Sentinel Carbon Black Connector Events log not coming through URGENT

Question

Hi cool guys in the community

I am having issue with the Sentinel VMware Carbon Black connector, AuditLogs, Notification, are ingested fine. But events are not coming through.

also on the function app page, we could not see any error message reported by the VMware.

on the data connector page we can find the statement.

"A Carbon Black API access level API ID and Key is required for Audit and Event logs."

which means sentinel fetch the Audit and event logs from a same source, it does not make sense that one work and one do not.

or is there a way to simulate Events on VMware side? any insights on this will be much appreciated.

any things we can test?????

Answer 1

@Minghui Zou The Carbon Black connector for VMWare is still in preview and it seems the EVENT API on Carbon black side is deprecated : https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/deprecated/rest-api/

The changes required might take some time till it reaches is public launch in Sentinel connector.

You might want to explore this Custom API key option and see if that will work for you : https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key
This URL also might come in handy while you try above : https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-What-URLs-are-used-to-access-the-APIs/ta-p/67346

If you need exact investigation details, you might have to open a support case for this.

-----------------------------------------------------------------------------------------------------------------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.