App Control: After Upgrade to 8.6, SIEM Alert Channels Broken Due to 'Device_Vendor' name change from 'VMware Carbon Black' to 'Carbon Black'
Article ID: 291053
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
After the upgrade to 8.6, SIEM alert channels are broken because they had been adjusted to match the 'VMware Carbon Black' prefix.
Environment
- App Control (formerly Cb Protection) Console: 8.6
Cause
Within the syslog strings, the device vendor field value was changed from 'VMware Carbon Black' back to 'Carbon Black'.
Resolution
- Upgrade to App Control 8.7.x, where this has been fixed.
- If an upgrade is not possible, the two queries below can be used to revert this change.
- NOTE: It is always recommended to back up the DAS database before making changes in SQL.
- For CEF, run the following query to revert the name change back to 'VMware Carbon Black':
    UPDATE das.dbo.events_syslog_map
    SET source = N'VMware Carbon Black'
    WHERE format = N'cef' AND dest = N'@devicevendor' AND source = N'Carbon Black';
- For LEEF, run this query:
    UPDATE das.dbo.events_syslog_map
    SET source = N'VMware Carbon Black'
    WHERE format = N'leef' AND dest = N'@vendor' AND source = N'Carbon Black';
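On the SIEM side, a parser rule that accepts both vendor values keeps alert channels working across this kind of rename. The following is an added example, not code from this article or from Carbon Black; the function names and the sample lines (including the product field `ExampleProduct`) are constructed for illustration.

```python
# Vendor values named in the article; matching is case-insensitive.
VENDOR_ALIASES = {"carbon black", "vmware carbon black"}
CANONICAL_VENDOR = "VMware Carbon Black"


def _header_fields(text, count):
    """Split the first `count` pipe-delimited header fields, honouring \\| and \\\\."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "\\|":
            cur.append(text[i + 1])  # escaped pipe or backslash stays in the field
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields


def device_vendor(line):
    """Return the vendor header field of a CEF or LEEF message, or None."""
    for marker in ("CEF:", "LEEF:"):
        start = line.find(marker)  # tolerate a syslog prefix before the header
        if start != -1:
            fields = _header_fields(line[start:], 2)
            return fields[1].strip() if len(fields) == 2 else None
    return None


def canonical_vendor(line):
    """Map either vendor spelling to one value the alert rules can key on."""
    vendor = device_vendor(line)
    if vendor is not None and vendor.casefold() in VENDOR_ALIASES:
        return CANONICAL_VENDOR
    return vendor


# Constructed sample messages (not real App Control output).
SAMPLES = [
    "<14>Jan 01 00:00:00 host CEF:0|Carbon Black|ExampleProduct|8.6|100|Constructed event|5|msg=test",
    "LEEF:1.0|VMware Carbon Black|ExampleProduct|8.5|100|msg=test",
    "CEF:0|Other\\|Vendor|ExampleProduct|1.0|100|Constructed event|5|msg=test",
]
```

Keying alert rules on the output of `canonical_vendor` means events from 8.6 and from other versions land in the same channel, whether or not the database mapping has been reverted.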