Solved: Why is VMware Carbon Black Cloud eventtypes not ap...

poconnell_t · ‎10-13-2022

I'm having issues with eventtypes not correctly being applied from VMware Carbon Black Cloud ingest that I can't figure out, as each search in the chain successfully finds events. These are the three eventtypes that chain together. The first two apply correctly (vmware_cbc_base_index, vmware_cbc_alerts), but not the third (vmware_cbc_malware).

From eventtypes.conf:

[vmware_cbc_base_index]
search = index=carbonblack_audit

[vmware_cbc_alerts]
search = eventtype=vmware_cbc_base_index sourcetype="vmware:cbc:s3:alerts" OR sourcetype="vmware:cbc:alerts"

[vmware_cbc_malware]
search = eventtype=vmware_cbc_alerts threat_cause_threat_category="*MALWARE*" NOT threat_cause_threat_category="*NON_MALWARE*"

When I use the search in the third eventtype (vmware_cbc_malware), I do get events. Search:

eventtype=vmware_cbc_alerts threat_cause_threat_category="*MALWARE*" NOT threat_cause_threat_category="*NON_MALWARE*"
| stats count by eventtype

eventtype count
vmware_cbc_alerts 65
vmware_cbc_base_index 65

Can anyone help me figure out why this third eventtype is not being applied?

poconnell_t · ‎10-14-2022

Sigh, nevermind, this was an issue with exports in default.meta.

View solution in original post

poconnell_t · ‎10-14-2022

Sigh, nevermind, this was an issue with exports in default.meta.

Why is VMware Carbon Black Cloud eventtypes not applying correctly?

configuration

troubleshooting

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases