App for IBM QRadar - Troubleshooting v2.0.0, v2.1.0 and v2.1.1
Frequently Asked Questions
• The "Last Contact" field under Settings > Data should contain a current timestamp within the span of the configured "Polling Interval". In this example, the timestamp should be updated every 180 seconds.
• Check that the API keys are of the correct Access Level type.
• Check that the "Custom" Type API key has the necessary permissions.
• Make sure the "Custom" and "API" Type Credentials are not switched up.
• Check if Polling under Settings > Data sub-tab is enabled.
• Make sure the respective Alerts type(s) (CB Analytics Alerts, Device Control Alerts, Watchlist Alerts) under Settings > Data sub-tab are enabled.
• If you use the Built-in input, make sure "Minimum Successful Events for Autodetection" in the Log Source Type configuration is set low enough. Details on how to set it up are available in step 4. of the Installation & User Guide > Log Source Type Configuration.
• Once the app makes contact with the Carbon Black Cloud, it will start polling data. It might take a few minutes until QRadar starts recognising the incoming records as Carbon Black Cloud data. All data polled in the interim will be displayed in the Log Activity page as "Unknown log event" collected by "SIM Generic Log DSM-7".
• Check that the "Custom" Type API key has the necessary permissions.
• Make sure the "Custom" and "API" Type Credentials are not switched up.
• Check if Polling under Settings > Data sub-tab is enabled.
• Make sure the respective Alerts type(s) (CB Analytics Alerts, Device Control Alerts, Watchlist Alerts) under Settings > Data sub-tab are enabled.
• If you use the Built-in input, make sure "Minimum Successful Events for Autodetection" in the Log Source Type configuration is set low enough. Details on how to set it up are available in step 4. of the Installation & User Guide > Log Source Type Configuration.
• Once the app makes contact with the Carbon Black Cloud, it will start polling data. It might take a few minutes until QRadar starts recognising the incoming records as Carbon Black Cloud data. All data polled in the interim will be displayed in the Log Activity page as "Unknown log event" collected by "SIM Generic Log DSM-7".
• Check whether the configuration is correct - when "Save" is clicked a success message should appear.
• Check if Polling is Enabled under Settings > Data sub-tab.
• If the above did not resolve the problem, check the network on the QRadar host to confirm connectivity to Carbon Black Cloud.
• Check if Polling is Enabled under Settings > Data sub-tab.
• If the above did not resolve the problem, check the network on the QRadar host to confirm connectivity to Carbon Black Cloud.
• Use the full dashboard URL of your Carbon Black Cloud Console. Full detail on the URLs for each environment are available here.
• No, but to be able to use the full set of features of the app, like assigning Policies, performing Right-click Actions, viewing Device information and more, we recommend adding them. This includes Product URL, Org Key, "API" Type Credentials, "Custom" Type credentials.
• Enterprise EDR is required to get Watchlist Alerts. If the error
"error code 400 from API: "success":false,"message":"WATCHLIST alerts are not available for your organization"
is received then the toggle to enable Watchlist Alerts is enabled but the organization does not have Enterprise EDR.
• To prevent the error, navigate to Settings > Data and disable the Watchlist Alerts.
• Update your app. This issue was resolved in v2.1.0. of the app.
Note:This error is no longer raised. Even if you try to pull all alert types whatever is available will be returned.
• To prevent the error, navigate to Settings > Data and disable the Watchlist Alerts.
• Update your app. This issue was resolved in v2.1.0. of the app.
Note:This error is no longer raised. Even if you try to pull all alert types whatever is available will be returned.
• Check whether Coalescing Events option for your syslog log source is enabled and the Event Count for Alerts is larger than 1.
• You may be hitting the default 4096kb TCP Syslog max payload size. To remediate this, increase the payload as some alerts exceed 4k, which prevents them from being logged correctly in QRadar. A step-by-step guide is available here.
• Check if you are hitting your QRadar Event Processor System (EPS) licensed limit. Detailed information can be found on the IBM support page.
• Update your app. A known issue in v.2.0.0 was causing a small percentage of Alerts not to be logged. This issue was resolved in v.2.2.0 of the app.
• You may be hitting the default 4096kb TCP Syslog max payload size. To remediate this, increase the payload as some alerts exceed 4k, which prevents them from being logged correctly in QRadar. A step-by-step guide is available here.
• Check if you are hitting your QRadar Event Processor System (EPS) licensed limit. Detailed information can be found on the IBM support page.
• Update your app. A known issue in v.2.0.0 was causing a small percentage of Alerts not to be logged. This issue was resolved in v.2.2.0 of the app.
• The Save is active only if there are any changes to be saved.
App Errors
• Go to Carbon Black Cloud > Settings > Actions to configure a watchlist.
• Fill out information under Settings > App Configuration.
Although not required at the initial configuration of the app, once entered, the values under Settings > App Configuration cannot be empty. To remediate this:
• Enter the necessary values.
• Click the "Cancel" button to revert to the previous configuration.
• If the above options are not applicable in your situation, you can enter "bogus" values for the required fields.
• Enter the necessary values.
• Click the "Cancel" button to revert to the previous configuration.
• If the above options are not applicable in your situation, you can enter "bogus" values for the required fields.
• "HTTPS" is the secure version of "HTTP", which is the primary protocol used to send data between a web browser and a website. If you need to configure a "Product URL" for your app, it is a requirement to use the full address.
• Polling Interval determines how frequently to pull data from the Carbon Black Cloud, in seconds. The minimum value is 60 seconds, and the maximum value is 600. Either choose a value within those boundaries, or click "Cancel" to revert the changes.
Last modified on May 3, 2023