App for IBM QRadar - Troubleshooting v2.2.0 - Carbon Black Developer Network

App for IBM QRadar - Troubleshooting v2.2.0

Frequently Asked Questions

1. How do I know if the app is connected to the Carbon Black Cloud?

• The "Last Contact" field under Settings > Data should contain a current timestamp within the span of the configured "Polling Interval". In this example, the timestamp should be updated every 60 seconds.

• If you go to Settings > Configuration requests are triggered to check the validity. If there is something wrong with the credentials, or the Device API or Alerts API at the current moment, validation errors will be shown.

2. Carbon Black Cloud data does not appear in the Log Activity tab when using the built-in type of importing records, even though contact has been made.

• Check that the API keys are of the correct Access Level type.
• Check that the "Custom" Access Level Type has the necessary permissions.
• Make sure the "Custom" and "API" Access Level Type Credentials are not switched up.
• Check if Polling under Settings > Data sub-tab is enabled.
• Make sure the respective Alerts type(s) (CB Analytics Alerts, Device Control Alerts, Watchlist Alerts) under Settings > Data sub-tab are enabled.

• If you use the Built-in input, make sure "Minimum Successful Events for Autodetection" in the Log Source Type configuration is set low enough. Details on how to set it up are available in step 4. of the Installation & User Guide > Log Source Type Configuration.

• Once the app makes contact with the Carbon Black Cloud, it will start polling data. It might take a few minutes until QRadar starts recognising the incoming records as Carbon Black Cloud data. All data polled in the interim will be displayed in the Log Activity page as "Unknown log event" collected by "SIM Generic Log DSM-7".

3. Carbon Black Cloud is not making contact.

• Check if Polling is Enabled under Settings > Data sub-tab.

• If the above did not resolve the problem, check the network on the QRadar host to confirm connectivity to Carbon Black Cloud.

4. Is there a way to grant 'View Only' access to users?

• To turn on Read Only access, configure your access level with only the "Read" permissions. This will result in certain functions becoming unavailable in the app.

5. Carbon Black Cloud shortcut is missing from the QRadar console menu after it was successfully installed.

1. Click on the menu icon with three horizontal lines.
2. Click on the star icon to add Carbon Black Cloud to the menu bar.

6. If the QRadar instance or the app is down, will there be loss of data?

• No, all of the Alerts, Audit Logs, and Events will be pulled in once the application is working again. However, depending on the downtime period, it might take some time for the app to catch-up.

7. Can multiple Carbon Black Cloud instances be forwarded to the same S3 bucket so data can be ingested into QRadar?

• Yes, multiple Data Forwarders can push to the same S3 bucket. The Data Forwarder is creating a directory structure for each Org Key.

8. Can you run multiple instances of the app?

• Yes, 2.1.0. onwards supports multi-tenancy. More information is available here.

9. Are there logs in the app?

• Yes, the app lives in a docker container, and has its own logs separate from the QRadar logs. You can find more details about logging and troubleshooting them in the IBM's page for App Troubleshooting.

10. What is the Product URL that should be used for Configuration?

• Use the full dashboard URL of your Carbon Black Cloud Console. Full detail on the URLs for each environment are available here.

11. Is it a requirement to use the Data Forwarder input?

• The Data Forwarder is the recommended approach for ingesting Alerts and Endpoint Events into QRadar due to its reliability, scale, and low latency. This approach is only required to ingest Endpoint Event data.

12. What version of QRadar is supported for the app?

• QRadar 7.3.3 Patch 6+
• QRadar 7.4.1 Patch 2+
• QRadar 7.5

13. Is there a limit to the number of Audit Logs that are pulled on each sync?

• Yes, 2500.

14. Where can I find more Support and Resources for problems I’m having with the app?

• Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
• Report bugs and change requests to Carbon Black Support.
• View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.

15. What features are included with the new app version?

• To view the full set of new features, visit the Release Notes section.

16. Is there a document outlining how to install & configure the new version 2.x of the app?

• Detailed information on app upgrades, requirements, and configuration changes is available here.

