App for IBM QRadar - Release Notes

Version 2.1.0

Before you upgrade from 2.0.0 to 2.1.0

  • Go to Admin > Custom Event Properties, search for Process GUID, and delete all of the mappings manually.

New Features

  • Multi-tenancy
  • Ability to add custom Log Source Identifier
  • Ability to toggle Audit Logs on or off

UI Changes

  • Added Log Source Identifier input field under Settings > App Configuration
  • Added Audit Logs toggle under Settings > Data

Detailed information and screenshots are available in the Installation & User Guide > App Upgrade section.

Resolved Issues

  • The help tooltips on the Settings pages were displayed only on mouse-hover over the “?” icon.
  • A small number of Alerts were not ingested into QRadar due to an app issue.
  • “Product URL” under Settings > App Configuration did not handle a trailing slash.
  • Watchlist Alerts cannot be enabled if Enterprise EDR is not active. Enterprise EDR is required for receiving Watchlist Alerts.

Version 2.0.0

New Features

  • Data Input - CB_ANALYTICS (Alerts)
  • Data Input - DEVICE_CONTROL (Alerts)
  • Data Input - WATCHLIST (Alerts)
  • Data Input - Data Forwarder (Alerts and Endpoint.Events)
  • Right-click action - Hash Ban

UI Changes

  • Admin menu renamed to Settings
  • System Overview menu renamed to Devices
  • Carbon Black Cloud App Configuration menu renamed to App Configuration
  • Admin > Proxy Settings menu moved to Settings > App Configuration
  • Admin > Misc Settings > Polling moved to Settings > Data

Detailed information and screenshots are available in the Installation & User Guide > App Upgrade section.

Known Issues

  • The Settings tab is bolded as active after a Right-click action redirection from Log Activity > View Device, although the active tab should be “Devices”.
  • After the app upgrade from v1, the old log source will not pick up the new data (alerts, audit logs). Instead, a new log source needs to be created - either manually or via auto-detection.
  • The help tooltips on the Settings pages are displayed only on mouse-hover over the “?” icon.
  • Filled-in values cannot be changed back to empty for the app configuration properties (Product URL, Org Key, API ID, API Secret Key, Proxy URL, Proxy Username, Proxy Password).
  • Log Source Time is a datetime field that is mapped to different date formats depending on the type of alert/event and the log source that is used. In some rare cases the datetime cannot be parsed correctly; the time at which the event arrived at QRadar is then used instead. For example, device_timestamp = ‘2021-11-09 11:52:00 +0000 UTC’ cannot be parsed using the format yyyy-MM-dd HH:mm:ss.SSS +0000 'UTC' (missing milliseconds), while device_timestamp = ‘2021-11-09 11:52:00.1 +0000 UTC’ and device_timestamp = ‘2021-11-09 11:52:00.123 +0000 UTC’ are parsed correctly.
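As an added example (not part of the app or of these release notes), the following Python reproduces the strict parsing behaviour described in the last known issue, shows a tolerant variant that keeps the device time when milliseconds are absent, and flags which events in a batch would silently fall back to arrival time. The fallback format, the sample event records and the arrival time are constructed for this example.

```python
from datetime import datetime, timezone
from typing import Optional

# Python equivalent of the pattern quoted in the known issue,
# yyyy-MM-dd HH:mm:ss.SSS +0000 'UTC'. strptime's %f accepts 1-6 fractional
# digits, which is why '.1' and '.123' both parse while no fraction at all fails.
STRICT_FORMAT = "%Y-%m-%d %H:%M:%S.%f +0000 UTC"
# Hypothetical second pattern (not in the app) for timestamps with no fraction.
NO_FRACTION_FORMAT = "%Y-%m-%d %H:%M:%S +0000 UTC"

# Constructed arrival time standing in for "the time the event reached QRadar".
ARRIVAL = datetime(2021, 11, 9, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample events using the three values from the release note.
SAMPLE_EVENTS = [
    {"id": "evt-1", "device_timestamp": "2021-11-09 11:52:00 +0000 UTC"},
    {"id": "evt-2", "device_timestamp": "2021-11-09 11:52:00.1 +0000 UTC"},
    {"id": "evt-3", "device_timestamp": "2021-11-09 11:52:00.123 +0000 UTC"},
]


def parse_strict(device_timestamp: str) -> Optional[datetime]:
    """Parse exactly as the known issue describes: the fraction is mandatory."""
    try:
        parsed = datetime.strptime(device_timestamp, STRICT_FORMAT)
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)


def parse_tolerant(device_timestamp: str) -> Optional[datetime]:
    """Try the strict pattern first, then the no-fraction pattern."""
    for fmt in (STRICT_FORMAT, NO_FRACTION_FORMAT):
        try:
            return datetime.strptime(device_timestamp, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def effective_time(device_timestamp: str, arrival: datetime) -> tuple:
    """Mirror the documented behaviour: device time if it parses, else arrival.
    Returns (timestamp, used_fallback) so the substitution is visible."""
    parsed = parse_strict(device_timestamp)
    return (arrival, True) if parsed is None else (parsed, False)


def fallback_event_ids(events: list) -> list:
    """Ids of events whose Log Source Time would be the arrival time, not the
    device time; useful when auditing timeline accuracy after ingestion."""
    return [e["id"] for e in events if parse_strict(e["device_timestamp"]) is None]
```

For the three sample values, only evt-1 is reported as falling back, while parse_tolerant recovers its device time.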

Version 1.0.0

  • Initial Release

Last modified on May 17, 2022