App Control: After Upgrade to 8.6, SIEM Alert Channels Broken Due to 'Device_Vendor' name change from 'VMware Carbon Black' to 'Carbon Black'
Article ID: 291053

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

After the upgrade to 8.6, SIEM alert channels are broken because they had been adjusted to the 'VMware Carbon Black' prefix.

Environment

  • App Control (Formerly CB Protection) Console: 8.6

Cause

Within the syslog strings, the device vendor field values were changed from 'VMware Carbon Black' back to 'Carbon Black'.

Resolution

  • Upgrade to App Control 8.7.x, where this has been fixed.
  • If an upgrade is not possible, the two queries below can be used to revert this change.
  • NOTE: It is always recommended to back up the DAS database before making changes in SQL.
  • For CEF, run the following query to revert the name change back to 'VMware Carbon Black':
    UPDATE das.dbo.events_syslog_map SET source = N'VMware Carbon Black' WHERE format = N'cef' AND dest = N'@devicevendor' AND source = N'Carbon Black';
  • For LEEF, run this query:
    UPDATE das.dbo.events_syslog_map SET source = N'VMware Carbon Black' WHERE format = N'leef' AND dest = N'@vendor' AND source = N'Carbon Black';
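
To confirm on the receiving side which vendor value is arriving before and after the fix, the following added example (not part of the original article or the product) reads the vendor field from the CEF or LEEF header of collected syslog lines and counts each case. Only the two vendor strings come from this article; the sample lines, the product name 'ExampleProduct' and the function names are constructed for illustration.

```python
import re

# The two vendor strings come from the article; everything else is constructed.
EXPECTED_VENDOR = "VMware Carbon Black"  # value the SIEM channels were adjusted to
RENAMED_VENDOR = "Carbon Black"          # value sent by an unfixed 8.6 console

_HEADER = re.compile(r"(CEF|LEEF):\d")   # start of the header inside a syslog line
_PIPE = re.compile(r"(?<!\\)\|")         # header separator; "\|" is an escaped pipe

# Constructed sample of collected syslog lines.
SAMPLE = [
    "<14>Jan  1 00:00:00 host CEF:0|Carbon Black|ExampleProduct|8.6|100|Sample event|4|msg=constructed",
    "<14>Jan  1 00:00:01 host CEF:0|VMware Carbon Black|ExampleProduct|8.7|100|Sample event|4|msg=constructed",
    "<14>Jan  1 00:00:02 host LEEF:1.0|Carbon Black|ExampleProduct|8.6|100|msg=constructed",
    "<14>Jan  1 00:00:03 host not a structured event",
]


def vendor_of(line):
    """Return (format, vendor) for a CEF or LEEF syslog line, or None."""
    m = _HEADER.search(line)
    if not m:
        return None
    # In both formats the vendor is the second pipe-delimited header field.
    fields = _PIPE.split(line[m.start():])
    if len(fields) < 2:
        return None
    return m.group(1).lower(), fields[1].replace("\\|", "|")


def audit(lines):
    """Count lines by vendor status; 'renamed' lines will not match the channels."""
    counts = {"expected": 0, "renamed": 0, "other": 0, "unparsed": 0}
    for line in lines:
        parsed = vendor_of(line)
        if parsed is None:
            counts["unparsed"] += 1
        elif parsed[1] == EXPECTED_VENDOR:
            counts["expected"] += 1
        elif parsed[1] == RENAMED_VENDOR:
            counts["renamed"] += 1
        else:
            counts["other"] += 1
    return counts


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-zero 'renamed' count in lines collected after the upgrade or the queries means the console is still sending 'Carbon Black' in that format.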