17. Is there a limit to the number of alerts that are pulled from the API on each sync when using the built-in Input?

Yes, 10,000. If your organization has more than 10,000 alerts each polling interval, you can:
• Tune CB Analytics alerts that are known-good in your environment using the Dismiss all future alerts functionality.
• Follow recommendations from our Threat Research team here.
• Modify the configured Alert Input and increase the Minimum Alert Severity.
• Change the polling interval from the default of 180 seconds to 120 or 60 seconds.
• Switch to ingesting Alerts via the Data Forwarder input.

18. The fields under Settings > Configuration are not required, do I need to fill them in?

• No, but to be able to use the full set of features of the app, like assigning Policies, performing Right-click Actions, viewing Device information and more, we recommend adding them. This includes Product URL, Org Key, "API" Type Credentials, "Custom" Type credentials.

19. How do I find all quarantined devices?

• Go to Devices Tab and filter by status:QUARANTINE.

20. Why is Last Contact different than System Time?

• System Time is the current time of the QRadar console in the local time zone and Last Contact is in UTC time zone.

21. I am receiving Alerts in the QRadar console with delay.

• When using the "Built-in" data input method, delays between the incoming data intervals can signify memory overload on the container. A combination of high bursts of Alerts for extended periods and low physical memory on the app container can cause a memory overload. As discussed in this thread, the app's memory is limited to 10% of the system's physical memory, and this can cause delays in Alert and general data processing. If you experience such symptoms, consider using the "Data Forwarder" input.

22. Some Alerts are missing from the Log Activity tab.

• Check whether Coalescing Events option for your syslog log source is enabled and the Event Count for Alerts is larger than 1.

• You may be hitting the default 4096kb TCP Syslog max payload size. To remediate this, increase the payload as some alerts exceed 4k, which prevents them from being logged correctly in QRadar. A step-by-step guide is available here.
• Check if you are hitting your QRadar Event Processor System (EPS) licensed limit. Detailed information can be found on the IBM support page.
• Update your app. A known issue in previous versions was causing a small percentage of Alerts not to be logged. This issue was resolved in v.2.2.0 of the app.

23. After upgrading to v2.2 I can no longer see device policies.

Two new permissions are required for v2.2:
• Policies (org.policies) - READ
• Events (org.search.events) - READ.

24. I upgraded QRadar to 7.5. Do I need to do anything?

It is highly recommended to use version v2.2 or later of the app on QRadar 7.5 installations.

25. I am using REST API polling to handle a high volume of alerts and QRadar suddenly stopped receiving any alerts and/or audit logs

Under high load (high ammount of alerts and audit logs per minute), the Carbon Black Cloud QRadar App may stop forwarding messages to QRadar due to hitting a memory limitation which leads to app restarts.
The default memory limit for the QRadar app is set to 200MB. We highly recommend using the Data Forwarder as opposed to REST API polling for data ingestion mechanism as it is scalable and capable of handling high loads. If you are using data polling instead, it is possible that on some occasions under high load you might notice that no new CBC alerts are being fed to QRadar. The application logs may indicate application restarts. Have a look at poll.log and check if it indicates continous service restarts such as in this example:


        2023-06-12 13:12:16 INFO     Recreating SyslogOutput to use custom ip: 1.2.3.4


    



  



        2023-06-12 13:12:18 INFO     Starting poller in production mode - syslog output to QRadar console at IP address 1.2.3.4


    



  



        2023-06-12 13:12:18 INFO     Log Source Identifier to be used localhost


    



  



        2023-06-12 13:12:20 INFO     Sending 2500 Audit Log Events.


    



  



        2023-06-12 13:12:31 INFO     Recreating SyslogOutput to use custom ip: 1.2.3.4


    



  



        2023-06-12 13:12:31 INFO     Starting poller in production mode - syslog output to QRadar console at IP address 1.2.3.4


    



  



        2023-06-12 13:12:31 INFO     Log Source Identifier to be used localhost


    



  



        2023-06-12 13:12:32 INFO     Sending 2500 Audit Log Events.


