I'm having issues with eventtypes not correctly being applied from VMware Carbon Black Cloud ingest that I can't figure out, as each search in the chain successfully finds events. These are the three eventtypes that chain together. The first two apply correctly (vmware_cbc_base_index, vmware_cbc_alerts), but not the third (vmware_cbc_malware).
From eventtypes.conf:
[vmware_cbc_base_index]
search = index=carbonblack_audit

[vmware_cbc_alerts]
search = eventtype=vmware_cbc_base_index sourcetype="vmware:cbc:s3:alerts" OR sourcetype="vmware:cbc:alerts"

[vmware_cbc_malware]
search = eventtype=vmware_cbc_alerts threat_cause_threat_category="*MALWARE*" NOT threat_cause_threat_category="*NON_MALWARE*"
When I use the search in the third eventtype (vmware_cbc_malware), I do get events. Search:
eventtype=vmware_cbc_alerts threat_cause_threat_category="*MALWARE*" NOT threat_cause_threat_category="*NON_MALWARE*" | stats count by eventtype
eventtype              count
vmware_cbc_alerts      65
vmware_cbc_base_index  65
Can anyone help me figure out why this third eventtype is not being applied?
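The following script is an added illustration, not code from the question or from Splunk. It emulates how the three stanzas chain: it reads the eventtypes.conf text, resolves each eventtype=<name> reference into the referenced search string (with cycle detection), parses the subset of search syntax the stanzas use (field=value terms, * wildcards, NOT / OR / AND and parentheses, evaluated in Splunk's documented order of parentheses, NOT, OR, AND, with adjacent terms treated as an implicit AND and field values compared case-insensitively), and reports which eventtypes each constructed sample event satisfies, ending with the equivalent of the `| stats count by eventtype` from the question. It shows what the definitions are intended to select and gives a way to check a chain offline; it does not model Splunk's internal eventtype tagging, so it says nothing about why the third eventtype is not being applied in the live deployment. The sample events and the sourcetype values on them are constructed for the example.

```python
"""Emulate Splunk eventtype chaining for a small eventtypes.conf (added example, not Splunk code)."""
import fnmatch
import re
from configparser import ConfigParser

# Copy of the three stanzas from the question.
EVENTTYPES_CONF = """
[vmware_cbc_base_index]
search = index=carbonblack_audit

[vmware_cbc_alerts]
search = eventtype=vmware_cbc_base_index sourcetype="vmware:cbc:s3:alerts" OR sourcetype="vmware:cbc:alerts"

[vmware_cbc_malware]
search = eventtype=vmware_cbc_alerts threat_cause_threat_category="*MALWARE*" NOT threat_cause_threat_category="*NON_MALWARE*"
"""

# Constructed sample events (field dictionaries), not real Carbon Black Cloud data.
SAMPLE_EVENTS = [
    {"index": "carbonblack_audit", "sourcetype": "vmware:cbc:alerts", "threat_cause_threat_category": "KNOWN_MALWARE"},
    {"index": "carbonblack_audit", "sourcetype": "vmware:cbc:s3:alerts", "threat_cause_threat_category": "NON_MALWARE"},
    {"index": "carbonblack_audit", "sourcetype": "vmware:cbc:audit"},  # hypothetical non-alert sourcetype
    {"index": "main", "sourcetype": "vmware:cbc:alerts", "threat_cause_threat_category": "KNOWN_MALWARE"},
]

def load_eventtypes(conf_text):
    """Parse .conf stanzas into {eventtype_name: search_string}, preserving stanza order."""
    cp = ConfigParser(delimiters=("=",), interpolation=None)  # only '=' splits key from value
    cp.read_string(conf_text)
    return {name: cp[name]["search"] for name in cp.sections()}

def expand(name, eventtypes, _chain=()):
    """Replace every eventtype=<other> reference with the referenced search, recursively."""
    if name in _chain:
        raise ValueError("eventtype cycle: " + " -> ".join(_chain + (name,)))
    chain = _chain + (name,)
    return re.sub(r'eventtype="?(\w+)"?',
                  lambda m: "(" + expand(m.group(1), eventtypes, chain) + ")",
                  eventtypes[name])

# Tokens: parentheses, the three boolean keywords, and field=value terms (quoted or bare).
# Free-text terms, pipes and subsearches are out of scope for this emulation and are ignored.
TOKEN_RE = re.compile(r'\(|\)|\bNOT\b|\bOR\b|\bAND\b|\w+=(?:"[^"]*"|[^\s()]+)')

def parse(search):
    """Recursive-descent parser. Precedence (highest first): parentheses, NOT, OR, AND;
    two adjacent terms are an implicit AND, as in Splunk."""
    toks = TOKEN_RE.findall(search)
    pos = 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def p_and():
        node = p_or()
        while peek() not in (None, ")"):
            if peek() == "AND":
                take()
            node = ("and", node, p_or())
        return node
    def p_or():
        node = p_not()
        while peek() == "OR":
            take()
            node = ("or", node, p_not())
        return node
    def p_not():
        if peek() == "NOT":
            take()
            return ("not", p_not())
        return p_atom()
    def p_atom():
        tok = take()
        if tok == "(":
            node = p_and()
            if take() != ")":
                raise ValueError("unbalanced parentheses in: " + search)
            return node
        field, _, value = tok.partition("=")
        return ("term", field, value.strip('"'))
    tree = p_and()
    if peek() is not None:
        raise ValueError("trailing tokens in: " + search)
    return tree

def matches(node, event):
    """Evaluate a parsed search tree against one event (dict of field -> value)."""
    kind = node[0]
    if kind == "term":
        value = event.get(node[1])
        # Field values are compared case-insensitively; '*' is a wildcard. A missing field never matches.
        return value is not None and fnmatch.fnmatchcase(str(value).lower(), node[2].lower())
    if kind == "not":
        return not matches(node[1], event)
    left, right = matches(node[1], event), matches(node[2], event)
    return (left and right) if kind == "and" else (left or right)

def which_eventtypes(event, eventtypes):
    """Names of all eventtypes whose fully expanded search matches the event."""
    return [name for name in eventtypes if matches(parse(expand(name, eventtypes)), event)]

def eventtype_counts(events, eventtypes):
    """Equivalent of `| stats count by eventtype` over the given events."""
    counts = {}
    for ev in events:
        for name in which_eventtypes(ev, eventtypes):
            counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    ets = load_eventtypes(EVENTTYPES_CONF)
    for name in ets:
        print(f"{name}: {expand(name, ets)}")
    for ev in SAMPLE_EVENTS:
        print(ev.get("threat_cause_threat_category", "-"), "->", which_eventtypes(ev, ets))
    print(eventtype_counts(SAMPLE_EVENTS, ets))
```

Running it prints the flattened search for each stanza, so you can paste the expanded vmware_cbc_malware string into a live search and compare its results with `eventtype=vmware_cbc_malware`; if the flat search returns events but the eventtype field does not, the problem lies in how the eventtype is being applied rather than in the boolean logic of the chain. The NON_MALWARE sample shows why the NOT clause is needed: `*MALWARE*` also matches `NON_MALWARE`.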