Issue
An error is being displayed for the VMware Carbon Black Endpoint Standard (Formerly Cb Defense) Alert Source that states:
We weren't able to retrieve alerts because of a configuration error. Please check your configuration.
Environment
Red Canary Alert Source Configuration
Resolution
Generate new credentials in the VMware Carbon Black Cloud console and update the alert source in Red Canary.
- Log into your VMware Carbon Black Cloud console (make note of the URL for accessing the console as this will be needed for a later step).
- Click Settings > API Access (make note of the ORG KEY and ORG ID at the top of the page; this information will be needed for a later step).
- Click the Access Levels tab.
- Create a new Access Level named Red Canary Alert Center with description This access level is used by Red Canary to retrieve alerts for validation and investigation.
- Allow permissions for CREATE, READ and DELETE under org.alerts.notes.
- Allow permissions for READ under org.alerts.
- Allow permissions for EXECUTE under org.alerts.dismiss.
- Click Save.
- Click the API Keys tab.
- Click Add API Key and set the following values:
  - Name: red_canary_alert_center
  - Access Level: Custom
  - Custom Access Level: Red Canary Alert Center
  - Description: This API key is used by Red Canary to retrieve alerts for validation and investigation.
- Click Save.
- Make a note of the API ID and API Secret Key that appear on the screen (note: copy and paste the values into a separate text document to ensure that the correct spacing is captured).
- Log into Red Canary and go to Alert Sources.
- Begin to type in VMware Carbon Black Endpoint Standard and select the product when it appears under the query box.
- Select the newly added alert source.
- Click Configure.
- Choose Vmware Cb Cloud via API Poll as the Ingest Format/Method.
- Enter the following information into the fields:
  - API URL: (this will be the first portion of the URL e.g. https://defense-prod05.conferdeploy.net)
  - Enter the Org Key and Org Id values that were copied in step 5.
  - Enter the API Id and API Secret Key that were copied in step 15.
- Click Save.
- Click Activate it to begin processing alerts (you may see an additional error message appear in regard to retrieving alerts; this should clear up after 5-10 minutes. If it does not go away, please contact Support).
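A pre-flight check for the values collected in the steps above, as an added example that is not Red Canary's or VMware's code: it trims the console URL to the API URL form, flags credential fields with stray whitespace, and compares an access level's permissions with the ones this procedure grants. The function names and the dictionary input format are assumptions; the granted permissions are typed in by hand from the Access Levels tab.

```python
from urllib.parse import urlsplit

# Permissions the steps above grant to the "Red Canary Alert Center" access level.
REQUIRED = {
    "org.alerts.notes": {"CREATE", "READ", "DELETE"},
    "org.alerts": {"READ"},
    "org.alerts.dismiss": {"EXECUTE"},
}

def api_base_url(console_url):
    """Trim a console URL copied from the browser down to scheme and host."""
    parts = urlsplit(console_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// console URL")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{parts.hostname}{port}"

def check_access_level(granted):
    """Return (missing, excess) permissions relative to REQUIRED."""
    missing, excess = [], []
    for name in sorted(set(REQUIRED) | set(granted)):
        want = REQUIRED.get(name, set())
        have = {op.upper() for op in granted.get(name, ())}
        missing += [f"{name}:{op}" for op in sorted(want - have)]
        excess += [f"{name}:{op}" for op in sorted(have - want)]
    return missing, excess

def bad_credential_fields(fields):
    """Names of fields that are empty or contain whitespace from a bad paste."""
    return [k for k, v in fields.items() if not v or any(c.isspace() for c in v)]

if __name__ == "__main__":
    # Constructed sample values; none of these are real credentials.
    print(api_base_url("https://defense-prod05.conferdeploy.net/some/page"))
    granted = {
        "org.alerts": ["READ"],
        "org.alerts.notes": ["CREATE", "READ"],      # DELETE was not ticked
        "org.alerts.dismiss": ["EXECUTE"],
        "example.other": ["READ"],                   # constructed extra grant
    }
    print(check_access_level(granted))
    print(bad_credential_fields({"org_key": "ABCD1234", "api_id": "ABCDEFGHIJ",
                                 "api_secret": "EXAMPLESECRET \n"}))
```

An empty `missing` list means the key can do what the alert source needs; anything in `excess` is a permission beyond what this procedure grants and can be removed from the access level.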
Cause
Resolving this issue requires API credentials created for the sole purpose of managing native alerts in the VMware Carbon Black console.