Sentinel Carbon Black Connector Events log not coming through URGENT

Minghui Zou 186 Reputation points
2021-12-01T10:02:35.253+00:00

Hi cool guys in the community

I am having an issue with the Sentinel VMware Carbon Black connector. AuditLogs and Notification are ingested fine, but events are not coming through.

Also, on the function app page, we could not see any error message reported by the VMware.

On the data connector page we can find the statement:

"A Carbon Black API access level API ID and Key is required for Audit and Event logs."

Which means Sentinel fetches the Audit and Event logs from the same source; it does not make sense that one works and one does not.

Or is there a way to simulate Events on the VMware side? Any insights on this will be much appreciated.

Any things we can test?

Microsoft Security | Microsoft Sentinel

1 answer

  1. VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
    2021-12-01T11:30:28.82+00:00

    @Minghui Zou The Carbon Black connector for VMware is still in preview, and it seems the EVENT API on the Carbon Black side is deprecated: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/deprecated/rest-api/

    The changes required might take some time till it reaches its public launch in the Sentinel connector.

    You might want to explore this Custom API key option and see if that will work for you: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key
    This URL also might come in handy while you try the above: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-What-URLs-are-used-to-access-the-APIs/ta-p/67346

    If you need exact investigation details, you might have to open a support case for this.

    -----------------------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

