Carbon Black Cloud: Audit logs not showing successful communication attempts for API Access key used on IntegrationServices API



Article ID: 290906


Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Audit logs are not showing successful communication attempts for an API Access key used on the IntegrationServices API to connect with a SIEM.

Environment

  • Carbon Black Cloud: Endpoint Standard
  • IntegrationServices API Connector
  • API Access Key with "API (Doc)" of "SIEM" Access Level Type
  • SIEM

Cause

If an API Access key connects to the IntegrationServices API route more frequently than every 30 minutes, it will NOT get an audit log entry, because the session is still active and Carbon Black Cloud is reusing it. This logic applies only to the IntegrationServices API.

Resolution

This is working as designed. To generate an audit event, the API key must not attempt to reconnect until after the 30-minute timeout has expired. A new session is then started and a new audit log event is created, like this:
"<TIME><DATE> <API Key> Connector <API Key> logged in successfully"
However, the "LAST REPORTED TIME" for the API key on the API Access page of the Carbon Black Cloud console continues to work as an indication of the last time that key successfully connected to the backend.
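
A small model of the session reuse described above, added here as an example and not Carbon Black code: given a key's connection times, it returns the ones that would start a new session and so get an audit entry. It assumes the 30-minute timeout is measured from the key's previous connection; the function names and sample times are constructed.

```python
from datetime import datetime, timedelta

# 30-minute session timeout stated in the article.
SESSION_TIMEOUT = timedelta(minutes=30)


def audit_logged_connections(connections, timeout=SESSION_TIMEOUT):
    """Return the connection times that would open a new session.

    Assumption (not stated in the article): the timeout is measured from the
    key's previous connection, so each reuse keeps the session alive, and a
    gap of exactly `timeout` counts as expired.
    """
    logged = []
    last_seen = None
    for ts in sorted(connections):
        if last_seen is None or ts - last_seen >= timeout:
            logged.append(ts)  # new session -> "logged in successfully" entry
        last_seen = ts  # reused or new, the session was just used
    return logged


def poll_times(start, interval_minutes, count):
    """Constructed sample data: `count` polls at a fixed interval."""
    return [start + timedelta(minutes=interval_minutes * i) for i in range(count)]


def summarize(connections):
    """Compare what the audit log shows with what LAST REPORTED TIME shows."""
    logged = audit_logged_connections(connections)
    return {
        "connections": len(connections),
        "audit_entries": len(logged),
        "last_audit_entry": logged[-1] if logged else None,
        "last_reported_time": max(connections) if connections else None,
    }


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 0, 0)  # constructed start time
    for interval in (5, 45):
        print(interval, "min polling:", summarize(poll_times(start, interval, 12)))
```

Under this model a SIEM connector polling every 5 minutes yields a single audit entry no matter how long it runs, so key activity has to be judged from "LAST REPORTED TIME" instead of the audit log.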