VMware Carbon Black Cloud Sentinel Data connector not ingesting alerts- Sentinel
We have updated the VMware Carbon Black data connector to the new version. There are 2 functions in it. The audit event function is working OK, but the AlertsAPITimer function is not ingesting data. We have noticed that ORG KEY ID is a new required field because notification_cl is deprecated. We have added the ORG KEY ID to the environment variables, but this didn't fix the issue.
We can see there are no errors either, but there is also no data for alerts. We have triggered a few test alerts from the Carbon Black console, but still no data.
This is all the output we see
Hi @sandeep5234, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 27 June 2024. Thanks!
thank you @v-rusraut .
Hi @sandeep5234, We are working on reproduce the issue. Thanks
Thanks for the update @v-rusraut
@v-rusraut Any update on this?
Hey @sandeep5234, while configuring the function app, what value have you added for Log Types? Could you please check with the one below:
@v-sudkharat I have added the above log types and am getting the error below now.
@v-sudkharat the above error is coming up on the AuditEventAlertsTimer function, but the AlertsAPITimer function is still showing the same output after adding the new log types.
@sandeep5234, check the logs after updating the PowerShell version to 7.4 in the configuration tab:
And also check the runtime version; it should be 4:
Once the above changes are made, restart the function app and check the logs. Thanks!
ok checking now @v-sudkharat
@v-sudkharat things looking better than last time. I will ask customer to raise test alerts and confirm back.
@sandeep5234, great. So can we close this issue if it has been resolved? Please let us know if there is anything else for us. Thanks!
Hey @sandeep5234, while configuring the function app, what value have you added for Log Types? Could you please check with the one below:
Hi - Please can you confirm whether the correct format for this variable is as pictured, or whether the value should be -
["alert","audit","event","alertSIEMAPI"]
Thanks for your help!
Further to this, are there any full configuration documents you would recommend. The most helpful we have found is https://simple-security.ca/2023/05/02/cheat-sheet-for-configuring-carbon-black-cloud-edr-for-sentinel/
@v-sudkharat We have generated a few alerts in the Carbon Black console but still didn't get notifications in the Sentinel workspace. What else can we check?
Yes, you add those values.
Hi @sandeep5234, could you please check whether data is being ingested into the table CarbonBlackAlerts_CL, and let us know the result.
Currently, our team is planning to make this change in the solution as well. Thanks!
@v-sudkharat looks like that table is not created in the workspace
Will we need to create that table manually?
No the table should self create.
Hi - Please can you confirm the correct format for this variable is as pictured or the value should be - ["alert","audit","event","alertSIEMAPI"] Thanks for your help!
To confirm this only worked using the values seen in the document. NOT the ones I included here.
PowerShell version 7.2 in the app configuration.
The APP type variable - alertSIEMAPI,audit,event
Make these changes, then restart the app and re-run.
Within the function app, under Log Stream, post any further errors!
@MBCloudTeck applied the above settings but no change. My function app is not even creating the table in the workspace. But I can see it says 0 alerts. We definitely had some alerts over the weekend.
@v-sudkharat I have asked the customer to generate test alerts. In total 3 alerts were generated and I can see 3 alerts in the function app logs, but no data appears in the Sentinel workspace.
Please see below
Do you think it is something to do with dates shown so far behind in the logs?
Based on you getting that far, I would now go back to basics and investigate:
1. The format of the logs. Ensure the exact string above is listed. Use Postman to validate the call and response.
2. Validate the function app's access to the Log Analytics Workspace, or better, temporarily grant "Contributor" on the resource group the Log Analytics workspace sits in, and give it Sentinel Contributor temporarily just to be safe.
@v-sudkharat I have checked the Function app from my side but stuck now. Please let me know the next steps.
thanks @MBCloudTeck. I think the function's POST request uses the Workspace ID and Key to post data, and I think the same ID and key can be used to create the authorisation header as well.
Not sure what else to check.
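The authorisation header mentioned above can be checked independently of the function app. The added example below (not part of the Carbon Black connector or this thread) builds the SharedKey signature for the Log Analytics HTTP Data Collector API from a workspace ID and key and assembles a single test record for a custom log; the workspace ID, key and record contents are constructed placeholders. A 200 response confirms the credentials and Log-Type are accepted, after which the `_CL` table self-creates.

```python
import base64, hashlib, hmac, json, re
from datetime import datetime, timezone
from urllib import request

# Constructed placeholders: real values come from the workspace's "Agents" blade.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_KEY = base64.b64encode(b"constructed-placeholder-shared-key-32b!!").decode()

def is_valid_log_type(log_type: str) -> bool:
    """Log-Type may only contain letters, digits and underscore (max 100 chars)."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type) is not None

def log_type_to_table(log_type: str) -> str:
    """Log-Type header -> the custom table the service creates on first ingest."""
    if not is_valid_log_type(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    return f"{log_type}_CL"

def build_signature(workspace_id, shared_key, date, content_length, method="POST",
                    content_type="application/json", resource="/api/logs"):
    """SharedKey authorization header: HMAC-SHA256 over the canonical request string."""
    string_to_hash = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{date}\n{resource}"
    digest = hmac.new(base64.b64decode(shared_key), string_to_hash.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(workspace_id, shared_key, log_type, records, date=None):
    """Assemble URL, headers and body as a dict so it can be inspected before sending."""
    date = date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return {"url": url, "headers": headers, "body": body, "table": log_type_to_table(log_type)}

def send(req):
    """POST the assembled request; HTTP 200 means the record was accepted."""
    r = request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    with request.urlopen(r, timeout=30) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed test record with a minimal alert-like shape.
    test_record = [{"id": "test-0001", "severity": 3, "reason": "connector smoke test"}]
    req = build_request(WORKSPACE_ID, WORKSPACE_KEY, "CarbonBlackAlerts", test_record)
    print(req["table"], req["headers"]["Authorization"][:20] + "...")
    # print(send(req))  # uncomment once real workspace credentials are in place
```

If the test record lands but the function app's own records do not, the problem is in the function's request (Log-Type string, date header or body), not in workspace permissions.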
Hi @sandeep5234, let's connect via a call to understand and troubleshoot the issue. Could you please send your mail id to us at - [email protected]
@v-sudkharat I have sent you the email and added my availability as well.
Hi @sandeep5234, sent an invite via mail. Thanks!
Hey @sandeep5234, as we are in touch with our support team for this issue and keeping you updated over mail, can we close this issue on GitHub? Thanks!
@v-sudkharat yes you can close this case. Thank you.