App for IBM QRadar v2.2.1

Overview

The VMware Carbon Black Cloud App for IBM QRadar allows administrators to leverage the industry’s leading cloud-based, next-generation, anti-virus solution to prevent malware and non-malware attacks. This gives administrators access to the alerts, audit logs, and events exposed through the Data Forwarder and the Alerts and Audit Logs APIs for Carbon Black Cloud, as well as device, process, and event information through the optional use of other Carbon Black Cloud APIs.

The Carbon Black Cloud app for IBM QRadar contains two components:

Carbon Black Cloud Log Source Type—normalizes Carbon Black Cloud data into a format QRadar can index.
Carbon Black Cloud App for IBM QRadar—lets you configure a connection to the Carbon Black Cloud and also monitor Carbon Black Cloud devices from the QRadar platform.

Carbon Black Cloud data appearing in the IBM QRadar platform

Note: This app has not been reviewed for FedRAMP Compliance for use in the AWS GovCloud (US) environment. Please reach out to Carbon Black Cloud Support for further information.

Before You Get Started

Think about what data you want to pull into QRadar to determine which log source inputs to use. You can pull in Carbon Black Cloud alerts, audit logs, endpoint events, or device data. Also consider which of the following response actions you want to take on that data to determine which permissions you will need:

Add or remove an IOC from a watchlist
Ban a process hash
Dismiss an alert
Enable or disable bypass
Get process details
Pivot into the Carbon Black Cloud to investigate Events
Pivot into the Carbon Black Cloud to search for Devices
Quarantine or unquarantine a device
Search events by IP on Carbon Black Cloud
View Alert
View device details

Use Cases

Alert Single Pane of Glass

Bring all your CB Analytics, Watchlist, and Device Control alerts into QRadar
Investigate alerts, rule out false positives, create QRadar Offenses, and pivot back to Carbon Black Cloud when more details are needed
Respond from QRadar with right-click actions such as ban hash, quarantine device, and dismiss alert

Required data: alerts

Alert Triage

Perform the majority of your NGAV and EDR alert investigation directly from QRadar by pivoting from an alert to the related event data
Summarize key information related to an alert such as the process cmdline and process behavior

Required data: alerts, endpoint events

Alert Trends

Visualize trends such as alert volume over time, top alerted endpoints, and commonly alerted processes

Required data: alerts

Endpoint Visibility

Identify what’s running across your environment
Summarize the most and least common processes
Audit activity that’s been blocked or terminated by Carbon Black Cloud Endpoint Standard’s NGAV capabilities
Discover endpoints which have stopped sending data to Carbon Black Cloud

Required data: endpoint events

Endpoint Inventory

Track which endpoints are protected by Carbon Black Cloud
Get detailed metadata about an endpoint, such as sensor version, OS version, last check-in time, bypass state, and quarantine state

Required data: devices, endpoint events

CBC Auditing & Change Control

Audit which users are logging in to Carbon Black Cloud, where from, and whether the login was flagged
Track changes to Carbon Black Cloud infrastructure such as policy changes and sensor updates
Monitor high-privilege operations such as Live Response and endpoint bypass

Required data: audit logs

XDR & Custom Detections

Pivot from alerts from network tools, such as firewalls, proxies, and IPS/IDS, to the process on the endpoint
If an email security tool detects a possibly malicious file, identify if any user has opened it and whether that was blocked by Carbon Black Cloud
Baseline normal behavior; what processes normally run on an endpoint? What processes normally make network connections?