CB Defense: SIEM Connector Generating <Response [401]> errors despite using correct API Key Values

Article ID: 291581

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • SIEM not receiving events/notifications
  • SIEM Connector logs showing <Response [401]> errors
  • Correct API ID and API Secret Key set in .conf file
  • Authorized IP in use in API Key settings in CB Defense Web Console

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense SIEM Connector

Cause

  • Authorized IP Address is set incorrectly in the Console

Resolution

  1. Go to Settings > API Keys
  2. Find the SIEM API Key being used
  3. Clear out Authorized IP and leave blank
  4. Go to Settings > Notifications
  5. Ensure that the SIEM API Key is listed as a subscriber on at least one Notification
  6. Check .log file for connection status (200 should be returned)
  7. Check to see if events begin populating in SIEM
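
For step 6, the following added example (not part of the original article or the connector's own code) scans a connector log for `<Response [NNN]>` tokens and reports whether the 401 errors have given way to 200 responses. It assumes only that the log contains the token in the form shown above; the sample lines, their timestamps, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches the status token the connector writes, e.g. "<Response [401]>".
RESPONSE_RE = re.compile(r"<Response \[(\d{3})\]>")

def response_codes(lines):
    """Return (line_number, status_code) for every response token found."""
    found = []
    for number, line in enumerate(lines, start=1):
        for match in RESPONSE_RE.finditer(line):
            found.append((number, int(match.group(1))))
    return found

def summarize(lines):
    """Summarize connection status: counts, latest code, recovery point."""
    codes = response_codes(lines)
    counts = Counter(code for _, code in codes)
    last_401 = max((n for n, c in codes if c == 401), default=None)
    # First 200 seen after the most recent 401 marks where polling recovered.
    recovered_at = next(
        (n for n, c in codes if c == 200 and (last_401 is None or n > last_401)),
        None,
    )
    latest = codes[-1][1] if codes else None
    return {
        "counts": dict(counts),
        "latest": latest,
        "last_401_line": last_401,
        "recovered_at_line": recovered_at,
        "healthy": latest == 200,
    }

# Constructed sample log lines (timestamps and wording are illustrative only).
SAMPLE_LOG = """\
2024-01-01 10:00:00 INFO polling notifications
2024-01-01 10:00:01 ERROR <Response [401]>
2024-01-01 10:01:01 ERROR <Response [401]>
2024-01-01 10:02:01 INFO <Response [200]>
2024-01-01 10:03:01 INFO <Response [200]>
""".splitlines()

if __name__ == "__main__":
    import sys
    # Pass the connector's .log file path as an argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            print(summarize(handle.read().splitlines()))
    else:
        print(summarize(SAMPLE_LOG))
```

A `healthy` value of `False` after the API key change means the most recent response in the log is still not 200.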

Additional Information

  • If events do not start to populate, please open a case with support.
  • If events do begin to populate, verify that the external IP address you had previously set is correct before setting the Authorized IP again.