Carbon Black Cloud: How to Troubleshoot Events Not Found in SIEM
By
CB_Support
posted
Sep 10, 2020 02:14 AM
Environment
Carbon Black Cloud Console: All supported Versions
Objective
How to troubleshoot events that are not found in SIEM
Resolution
Open a case with Carbon Black Support. The case begins with collecting the following information from the console and from the connector host:

1. In the Alerts tab, open the Notification history for the specific alert to confirm whether the notification for it was sent successfully and whether the alert is behaving as expected.
2. In the Notifications tab, check the Notification history to confirm that notifications in general are being sent successfully.
3. In the API Keys tab, check the Notification history for the connector's API key. Is it receiving and sending notifications properly? Its settings may need to be adjusted.
4. Verify that the API key's Access Level is SIEM if events are forwarded to a SIEM. A key created with Access Level API will not deliver notifications to the connector configured with it, whatever name the key was given. Note: the access level of an API key cannot be changed after it is created; create a new key with Access Level SIEM and reconfigure the connector with it.
5. Support will verify the settings in the Connector.cfg file, including the API ID, API Key, Server URL, ports and type of communication, and compare them with the values in the console.
6. Check that the Server URL is correct (see the list of URLs in "Carbon Black Cloud: What URLs are used to access the APIs?" under Related Content).
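As an added illustration of the connector-file checks above (this is example code written for this article, not Carbon Black's connector code and not from the original page), the script below reads an INI-style connector configuration and flags the mistakes the checklist looks for: a missing API ID or API Key, a Server URL that is not HTTPS, and a Server URL that carries a path instead of the bare API host. The section names and the keys api_connector_id, api_key and server_url are assumptions chosen to mirror the article's "API ID, API Key, Server URL", and the sample configuration is constructed. The script also builds the X-Auth-Token value (API Key, a slash, then API ID) and the curl call against the notification endpoint, which is the one call a SIEM-level key is meant for. The key's access level is not stored in the file and can only be confirmed in the console's API Keys tab.

```python
"""Offline sanity check of a Carbon Black Cloud SIEM connector configuration.

Added example, not Carbon Black's connector code.  Assumptions: the connector
config is INI-style with a [general] section plus one section per tenant that
carries api_connector_id, api_key and server_url (hypothetical key names that
mirror the article's "API ID, API Key, Server URL"), and the API authenticates
with the header  X-Auth-Token: <api_key>/<api_connector_id>.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample config: one well-formed tenant section and one that has
# the mistakes the article tells support to look for (missing key, http://,
# a URL that points at an endpoint path instead of the API host).
SAMPLE_CONFIG = """
[general]
output_format = json
output_type = tcp
tcp_out = siem.example.internal:514

[cbdefense1]
api_connector_id = ABCD1234
api_key = SECRETKEY0000000000000000
server_url = https://defense.example.test

[cbdefense2]
api_connector_id = WXYZ9876
server_url = http://defense.example.test/integrationServices/v3/notification
"""

REQUIRED_KEYS = ("api_connector_id", "api_key", "server_url")


def parse_connector_config(text):
    """Parse the INI text; interpolation is off so '%' in a key is harmless."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def tenant_sections(cp):
    """Every section except [general] is assumed to describe one tenant."""
    return [s for s in cp.sections() if s != "general"]


def validate_tenant(cp, section):
    """Return a list of problems found in one tenant section (empty = OK)."""
    problems = []
    for key in REQUIRED_KEYS:
        if not cp.get(section, key, fallback="").strip():
            problems.append(f"{section}: missing {key}")
    url = cp.get(section, "server_url", fallback="").strip()
    if url:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{section}: server_url must use https, got {parsed.scheme!r}")
        if not parsed.netloc:
            problems.append(f"{section}: server_url has no host")
        if parsed.path not in ("", "/"):
            problems.append(f"{section}: server_url should be the bare API host, drop the path {parsed.path!r}")
    return problems


def auth_header(cp, section):
    """X-Auth-Token value for a tenant section; the order is key, slash, ID."""
    return f"{cp.get(section, 'api_key')}/{cp.get(section, 'api_connector_id')}"


def notification_curl(cp, section):
    """curl call against the notification endpoint, the only call a SIEM-level key serves."""
    base = cp.get(section, "server_url").rstrip("/")
    return (f"curl -s -H 'X-Auth-Token: {auth_header(cp, section)}' "
            f"'{base}/integrationServices/v3/notification'")


def check_config(text):
    """Map each tenant section to the problems found in it."""
    cp = parse_connector_config(text)
    return {s: validate_tenant(cp, s) for s in tenant_sections(cp)}


if __name__ == "__main__":
    cfg = parse_connector_config(SAMPLE_CONFIG)
    for section, problems in check_config(SAMPLE_CONFIG).items():
        print(section, "OK" if not problems else problems)
        if not problems:
            print("  ", notification_curl(cfg, section))
```

Run it against the real Connector.cfg by reading the file into check_config; a clean result for every tenant section still leaves step 4 (the key's Access Level) to be confirmed in the console, and a 401 or 403 from the curl call with a clean file is the usual sign that the key was created with Access Level API rather than SIEM.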
Additional Notes
Detailed description of how to check for logs
The Access Level of SIEM can only be used for notifications.
A curl command for anything other than notifications should use a key with the Access Level of API.
Events that appear after an Alert has first been pulled may not appear, due to this behavior.
Related Content
Carbon Black Cloud: What URLs are used to access the APIs?
Carbon Black Cloud: How to Troubleshoot Connector or API Issues
Carbon Black Cloud: How to Configure cb-defense-syslog.conf for Syslog Connector
Cb Defense: What do the HTTP Error Codes for the SIEM Connector mean?
Carbon Black Cloud: Is it Possible to Send Audit Logs to a SIEM?
CB Defense: Can the information sent to SIEMs be configured or modified?
Cb Defense: What firewall ports need to be open for the SIEM Connector?
Endpoint Standard: Alert reason differs between UI and SIEM notification
#EndpointStandard
#CarbonBlackCloud
Copyright 2019. All rights reserved.