Environment
- Integration services/v3/auditlogs API: v3
- Carbon Black Cloud Server: All versions
- Carbon Black Cloud Sensor: All versins
Symptoms
v3/auditlogs errors when using Custom APL access level permission -> Audit log = Read
curl -H ‘X-Auth-Token:AAAAAAAAAAAAAAAAAAAAAAAA/ZZZZZZZZZZ' https://defense-prod05.conferdeploy.net/integrationServices/v3/auditlogs
{"message":"Forbidden","success":false}
Cause
This is limitation CBC-26867.
Resolution
CBC-26867 feature (currently on the road map May, 2023) will allow v3/auditlogs API calls with the custom access level permission Audit log = Read.
Until then the legacy SIEM key is required.