    



  



        2023-06-12 13:12:43 INFO     Recreating SyslogOutput to use custom ip: 1.2.3.4

If you have root access to the QRadar Console (or the Apphost in case the app runs on a dedicated Apphost), run the ``dmesg`` command (as root) to inspect the kernel log for OOM kills such as the following:


        slab_out_of_memory: 72 callbacks suppressed


    



  



        SLUB: Unable to allocate memory on node -1, gfp=0xdc0(GFP_KERNEL|__GFP_ZERO)


    



  



           cache: signal_cache(632851:3a166877f91031145f6dc491df3c915c57f1439f4b3bcea4c6a37d1885ea27ea), object size: 1056, buffer size: 1088, default order: 3, min order: 0


    



  



           node 0: slabs: 31, objs: 930, free: 0


    



  



        oom_kill_process: 70 callbacks suppressed


    



  



        python invoked oom-killer: gfp_mask=0x0(), order=0, oom_score_adj=0


    



  



        CPU: 25 PID: 3143648 Comm: python Not tainted 5.4.0-29-generic

If this is the case, you might need to increase the memory limit for the Carbon Black Cloud app to a higher value (above 300MB, 500MB recommended).

Increasing the memory limit:

In order to increase the memory limit, you need to find the application ID of the CBC App. In order to do that you need to login (via ssh) to the QRadar Console and run /opt/qradar/support/recon ps. The output may look like the following:


        App-ID  Name                            Managed Host ID Workload ID                             Service Name            Container Name          Port


    



  



        1055    QRadar Assistant                53              apps                                    qapp-1055       -                               0   


    



  


    
        1051    QRadar Log Source Management    53              apps                                    qapp-1051       -                               0


    



  



        1056    QRadar Use Case Manager         53              apps                                    qapp-1056       -                               0


    



  



        1057    VMware Carbon Black Cloud       53              apps                                    qapp-1057       -                               0

In the first column, there are the App IDs and in the second column there are the App names. Find the "Vmware Carbon Black Cloud" row and copy the corresponding App ID.
Next, open the following URL in your web browser:

https://QRADAR_CONSOLE_IP/api_doc#version=19.0&api=%2Fgui_app_framework%2Fapplications%2F%7Bapplication_id%7D&method=POST

Replace QRADAR_CONSOLE_IP with the IP address of your QRadar console. You need to login with an account with administrative privileges. The resulting api_doc page should look like the following:

Input the App ID in the "application_id" input textbox (in the Value column) and 500 in the memory input textbox, they click the Try it Out! button.

The Carbon Black Cloud QRadar app will get stopped and then restarted (this should take about a minute or two).

To confirm the memory limit has been successfully changed, open the following URL in your browser: https://QRADAR_CONSOLE_IP/api_doc#version=19.0&api=%2Fgui_app_framework%2Fapplications%2F%7Bapplication_id%7D&method=GET

Type in the App ID in the application_id input box and click the Try it Out! button. Have a look at the Response Body section of the page. If everything was correct, it should contain the following string:


        "memory": 500,

Once the memory limit is increased and the app is restarted, it should be seamlessly forwarding all the CBC alerts and audit logs.

App Errors

No watchlist defined in configuration

• Go to Carbon Black Cloud > Settings > Actions to configure a watchlist.

Invalid query parameters

• Enter valid query or leave field empty to bulk search.

Error: App is not configured

• Fill out information under Settings > Configuration.

Missing Parameters: Product URL, Org Key, API Type ID, API Type Secret Key

Although not required at the initial configuration of the app, once entered, the values under Settings > Configuration cannot be empty. To remediate this:

• Enter the necessary values.
• Click the "Close" button to revert to the previous configuration when you move away from the Settings page or after refresh.
• If the above options are not applicable in your situation, you can reset the configuration by clicking on Reset Configuration button (only available for admin users).

Invalid server_url -> https is strictly enforced

• "HTTPS" is the secure version of "HTTP", which is the primary protocol used to send data between a web browser and a website. If you need to configure a "Product URL" for your app, it is a requirement to use the full address.

Invalid Polling Interval. Choose a value between 60 and 600 seconds.

• Polling Interval determines how frequently to pull data from the Carbon Black Cloud, in seconds. The minimum value is 60 seconds, and the maximum value is 600. Either choose a value within those boundaries, or click "Close" to revert the changes.

Give Feedback

Use this form to give us feedback about this site or any of the documentation.

Last modified on May 3, 2023

Carbon Black Cloud

Page Contents