Announcing VMware Carbon Black Cloud App for QRadar v2.3.0

Posted on June 5, 2024

We’re pleased to announce version 2.3.0 of the VMware Carbon Black Cloud App for QRadar. One of the headline features of this release is the transition from Alerts v6 to the more advanced Alerts v7.

There are some breaking changes, so check out the Release Notes and the User Guide before you install the new version of the app.

New Features:

  • Transitioned exclusively to API Keys with an Access Level Type “Custom” for authentication, simplifying API Key configuration.
  • App updated to support Alerts v7 API and Data Forwarder Alert Schema v2.
  • Improved alert polling algorithm now processes alerts in batches of 10,000, reducing memory usage and enhancing performance.
  • Right-click actions for searching observations by IP address and viewing alerts now redirect users to the “Investigate” tab, which uses the Observations API, easing the migration from the Enriched Events Search API.

Bug Fixes:

  • Resolved an issue that caused old messages to be retransmitted, so syslog messages are no longer duplicated.
  • Improved logging to give clearer error messages when a syslog message transmission fails.
  • Improved the file reading mechanism so that syslog messages are processed accurately.
  • Added pagination support for improved device retrieval efficiency.
  • Fixed issue: Devices Tab now shows all devices when search field is empty.
  • Upgraded packages to fix vulnerabilities.

Breaking Changes

  • QRadar versions 7.5.0 UP3+ are supported. The app will not install on older QRadar versions.
  • The app was migrated from Alerts v6 to Alerts v7. Some fields from the earlier version have been renamed or removed in the new version.
  • An additional permission is needed to close alerts (Background Tasks - jobs.status - READ).
  • An API Key with an Access Level type Custom is used to poll Audit Logs (Audit Logs (org.audits) - READ).
  • If you are using the Data Forwarder to ingest events, you need to:
    • Create a Data Forwarder Alert v2 Schema with a different AWS S3 Bucket prefix and enable it. Do this first so that no alerts are lost.
    • Create a new Log Source that uses the new Data Forwarder and enable it
    • Disable the Alerts Forwarder using v1 Schema
    • Wait for the ingest of Alerts with v1 Schema to complete
    • Disable the old Log Source
    • Update the Carbon Black Cloud QRadar App
    • Verify that Alerts are ingested correctly

After you upgrade

  • If you are using the Data Forwarder Alerts Input
    • Reconfigure the AWS SQS queue to consume the Alert v2 schema data. (Note: there may be duplicate data for the period during which both forwarders were running.)
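Because both forwarders run side by side during the cutover, the same alert can arrive once under the v1 schema and once under the v2 schema. The following script is an added example (not part of the app or of this announcement) showing how to reconcile the two streams after the fact: it reads JSON-lines records from each prefix, keys them on the alert `id`, prefers the v2 copy, and reports which ids were delivered twice. The sample records are constructed, and the assumption that both schemas carry an `id` field (with `create_time` in v1 and `backend_timestamp` in v2) is an assumption of this example, not something the announcement states.

```python
"""Reconcile alert records ingested from two Data Forwarder schemas during a cutover."""
import json

# Constructed sample records (not real Carbon Black Cloud output). Field names are an
# assumption of this example: both schemas are assumed to carry the alert "id".
V1_LINES = [
    '{"id": "alert-0001", "schema": 1, "create_time": "2024-06-01T10:00:00Z", "severity": 3}',
    '{"id": "alert-0002", "schema": 1, "create_time": "2024-06-01T10:05:00Z", "severity": 7}',
    "not valid json",  # malformed line, should be skipped rather than abort the run
]
V2_LINES = [
    '{"id": "alert-0002", "schema": 2, "backend_timestamp": "2024-06-01T10:05:00Z", "severity": 7}',
    '{"id": "alert-0003", "schema": 2, "backend_timestamp": "2024-06-01T10:09:00Z", "severity": 5}',
    '{"id": "alert-0003", "schema": 2, "backend_timestamp": "2024-06-01T10:09:00Z", "severity": 5}',
]


def load_jsonl(lines):
    """Parse JSON-lines input, skipping blank, malformed, or id-less records."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("id"):
            records.append(rec)
    return records


def merge_alerts(v1_records, v2_records):
    """Merge two alert streams keyed on id.

    Returns (merged, duplicate_ids): merged maps id -> record, with the v2 copy
    winning when an id appears in both streams; duplicate_ids lists every id seen
    more than once across or within the streams.
    """
    merged = {}
    seen = set()
    duplicate_ids = set()
    for rec in v1_records + v2_records:  # v2 last, so it overwrites v1
        alert_id = rec["id"]
        if alert_id in seen:
            duplicate_ids.add(alert_id)
        seen.add(alert_id)
        merged[alert_id] = rec
    return merged, sorted(duplicate_ids)


def reconcile(v1_lines, v2_lines):
    """Convenience wrapper: parse both inputs and return summary counts."""
    merged, dups = merge_alerts(load_jsonl(v1_lines), load_jsonl(v2_lines))
    return {
        "unique_alerts": len(merged),
        "duplicate_ids": dups,
        "from_v2_schema": sum(1 for r in merged.values() if r.get("schema") == 2),
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(V1_LINES, V2_LINES), indent=2))
```

Pointing `load_jsonl` at the objects downloaded from the old and new S3 prefixes for the overlap window gives a quick count of how many alerts QRadar may have received twice, which is the figure to compare against the log source's event counts when verifying that alerts are ingested correctly.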