To be certain you capture all events, set up Carbon Black App Control as a log source in QRadar Log Manager before integrating with the Carbon Black App Control Server.

When an App Control Server begins to send events to the QRadar Log Manager, approximately the first 10 events will appear as "Unknown events". After that, QRadar Log Manager will auto-discover events as being from Carbon Black App Control, and will add a Log source definition for that App Control Server called "CarbonBlackAppControl @ <CarbonBlackServerComputerName>" with the default QRadar Log Manager parameters.