The Events page provides access to all recorded events related to Carbon Black App Control activities in your environment, including files blocked, unapproved files executed, system management processes and actions by console users.

The Carbon Black App Control Server updates its event data in near-real-time for connected computers, with minor variations due to event volume. See Event Reports for more details.

You can optionally choose to direct the Carbon Black App Control Syslog event output for post-processing on another system. See Event Management Options for more details.

When the Carbon Black App Control Connector for Network Security Devices is enabled, connector-related events appear in the Carbon Black App Control event log. There are several key additions or changes to Carbon Black App Control events due to the integration with network security devices:

  • External Notification – This event subtype (the subtype is the most specific identifier for an event) is under the Discovery type. It is generated for external notifications (currently from Palo Alto Networks) received by the Carbon Black App Control Server. However, it is not generated for an external notification that is received as a result of a file submission if a File Analysis Complete event is also generated.
  • Connector Actions in Other Events – Other events that can report connector-related activity are shown in the following table. Most of these event subtypes are also used for other purposes; descriptions that could appear for the subtype but are not related to network security device activity are not shown here. See the separate VMware Carbon Black App Control Events Guide for a complete description of all event types and subtypes in Carbon Black App Control and how to enable Syslog event output.
Table 1. Connector-Related Events in the App Control Event Log

| Event Type | Event Subtype | External Notification-Related Description and Samples |
|---|---|---|
| Discovery | Malicious file detected | `Unknown file '$filename$' [$param1$] was identified by $param3$ as malicious.` or `File '$filename$' [$param1$] was identified by $param3$ as malicious.` |
| Discovery | Potential risk file detected | `Unknown file '$filename$' [$param1$] from $param3$ was identified by $param3$ as potential risk.` or `File '$filename$' [$param1$] from $param3$ was identified by $param3$ as potential risk.` |
| Discovery | External Notification | `$Provider$ reported $malware type$ with name $malware name$ for file '$filename' from $src_ip to $target_ip` |
| Computer Management | File Upload Requested | `User '$username$' requested upload of file [$hash$] from computer '$computer$'.` or `User '$username$' requested upload of file '$param1$' from computer '$computer$'.` or `Upload of file [$hash$] from computer '$computer$' was requested by event rule '$ruleName$'.` Note: Reported uploads could be unrelated to External Notifications. |
| Computer Management | File Upload Completed | `Upload of file [$hash$] from computer '$computer$' completed.` or `Upload of file '$param1$' from computer '$computer$' completed.` |
| Computer Management | File Upload Canceled | `User '$username$' canceled upload of file [$hash$] from computer '$computer$'.` or `User '$username$' canceled upload of file '$param1$' from computer '$computer$'.` |
| Computer Management | File Upload Error | `Upload of file [$hash$] from computer '$computer$' failed because of error '$param2$'.` or `Upload of file '$param1$' from computer '$computer$' failed because of error '$param2$'.` |
| Computer Management | File Upload Deleted | `User '$username$' deleted uploaded file [$hash$].` or `User '$username$' deleted uploaded file '$param1$'.` |
| General Management | Event rule created | `Event rule '$param1$' has been created by '$userName$'.` |
| General Management | Event rule modified | `Event rule '$param1$' has been modified by '$userName$'.` |
| General Management | Event rule deleted | `Event rule '$param1$' has been deleted by '$userName$'.` |
| Server Management | File analysis requested | `User '$username$' requested analysis of file [$hash$] with '$param1$'.` or `Analysis of file [$hash$] with '$param1$' was requested by event rule '$ruleName$'.` |
| Server Management | File analysis completed | `File '$filename$' [$hash$] was successfully analyzed with '$param1$'. Nothing suspicious was found.` or `File '$filename$' [$hash$] was successfully analyzed with '$param1$'. It was reported as malicious.` |
| Server Management | File analysis canceled | `User '$username$' canceled analysis of file '$filename$' [$hash$] with '$param1$'.` |
| Server Management | File analysis error | `Analysis of file '$filename$' [$hash$] with '$param1$' failed because of error '$param2$'.` |
| Server Management | Server error | `$param1$` Note: This is not specific to connectors but may report connector-related errors, such as failure to connect to or authenticate with a device. |
| Server Management | Connector restart | `Connector started, build information: $param1$.` |
| Server Management | Connector shutdown | `Connector shutdown cleanly.` |
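The message templates in the table above can drive post-processing of the Syslog event output on another system. The following parser, an added example that is not code from this page or from Carbon Black, turns the Discovery templates into regular expressions (handling the repeated $param3$ placeholder as a backreference) and extracts the file and provider from constructed sample messages; it assumes the syslog framing has already been stripped so only the message text is matched.

```python
import re

# Message templates copied from the connector-related events table on this page,
# keyed by (event type, event subtype), with the table's alternative wordings.
TEMPLATES = {
    ("Discovery", "Malicious file detected"): [
        "Unknown file '$filename$' [$param1$] was identified by $param3$ as malicious.",
        "File '$filename$' [$param1$] was identified by $param3$ as malicious.",
    ],
    ("Discovery", "Potential risk file detected"): [
        "Unknown file '$filename$' [$param1$] from $param3$ was identified by $param3$ as potential risk.",
        "File '$filename$' [$param1$] from $param3$ was identified by $param3$ as potential risk.",
    ],
}
_PLACEHOLDER = re.compile(r"\$(\w+)\$")

def template_to_regex(template):
    """Escape literal text; $name$ becomes a named group and a repeated
    placeholder (the table's double $param3$) becomes a backreference."""
    parts, seen, pos = [], set(), 0
    for m in _PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name = m.group(1)
        parts.append(f"(?P={name})" if name in seen else f"(?P<{name}>.+?)")
        seen.add(name)
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")

COMPILED = [(key, template_to_regex(t)) for key, ts in TEMPLATES.items() for t in ts]

def classify(message):
    """Return (event type, subtype, fields) for a known message, else None."""
    for (etype, subtype), rx in COMPILED:
        m = rx.match(message)
        if m:
            return etype, subtype, m.groupdict()
    return None

def flagged_files(messages):
    """(filename, provider) pairs for files a network security device reported."""
    hits = (classify(msg) for msg in messages)
    return [(h[2]["filename"], h[2]["param3"]) for h in hits if h and h[0] == "Discovery"]

# Constructed sample messages for this example, not real server output.
SAMPLE_MESSAGES = [
    "File 'invoice.exe' [a1b2c3] was identified by Palo Alto Networks as malicious.",
    "Unknown file 'setup.exe' [d4e5f6] from Palo Alto Networks was identified by Palo Alto Networks as potential risk.",
    "Connector shutdown cleanly.",
]
```

Messages whose provider differs between the two $param3$ positions, or that match no template (such as the connector shutdown message), are returned as None rather than mis-attributed.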

Additional Log Information

In addition to the Carbon Black App Control event log, additional information is available in the log files for the connector integrations. This information is located in the following locations under the Carbon Black App Control installation folders:

  • Palo Alto Networks – \Bit9\Parity Server\Reporter\ParityReporter.log.

You might see other logs for custom connectors or deprecated connectors from previous Carbon Black App Control releases.