The VMware Carbon Black App Control Events Guide describes the events generated, tracked, and stored by VMware Carbon Black App Control, and the ways you can access these events.
The descriptions in this document will help you locate the specific events you need and filter out those not of interest. If you need more information about App Control features associated with these events, see the VMware Carbon Black App Control User Guide for this release.
Section 1, Event Specification, describes the content, structure and purpose of these events for the benefit of integrators interested in using them outside of the Carbon Black App Control environment. This section includes a comprehensive set of event type tables with respective subtypes and their descriptions.
Section 2, Access to App Control Event Data, describes the ways you can access App Control event data outside of the App Control Console user interface. For supported syslog formats, this section shows how event data is mapped.
Section 3, Health Check Events, provides an overview of the various health check events, their severity, guidance on where to begin the investigation, and tools to use for troubleshooting.
App Control events provide a critical set of audit data required by many organizations for compliance, legal, and reporting purposes. Among other things, they can show you:
- who is using App Control
- what App Control Server configuration changes have been made
- conditions requiring action (e.g., low disk space or database issues)
For computers running the App Control Agent, events provide information such as:
- file executions that have been blocked due to security rules
- malicious files found by App Control or connected third-party security devices
- new devices found
The App Control API lets programmers interact with App Control from custom scripts or from other applications. As with actions performed through the App Control Console, App Control API activity creates an audit trail; the API user taking the action is identified in the event.
This guide is useful for many audiences. Depending on your role and use case, how you use these events will vary. For example:
- A Help Desk responding to an end user request might be interested in all block events for a given computer.
- An IT security specialist responding to an incident might be interested in new file executions and events related to file installation groups.
- An App Control administrator establishing corporate policies might be interested in classes of events specific to a particular policy interest, such as discovery of new devices or execution of unapproved files (i.e., files neither approved nor banned).
You can find the event types and subtypes nested under Event Tables. Each event type has a specific table that describes the subtypes and events as they appear in this version of App Control.