App for IBM QRadar - Release Notes
Version 2.2.0
New Features:
- Refresh of the user interface for configuration of the app
- New design and validations.
- When selecting Settings > Configuration, requests are triggered to check validity. If there is something wrong with the credentials, the Device API or the Alerts API at that moment, validation errors are shown.
- Update of admin privileges
- Carbon Black Cloud > Settings > Configuration is hidden behind admin privileges.
- Everything else, including Devices Tab, is accessible without admin privileges.
- Two new right-click actions: Get Process Details and View Alert. These require changes to the permissions on the custom API key. See What to do before Upgrade for details.
- Use of the new Policy Service to pull policies. This requires changes to the permissions on the custom API key. See What to do before Upgrade for details.
- Added Reset Configuration and Test Configuration functionalities.
- Added Custom Event Collector IP input field under Settings > App Configuration to provide a way to configure a Custom Event Collector.
- Support for parsing additional fields for Watchlist Hits.
- Upgrade of the Python SDK version.
Bug Fixes:
- Fixes to the poll procedure.
- Removed redundant logging of proxy errors when the proxy is not enabled.
- Alerts are resent when an I/O error occurs.
- Added validation of query parameters for right-click actions.
- Upgraded a few packages due to reported vulnerabilities.
Documentation Updates:
- Because of the major rewrite of the UI and some functionalities, we created a copy of the documentation to preserve the previous user guides for anyone still using previous versions. However, we highly recommend upgrading to the latest version.
What to do before Upgrade:
- Before you upgrade from 2.1.1 to 2.2.0, you need to go to the Carbon Black Cloud UI and add two more permissions to your Custom Key:
- Policies (org.policies) - READ
- Events (org.search.events) - READ
Version 2.1.1
- New way of validating API key.
- Upgraded a few packages whose previous versions had reported vulnerabilities.
Version 2.1.0
Before you upgrade from 2.0.0 to 2.1.0
- You need to go to Admin > Custom Event Properties, search for Process GUID and delete all of the mappings manually.
New Features
- Multi-tenancy
- Ability to add custom Log Source Identifier
- Ability to toggle Audit Logs on or off
UI Changes
- Added Log Source Identifier input field under Settings > App Configuration
- Added Audit Logs toggle under Settings > Data
Detailed information and screenshots are available in the Installation & User Guide > App Upgrade section.
Resolved Issues
- The help tooltips on the Settings pages were displayed only on mouse-hover over the “?” icon.
- A small number of Alerts were not ingested into QRadar due to an app issue.
- “Product URL” under Settings > App Configuration was not handling trailing slash.
- Watchlist Alerts cannot be enabled if Enterprise EDR is not active. Enterprise EDR is required for receiving Watchlist Alerts.
Version 2.0.0
New Features
- Data Input - CB_ANALYTICS (Alerts)
- Data Input - DEVICE_CONTROL (Alerts)
- Data Input - WATCHLIST (Alerts)
- Data Input - Data Forwarder (Alerts and Endpoint.Events)
- Right-click action - Hash Ban
UI Changes
- Admin menu renamed to Settings
- System Overview menu renamed to Devices
- Carbon Black Cloud App Configuration menu renamed to App Configuration
- Admin > Proxy Settings menu moved to Settings > App Configuration
- Admin > Misc Settings > Polling moved to Settings > Data
Detailed information and screenshots are available in the Installation & User Guide > App Upgrade section.
Known Issues
- The Settings tab is bolded as active after a Right-click action redirection from Log Activity > View Device, when the active tab should be “Devices”. (fixed in v2.2.0)
- After the app upgrade from v1, the old log source will not pick up the new data (alerts, audit logs). Instead, a new log source needs to be created - either manually or via auto-detection.
- The help tooltips on the Settings pages are displayed only on mouse-hover over the “?” icon.
- Filled-in values cannot be changed back to empty for the app configuration properties (Product URL, Org Key, API ID, API Secret Key, Proxy URL, Proxy Username, Proxy Password). (Reset Configuration button is added in v2.2.0)
- Log Source Time is a datetime field that is mapped to different date formats depending on the type of alerts/events and the log source that is used. However, in some rare cases the datetime cannot be parsed correctly. Then the time at which the event arrived at QRadar is used. For example: device_timestamp = ‘2021-11-09 11:52:00 +0000 UTC’ cannot be parsed using the format yyyy-MM-dd HH:mm:ss.SSS +0000 'UTC' (missing milliseconds), while device_timestamp = ‘2021-11-09 11:52:00.1 +0000 UTC’ and device_timestamp = ‘2021-11-09 11:52:00.123 +0000 UTC’ are parsed correctly.
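The parsing failure described in the last known issue, as an added Python example that is not part of the app or of these release notes: a strict parser that mirrors the quoted yyyy-MM-dd HH:mm:ss.SSS +0000 'UTC' format rejects the value without milliseconds, a tolerant parser that makes the fractional seconds optional accepts all three values, and both fall back to the event's arrival time for anything they cannot parse, which is the behaviour the note describes. QRadar applies a Java date format, not strptime, so the strptime pattern (with %f standing in for SSS), the regular expression, the ARRIVAL constant and the sample values are assumptions constructed for this example.

```python
import re
from datetime import datetime, timezone

# The Java-style pattern the release notes quote for device_timestamp:
#   yyyy-MM-dd HH:mm:ss.SSS +0000 'UTC'
# Closest strptime equivalent (assumption: %f stands in for SSS; it accepts
# 1 to 6 fractional digits, so ".1" and ".123" both parse, but the literal
# "." makes the fractional part mandatory, which is the failure mode).
STRICT_FORMAT = "%Y-%m-%d %H:%M:%S.%f +0000 UTC"

# Tolerant pattern: the same layout, but fractional seconds are optional.
_TOLERANT = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,6}))? \+0000 UTC$"
)

# Constructed arrival time standing in for "when the event reached QRadar".
ARRIVAL = datetime(2021, 11, 9, 11, 53, 30, tzinfo=timezone.utc)

# Constructed sample values: the three from the release notes plus garbage.
SAMPLE_TIMESTAMPS = [
    "2021-11-09 11:52:00 +0000 UTC",      # no milliseconds: strict parse fails
    "2021-11-09 11:52:00.1 +0000 UTC",    # one fractional digit: parses
    "2021-11-09 11:52:00.123 +0000 UTC",  # three fractional digits: parses
    "not a timestamp",                    # always falls back to arrival time
]


def parse_strict(value: str):
    """Apply the strict format; return None when the value does not match."""
    try:
        return datetime.strptime(value, STRICT_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_tolerant(value: str):
    """Accept the same layout with or without fractional seconds."""
    m = _TOLERANT.match(value)
    if m is None:
        return None
    base = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    frac = m["frac"] or ""
    # Right-pad to six digits so ".1" means 100 ms, not 1 microsecond.
    micros = int(frac.ljust(6, "0")) if frac else 0
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def log_source_time(value: str, arrival: datetime, parser=parse_tolerant):
    """Return (timestamp, origin): the parsed device time, or the arrival
    time tagged "arrival" when the value cannot be parsed."""
    parsed = parser(value)
    if parsed is None:
        return arrival, "arrival"
    return parsed, "device_timestamp"


def fallback_report(values, arrival, parser):
    """Count how many values the given parser had to fall back on."""
    origins = [log_source_time(v, arrival, parser)[1] for v in values]
    return origins.count("arrival")


if __name__ == "__main__":
    for v in SAMPLE_TIMESTAMPS:
        strict = log_source_time(v, ARRIVAL, parse_strict)
        tolerant = log_source_time(v, ARRIVAL, parse_tolerant)
        print(f"{v!r}: strict -> {strict[1]}, tolerant -> {tolerant[1]}")
    print("strict fallbacks:", fallback_report(SAMPLE_TIMESTAMPS, ARRIVAL, parse_strict))
    print("tolerant fallbacks:", fallback_report(SAMPLE_TIMESTAMPS, ARRIVAL, parse_tolerant))
```

The origin tag matters operationally: an event whose Log Source Time is really its arrival time can appear minutes after the activity it describes, so searches and correlation rules bounded by Log Source Time should be checked against device_timestamp when the tag says "arrival".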
Version 1.0.0
- Initial Release