Carbon Black Cloud App for IBM QRadar

Overview

The VMware Carbon Black Cloud App for IBM QRadar allows administrators to leverage the industry’s leading cloud-based, next-generation anti-virus solution to prevent malware and non-malware attacks. It gives administrators access to the alerts, audit logs, and events exposed through the Data Forwarder and the Alerts and Audit Logs APIs for Carbon Black Cloud, as well as device, process, and event information through the optional use of other Carbon Black Cloud APIs.

The Carbon Black Cloud app for IBM QRadar contains two components:

  • Carbon Black Cloud Log Source Type—normalizes Carbon Black Cloud data into a format QRadar can index.
  • Carbon Black Cloud App for IBM QRadar—lets you configure a connection to the Carbon Black Cloud and also monitor Carbon Black Cloud devices from the QRadar platform.

Requirements

  • Access to Carbon Black Cloud
  • IBM QRadar version 7.3.3 patch level 6 or later

Before You Get Started

Think about what data you want to pull into QRadar to determine which log source inputs to use. You can pull in Carbon Black Cloud alerts, audit logs, endpoint events, or device data. Also consider which of the following response actions you want to take on that data to determine which permissions you will need:

  • Add or remove an IOC from a watchlist
  • Ban a process hash
  • Dismiss an alert
  • Enable or disable bypass
  • Pivot into the Carbon Black Cloud to investigate Events
  • Pivot into the Carbon Black Cloud to search for Devices
  • Quarantine or unquarantine a device
  • Search events by IP on Carbon Black Cloud
  • View device details

Use Cases

Alert Single Pane of Glass

  • Bring all your CB Analytics, Watchlist, and Device Control alerts into QRadar
  • Investigate alerts, rule out false positives, create QRadar Offenses, and pivot back to Carbon Black Cloud when more details are needed
  • Respond from QRadar with right-click actions such as ban hash, quarantine device, and dismiss alert

Required data: alerts

Alert Triage

  • Perform the majority of your NGAV and EDR alert investigation directly from QRadar by pivoting from an alert to the related event data
  • Summarize key information related to an alert such as the process cmdline and process behavior

Required data: alerts, endpoint events

  • Visualize trends such as alert volume over time, top alerted endpoints, and commonly alerted processes

Required data: alerts

Endpoint Visibility

  • Identify what’s running across your environment
  • Summarize the most and least common processes
  • Audit activity that’s been blocked or terminated by Carbon Black Cloud Endpoint Standard’s NGAV capabilities
  • Discover endpoints which have stopped sending data to Carbon Black Cloud

Required data: endpoint events

Endpoint Inventory

  • Track which endpoints are protected by Carbon Black Cloud
  • Get detailed metadata about an endpoint, such as sensor version, OS version, last check-in time, bypass state, and quarantine state

Required data: devices, endpoint events

CBC Auditing & Change Control

  • Audit which users are logging in to Carbon Black Cloud, where from, and whether the login was flagged
  • Track changes to Carbon Black Cloud infrastructure such as policy changes and sensor updates
  • Monitor high-privilege operations such as Live Response and endpoint bypass

Required data: audit logs

XDR & Custom Detections

  • Pivot from alerts from network tools, such as firewalls, proxies, and IPS/IDS, to the process on the endpoint
  • If an email security tool detects a possibly malicious file, identify if any user has opened it and whether that was blocked by Carbon Black Cloud
  • Baseline normal behavior: which processes normally run on an endpoint, and which processes normally make network connections?

Required data: endpoint events

Support and Resources

  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
  • Report bugs and change requests to Carbon Black Support.
  • View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.

Last modified on December 3, 2021