires a key with the Access Level API.
- Events that are associated with an alert after that alert has first been pulled may not appear in the SIEM; this is a consequence of how notifications are delivered, not a connector fault.
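The following script is an added example for this article, not Carbon Black's own connector code. It polls the Carbon Black Cloud notifications endpoint the way a SIEM connector does, using a SIEM-level key, and shows two things a manual curl test does not make obvious: the `X-Auth-Token` header is `<API Secret Key>/<API ID>` (secret first), and each notification is delivered to a given key only once, so a manual test pull made with the connector's own key consumes notifications the connector will then never see. The hostname, API ID and secret are placeholders, the sample notifications are constructed, and `FakeNotificationServer` is a stand-in for the real endpoint so the script can be run offline; swap in `http_get` to poll a real environment.

```python
"""Poll CBC notifications with a SIEM-level API key (added example, not vendor code)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Endpoint path for the notifications API; the hostname is the org's Server URL.
NOTIFICATION_PATH = "/integrationServices/v3/notification"

Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str]]


def auth_header(api_id: str, api_secret: str) -> Dict[str, str]:
    """Build the CBC auth header. Order matters: secret key first, then API ID."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}"}


def notification_url(hostname: str) -> str:
    return f"https://{hostname}{NOTIFICATION_PATH}"


def http_get(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real fetcher: returns (HTTP status, body) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def poll_notifications(hostname: str, api_id: str, api_secret: str,
                       fetch: Fetcher = http_get) -> List[dict]:
    """One poll cycle. Raises PermissionError when the key is rejected, which is
    what you see when the key's Access Level is API instead of SIEM or when the
    ID/secret pair does not match the console."""
    status, body = fetch(notification_url(hostname), auth_header(api_id, api_secret))
    if status in (401, 403):
        raise PermissionError(
            f"HTTP {status}: key rejected. Check the API ID/secret pair and that the "
            "key's Access Level is SIEM; an API-level key cannot read notifications.")
    if status != 200:
        raise RuntimeError(f"HTTP {status}: {body[:200]}")
    data = json.loads(body)
    if not data.get("success", False):
        raise RuntimeError(f"API reported failure: {data.get('message')}")
    return data.get("notifications", [])


class FakeNotificationServer:
    """Constructed stand-in for the endpoint. Like the real service, it hands each
    pending notification out once and rejects any token other than the one it knows."""

    def __init__(self, pending: List[dict], accepted_token: str):
        self.pending = list(pending)
        self.accepted_token = accepted_token

    def __call__(self, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if headers.get("X-Auth-Token") != self.accepted_token:
            return 401, json.dumps({"success": False, "message": "Unauthorized"})
        batch, self.pending = self.pending, []          # drained on delivery
        return 200, json.dumps({"success": True, "message": "Success",
                                "notifications": batch})


# Constructed sample notifications (field names follow the v3 notification shape).
SAMPLE_NOTIFICATIONS = [
    {"type": "THREAT", "ruleName": "Critical alerts", "eventTime": 1700000000000,
     "eventDescription": "[constructed] suspicious powershell.exe execution"},
    {"type": "POLICY_ACTION", "ruleName": "Policy blocks", "eventTime": 1700000001000,
     "eventDescription": "[constructed] application blocked by policy"},
]


def demo() -> Tuple[int, int, bool]:
    """Returns (first poll count, second poll count, api_key_rejected).
    The second poll is empty: a manual test pull with the connector's key starves it."""
    host, siem_id, siem_secret = "defense.example.invalid", "SIEMKEYID", "siemsecret"
    server = FakeNotificationServer(SAMPLE_NOTIFICATIONS, f"{siem_secret}/{siem_id}")
    first = len(poll_notifications(host, siem_id, siem_secret, fetch=server))
    second = len(poll_notifications(host, siem_id, siem_secret, fetch=server))
    try:  # a key created with Access Level API instead of SIEM
        poll_notifications(host, "APIKEYID", "apisecret", fetch=server)
        rejected = False
    except PermissionError:
        rejected = True
    return first, second, rejected


if __name__ == "__main__":
    print(demo())  # (2, 0, True)
```

If you must test the endpoint by hand while the connector is running, create a separate SIEM-level key for the test rather than reusing the connector's, otherwise the notifications your curl drains are gone for the connector.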
Related Content