The Events page provides access to all recorded events related to Carbon Black App Control activities in your environment, including files blocked, unapproved files executed, system management processes and actions by console users.
The Carbon Black App Control Server updates its event data in near-real-time for connected computers, with minor variations due to event volume. See Event Reports for more details.
You can optionally choose to direct the Carbon Black App Control Syslog event output for post-processing on another system. See Event Management Options for more details.
When the Carbon Black App Control Connector for Network Security Devices is enabled, connector-related events appear in the Carbon Black App Control event log. There are several key additions or changes to Carbon Black App Control events due to the integration with network security devices:
- External Notification – This event subtype (subtype is the most specific identifier for an event) is under the Discovery type. It is generated for external notifications (currently from Palo Alto Networks) received by the Carbon Black App Control Server. However, it is not generated for an external notification that is received as a result of a file submission if a File Analysis Complete is also generated.
- Connector Actions in Other Events – Other events that can report connector-related activity are shown in the following table. Most of these event subtypes are also used for other purposes – descriptions that could appear for the subtype but are not related to network security device activity are not shown here. See the separate VMware Carbon Black App Control Events Guide for a complete description of all event types and subtypes in Carbon Black App Control and how to enable Syslog event output.
| Event Type | Event Subtype | External Notification-Related Description and Samples |
|---|---|---|
| Discovery | Malicious file detected | Unknown file '$filename$' [$param1$] was identified by $param3$ as malicious. or File '$filename$' [$param1$] was identified by $param3$ as malicious. |
| Discovery | Potential risk file detected | Unknown file '$filename$' [$param1$] from $param3$ was identified by $param3$ as potential risk. or File '$filename$' [$param1$] from $param3$ was identified by $param3$ as potential risk. |
| Discovery | External Notification | $Provider$ reported $malware type$ with name $malware name$ for file '$filename' from $src_ip to $target_ip |
| Computer Management | File Upload Requested | User '$username$' requested upload of file [$hash$] from computer '$computer$'. or User '$username$' requested upload of file '$param1$' from computer '$computer$'. or Upload of file [$hash$] from computer '$computer$' was requested by event rule '$ruleName$'. Note: Reported uploads could be unrelated to External Notifications. |
| Computer Management | File Upload Completed | Upload of file [$hash$] from computer '$computer$' completed. or Upload of file '$param1$' from computer '$computer$' completed. |
| Computer Management | File Upload Canceled | User '$username$' canceled upload of file [$hash$] from computer '$computer$'. or User '$username$' canceled upload of file '$param1$' from computer '$computer$'. |
| Computer Management | File Upload Error | Upload of file [$hash$] from computer '$computer$' failed because of error '$param2$'. or Upload of file '$param1$' from computer '$computer$' failed because of error '$param2$'. |
| Computer Management | File Upload Deleted | User '$username$' deleted uploaded file [$hash$]. or User '$username$' deleted uploaded file '$param1$'. |
| General Management | Event rule created | Event rule '$param1$' has been created by '$userName$'. |
| General Management | Event rule modified | Event rule '$param1$' has been modified by '$userName$'. |
| General Management | Event rule deleted | Event rule '$param1$' has been deleted by '$userName$'. |
| Server Management | File analysis requested | User '$username$' requested analysis of file [$hash$] with '$param1$'. or Analysis of file [$hash$] with '$param1$' was requested by event rule '$ruleName$'. |
| Server Management | File analysis completed | File '$filename$' [$hash$] was successfully analyzed with '$param1$'. Nothing suspicious was found. or File '$filename$' [$hash$] was successfully analyzed with '$param1$'. It was reported as malicious. |
| Server Management | File analysis canceled | User '$username$' canceled analysis of file '$filename$' [$hash$] with '$param1$'. |
| Server Management | File analysis error | Analysis of file '$filename$' [$hash$] with '$param1$' failed because of error '$param2$'. |
| Server Management | Server error | $param1$ Note: This is not specific to connectors but may report connector-related errors, such as failure to connect to or authenticate with a device. |
| Server Management | Connector restart | Connector started, build information: $param1$. |
| Server Management | Connector shutdown | Connector shutdown cleanly. |
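When these messages are forwarded to a SIEM, the templates in the table can be compiled into regular expressions so that each connector-related event is classified by type and subtype and its fields (provider, hash, rule name, addresses) are extracted. The following Python is an added example, not App Control code or output: it assumes the message text arrives exactly as templated (Syslog framing is not covered), and the sample events, hash, host name, rule name and IP addresses are constructed.

```python
import re

# Message templates quoted in the table above, keyed by (event type, subtype);
# one variant per subtype is kept, the others are added the same way.
TEMPLATES = [
    ("Discovery", "Malicious file detected",
     "File '$filename$' [$param1$] was identified by $param3$ as malicious."),
    ("Discovery", "Potential risk file detected",
     "Unknown file '$filename$' [$param1$] from $param3$ was identified by $param3$ as potential risk."),
    ("Discovery", "External Notification",
     "$Provider$ reported $malware type$ with name $malware name$ for file '$filename' from $src_ip to $target_ip"),
    ("Computer Management", "File Upload Requested",
     "Upload of file [$hash$] from computer '$computer$' was requested by event rule '$ruleName$'."),
    ("Server Management", "File analysis completed",
     "File '$filename$' [$hash$] was successfully analyzed with '$param1$'. It was reported as malicious."),
]

# Placeholders are written $name$ or $two words$, and in the External Notification
# template also unterminated ($filename, $src_ip): try the closed form first.
PLACEHOLDER = re.compile(r"\$([A-Za-z_]\w*(?: [A-Za-z_]\w*)*)\$|\$(\w+)")

def template_to_regex(template):
    """Compile a template into a regex with one named group per placeholder."""
    parts, pos, seen = [], 0, set()
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name = (m.group(1) or m.group(2)).replace(" ", "_")
        # A repeated placeholder ($param3$ appears twice) cannot be a second named group.
        parts.append(r"(?P<%s>.+?)" % name if name not in seen else r".+?")
        seen.add(name)
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))

COMPILED = [(t, s, template_to_regex(tpl)) for t, s, tpl in TEMPLATES]

def classify(message):
    """Return (type, subtype, fields) for the first template matching the whole message, else None."""
    for etype, subtype, rx in COMPILED:
        m = rx.fullmatch(message)
        if m:
            return etype, subtype, m.groupdict()
    return None

# Constructed sample messages: hash, host name, rule name and IP addresses are made up.
SAMPLE_EVENTS = [
    "Palo Alto Networks reported virus with name EICAR-Test-File for file 'eicar.com' from 10.0.0.5 to 192.0.2.10",
    "File 'eicar.com' [0123456789abcdef0123456789abcdef] was successfully analyzed with 'Palo Alto Networks'. It was reported as malicious.",
    "Upload of file [0123456789abcdef0123456789abcdef] from computer 'WORKSTATION-01' was requested by event rule 'Analyze unknown files'.",
    "Unknown file 'setup.exe' [0123456789abcdef0123456789abcdef] from WORKSTATION-01 was identified by Palo Alto Networks as potential risk.",
]
```

Matching the full message rather than searching for a substring keeps the lazy field groups from swallowing neighbouring text, which matters for templates whose placeholders are only delimited by spaces.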
Additional Log Information
In addition to the Carbon Black App Control event log, further information is available in the log files for the connector integrations. These files are located in the following locations under the Carbon Black App Control installation folders:
- Palo Alto Networks – \Bit9\Parity Server\Reporter\ParityReporter.log.
You might see other logs for custom connectors or deprecated connectors from previous Carbon Black App Control releases.