Endpoint Standard: What user information flows to SIEM?
Article ID: 288641
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Which username information do the logs written to a SIEM contain?
Environment
Carbon Black Cloud (formerly CB PSC): All versions
Endpoint Standard (formerly CB Defense): All versions
Resolution
The SIEM output only carries the "Installed by" user for a device. There is no field or filter for the current or last active user; this is by design.
Additional Information
To determine which user triggered a particular event or alert, call the event-details API and read the "userName" field: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#get-details-for-a-specific-event
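As an added example (not code from the KB article or from Carbon Black's own tooling), a small Python helper that looks an event up by ID and pulls out its userName; the v3 endpoint path, the X-Auth-Token header format, and the location of the field inside the response are assumptions to verify against the linked documentation for your tenant.

```python
"""Resolve the interactive user behind an Endpoint Standard event via the event-details API."""
import json
import urllib.request

# Assumption (not stated in the KB article): the legacy Cb Defense v3 event-details
# path and the "<api_secret>/<api_id>" X-Auth-Token format. Check the linked docs.
EVENT_DETAILS_PATH = "/integrationServices/v3/event/{event_id}"


def extract_user_name(event_details: dict):
    """Return the userName recorded for an event, or None if it is absent.

    The article says the response carries "userName"; where it sits in the JSON is
    an assumption here, so a top-level field and a nested eventInfo/processDetails
    field are both checked.
    """
    info = event_details.get("eventInfo", event_details)
    for container in (info, info.get("processDetails", {})):
        name = container.get("userName")
        if name:
            return name
    return None


def lookup_event_user(hostname: str, api_id: str, api_secret: str, event_id: str):
    """Fetch the event details for event_id and return its userName (network call)."""
    url = f"https://{hostname}{EVENT_DETAILS_PATH.format(event_id=event_id)}"
    headers = {"X-Auth-Token": f"{api_secret}/{api_id}"}  # assumed header format
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return extract_user_name(json.load(resp))


# Constructed sample response (not captured from a real tenant): the SIEM record for
# this device would show only the installing account, while the event itself ran as
# a different interactive user.
SAMPLE_EVENT_DETAILS = {
    "success": True,
    "eventInfo": {
        "eventId": "EXAMPLE-EVENT-ID",
        "deviceDetails": {"deviceName": "WS-0042"},
        "processDetails": {"name": "powershell.exe", "userName": "CORP\\jdoe"},
    },
}

if __name__ == "__main__":
    print(extract_user_name(SAMPLE_EVENT_DETAILS))  # CORP\jdoe
```

Feed the helper the event ID from the SIEM record to correlate the installing account with the user who actually triggered the alert.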