App for IBM QRadar - Installation & User Guide v2.3.0
Requirements
- Access to Carbon Black Cloud
- IBM QRadar version 7.5.0 update pack 3 or later
Quick Links
- Installing & Configuring the App
- Download the app
- Release Notes
- Troubleshooting
- Information on Previous Versions
Getting Started
This guide describes:
- How to choose and set up the appropriate log source(s) for your VMware Carbon Black Cloud app for IBM QRadar
- Steps to install and configure different settings in the app
- Various pages and actions you can use once it is configured
Log Source
The app offers two log source input options or methods of data ingestion. Each method supports different types of data. To access all types of data, you need to use a combination of Built-in input and Data Forwarder input. To use additional features such as Device information and Right-click actions, you need to configure the app as described below.
Built-in API Input
This method of data ingestion uses VMware Carbon Black Cloud REST APIs to pull data into QRadar.
Supported data and features:
Requirements:
For customers with Identity managed in Carbon Black Cloud:
- “Custom” Type Key and ID (for all data inputs and right-click Actions)
For customers with Identity managed in VMware Cloud Services Platform:
- OAuth App granted a custom role with the necessary permissions (for all data inputs and right-click Actions)
See Authentication for more information.
Pros:
- Available out of the box without the need to configure an AWS S3 bucket
Cons:
- Container Memory Limit - A combination of high bursts of Alerts for extended periods and low physical memory on the app container can cause memory overload. As discussed in this thread, the memory is limited to 10% of the system’s physical memory. This can cause delays in Alert and general data processing. If you experience such symptoms, consider using the Data Forwarder input.
Setup Built-in Input
Follow the steps below to create API Keys with the appropriate permissions and configure the Log Source Type to start pulling in Carbon Black Cloud data.
1. Open your Carbon Black Cloud console, go to Settings > API Access, select "Access Levels" and click "+ Add Access Level".
2. Fill in the "Name" and "Description" fields, grant the new Access Level with the following RBAC permissions and click Save.
- Alerts (org.alerts) - READ
- Alerts (org.alerts.close) - EXECUTE
- Applications (org.reputations) - CREATE, READ
- Audit Logs (org.audits) - READ (new for v.2.2.0)
- Background Tasks (jobs.status) - READ (new for v.2.3.0)
- Custom Detections (org.watchlists) - CREATE, READ, UPDATE, DELETE
- Device (device.quarantine) - EXECUTE
- Device (device.bypass) - EXECUTE
- Device (device) - READ
- Device (device.policy) - UPDATE
- Device (device.bg-scan) - EXECUTE
- Events (org.search.events) - CREATE, READ (new for v.2.2.0)
- Policies (org.policies) - READ (new for v.2.2.0)
- Unified Binary Store (ubs.org.sha256) - READ
3. Go to the "API Keys" tab and click "+ Add API Key".
4. Enter a "Name", click on the "Access Level type" dropdown, select "Custom", click on the "Custom Access Level" dropdown and select the level you created in step 2, then click Save.
5. Copy the API Secret Key and API ID from the pop-up modal (store the API Secret Key, because it cannot be retrieved after initial creation) and open the QRadar console.
6. Go to Carbon Black Cloud > Settings > Configuration.
7. Add the API ID and API Secret Key to their respective "Custom Type" fields and click Save.
1. Open your QRadar console and navigate to Admin > DSM Editor.
2. In the popup window, search for "Carbon Black Cloud" and click select.
3. Select the "Configuration" tab, toggle on the "Enable Log Source Autodetection" option and click "Show Advanced Options".
4. Select a value for "Minimum Successful Events for Autodetection" - we recommend a lower number for this field. Click Save and close the DSM Editor.
Optional: You can pick a custom name for the Log Source by editing the Log Source Name Template value. The default Log Source name is CarbonBlackCloudCustom @ localhost.
Note: If the Log Source is created automatically, the Coalescing Events option is enabled. Coalescing Events means that when a log source emits multiple very similar events within a short time span, they are aggregated into a single event whose event count reflects the number of events that were aggregated. Keeping this enabled reduces the storage cost of events. Disable it if you want a separate event in QRadar for each alert.
If the autodetection and creation of the Log Source fails for some reason, you can manually create a Log Source following the steps described in Additional Guides > Create Syslog Log Source.
Data Forwarder Input
This method of data ingestion is recommended when you have a high volume or significant bursts of data as it provides higher scalability. The Data Forwarder streams the data to an AWS S3 bucket and then it is pulled into QRadar via the Amazon AWS REST API Protocol. Use the data forwarder input in conjunction with the built-in API input to access the full features of the app.
Supported data and features:
Requirements:
- Data Forwarder(s) configured in Carbon Black Cloud
- Amazon AWS S3 REST API Protocol for QRadar updated to the latest version
Pros:
- Streams data into an AWS S3 bucket at scale
Cons:
- Requires configuration of an AWS S3 bucket
Setup Data Forwarder Input
To use a Data Forwarder input, you will need:
- AWS S3 bucket
- AWS SQS queue
- Management Access Policy and User
- Carbon Black Cloud Data Forwarder(s)
- Log Source in QRadar
Note: For each data type (Alerts and Events), you will need a separate Data Forwarder in Carbon Black Cloud.
Note: You can configure more than one forwarder of either type if you have complex filtering needs.
2. Configure the Bucket Policy to Allow Access
3. Create Management Access Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "sqs:GetQueueUrl",
        "sqs:DeleteMessage",
        "sqs:SendMessageBatch",
        "sqs:ReceiveMessage",
        "sqs:SendMessage"
      ],
      "Resource": [
        "arn:aws:sqs:<aws-region>:535601802221:<name-of-queue>",
        "arn:aws:s3:::<name-of-s3-bucket>/*"
      ]
    }
  ]
}
```
4. Create a user that is attached to that policy and check "Programmatic Access", which generates an Access Key ID and Secret Access Key.
5. Save the generated Access Key ID and Secret Access Key.
```json
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__sender_statement",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:<aws-region>:535601802221:<name-of-queue>",
      "Condition": {
        "ForAllValues:ArnEquals": {
          "aws:SourceArn": "arn:aws:s3:::<name-of-s3-bucket>"
        }
      }
    }
  ]
}
```
2. Configure the Event Notification in the S3 bucket to use this queue - navigate to Properties > Event Notifications, choose SQS queue as the Destination and enter the ARN of the new queue.
Note: If you need to reload older events and are using SQS to pull from the bucket, events are no longer available in the queue once they have been retrieved. To view historical events or reload data, use the generic S3 option, or copy the events to another prefix so that they are queued again.
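As an added illustration (not part of the guide or of the app itself), the Python below renders the two policies above with concrete values and audits them for scope: the user policy may name only this queue and this bucket's objects, and the queue policy may accept SendMessage only from the S3 service acting for this bucket. The placeholder region, account id, bucket and queue names are assumptions, and a deliberately weakened pair of policies is constructed to show what the audit reports.

```python
# Placeholders, not real values: substitute your region, account id, bucket and queue.
REGION, ACCOUNT_ID = "<aws-region>", "<aws-account-id>"
BUCKET, QUEUE = "<name-of-s3-bucket>", "<name-of-queue>"


def queue_arn(region, account_id, queue):
    return f"arn:aws:sqs:{region}:{account_id}:{queue}"


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def management_policy(region, account_id, bucket, queue):
    """The guide's Management Access Policy with concrete values: read objects
    from one bucket, consume and acknowledge messages on one queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "sqs:GetQueueUrl", "sqs:DeleteMessage",
                       "sqs:SendMessageBatch", "sqs:ReceiveMessage", "sqs:SendMessage"],
            "Resource": [queue_arn(region, account_id, queue), bucket_arn(bucket) + "/*"],
        }],
    }


def queue_policy(region, account_id, bucket, queue):
    """The guide's SQS access policy: only S3 event notifications originating
    from this bucket may enqueue messages."""
    return {
        "Version": "2008-10-17",
        "Id": "__default_policy_ID",
        "Statement": [{
            "Sid": "__sender_statement",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SQS:SendMessage",
            "Resource": queue_arn(region, account_id, queue),
            "Condition": {"ForAllValues:ArnEquals": {"aws:SourceArn": bucket_arn(bucket)}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(mgmt, qpol, region, account_id, bucket, queue):
    """Check that both policies stay scoped to exactly this queue and bucket.
    Returns a list of findings; an empty list means they match the guide."""
    findings = []
    want_queue = queue_arn(region, account_id, queue)
    allowed = {want_queue, bucket_arn(bucket) + "/*"}
    for st in mgmt.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "?")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"management {sid}: wildcard action {action}")
        for res in _as_list(st.get("Resource", [])):
            if res not in allowed:
                findings.append(f"management {sid}: out-of-scope resource {res}")
    for st in qpol.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "?")
        if st.get("Principal") != {"Service": "s3.amazonaws.com"}:
            findings.append(f"queue {sid}: principal is not the S3 service")
        if [a.lower() for a in _as_list(st.get("Action", []))] != ["sqs:sendmessage"]:
            findings.append(f"queue {sid}: actions other than SendMessage")
        if _as_list(st.get("Resource", [])) != [want_queue]:
            findings.append(f"queue {sid}: resource is not the expected queue")
        sources = [c.get("aws:SourceArn") for c in st.get("Condition", {}).values()]
        if sources != [bucket_arn(bucket)]:
            findings.append(f"queue {sid}: aws:SourceArn is not this bucket")
    return findings


def weakened_examples():
    """Two mis-configurations constructed here for the audit to flag: an
    account-wide resource on the user policy and an open queue policy."""
    mgmt = management_policy(REGION, ACCOUNT_ID, BUCKET, QUEUE)
    mgmt["Statement"][0]["Resource"] = "*"
    qpol = queue_policy(REGION, ACCOUNT_ID, BUCKET, QUEUE)
    qpol["Statement"][0]["Principal"] = "*"
    del qpol["Statement"][0]["Condition"]
    return mgmt, qpol
```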
For more detailed instructions on setting up a Data Forwarder using the APIs, see the following:
- Step-by-step guide
- Data Forwarder video tutorial
Note: The same forwarder cannot be used for both Alerts and Events. Create a separate forwarder for each type of data you want to forward.
Note: If you use the Data Forwarder to ingest alert data, do not enable any of the built-in alert types under Settings > Data, otherwise you will get duplicate alerts in QRadar.
Note: For the Alert Forwarder, make sure you select the v2 schema!
1. Open your QRadar console and navigate to Admin > QRadar Log Source Management.
2. In the popup window, click "Log Sources".
3. Click the "+New Log Source" button.
4. Select "Single Log Source".
5. In the search field, enter "Carbon Black Cloud" and select it, then click "Step2: Select Protocol Type".
6. In the search field, enter "Amazon AWS S3 REST API" and select it, then click "Step3: Configure Log Source Parameters".
7. Click "Enable", configure the rest of the Log Source Parameters, then click "Step4: Configure Protocol Parameters":
- Name - Choose a name for the log source. Note: Pick a name different from the built-in log source 'CarbonBlackCloudCustom', otherwise you will have difficulties filtering events by log source name.
Note: The default value for Coalescing Events is enabled. When this option is enabled and a log source emits multiple very similar events within a short time span, they are aggregated into a single event whose event count reflects the number of events that were aggregated. Keeping this enabled reduces the storage cost of events. Disable it if you want a separate event in QRadar for each alert.
8. Configure the Protocol Parameters:
- Log Source Identifier - Choose a name for your Log Source
- Authentication Method - Access Key ID / Secret Key
- Access Key ID and Secret Key - The Access Key ID and Secret Access Key required to access the AWS S3 bucket
- S3 Collection Method - SQS Event Notification
- SQS Queue URL - URL of the queue; it can be copied from the AWS Management Console
- Region Name - Same as the S3 bucket
- Event Format - LINEBYLINE (the Data Forwarder generates jsonl files)
9. Click "Start Test" to verify the configuration, or "Skip Test and Finish".
10. Click "Deploy Changes" in the notification pop-up under the Admin tab for the changes to take effect.
Installation and Configuration
Install the Carbon Black Cloud app for IBM QRadar via the IBM X-Force Security App Exchange.
1. Open your Carbon Black Cloud console and copy its URL (including the "https://") and ORG KEY.
2. Open the QRadar console, go to Carbon Black Cloud > Settings > Configuration and paste the URL and ORG KEY in their respective fields.
3. If you have not filled in the API Credentials in the Configuration page, do so as explained in the Built-in Input > Keys and Permissions section and click Save.
4. OPTIONAL - If you use a proxy, add your Proxy URL (the format is as follows: [http/https]://[ip/hostname]:[port]), Username, and Password under the "Proxy Settings" section, enable the proxy toggle and click Save.
5. OPTIONAL - Enter a custom name for the "Log Source Identifier".
Important: Before entering a custom name, you need to create a Custom Log Source, then enter the "Log Source Identifier" from it under Settings > Configuration > Log Source Identifier. To learn how to create a Syslog Log Source, click here.
6. OPTIONAL - If you have a more complicated QRadar setup with the App running on a dedicated Apphost, enter the QRadar Console IP or hostname (or an external Event Collector IP or hostname) for the "Custom Event Collector IP". Otherwise, leave it empty.
Note: If you are ingesting Alerts, we recommend that you increase the TCP Syslog max payload size of your QRadar app. More information and instructions are available here.
7. Upon clicking the Save button, the configuration is validated to show you its current status. If the configuration is invalid, a pop-up is shown with details about the validation error and the option to save the invalid configuration anyway. A green message is shown in the upper right corner if the configuration is valid.
Note: Each time you open Carbon Black Cloud > Settings > Configuration, configuration validation is triggered to show you the current status of your configuration.
Note: Admin users can reset the configuration (the configuration is reset to the default config used for fresh install) and test the config at any moment using the buttons Reset Configuration and Test Configuration.
If you encounter any errors or need additional information, check out the Troubleshooting page.
1. In the Carbon Black Cloud app, navigate to Settings > Data.
2. Under Polling, toggle the 'Polling Status' switch to 'Enabled'. Once enabled, 'Contact' displays the last time the app polled VMware Carbon Black Cloud for data.
3. By default, the app is set to poll Carbon Black Cloud for data at an interval of 180 seconds (3 minutes). You can change the interval by entering another value between 60 and 600 seconds.
4. Click Save when you finish editing your Polling and other Data settings.
If you stream alerts in via Data Forwarder, do not enable any of the alert types, otherwise you will receive duplicates. You will need a user with admin privileges in order to configure the Alert data.
Note: If you are ingesting alerts via the Built-in API Input (Syslog), we strongly recommend increasing QRadar's Max TCP payload size. Due to its low default value, the app may not ingest some Alerts correctly. A step-by-step guide is available here.
1. In the Carbon Black Cloud app, navigate to Settings > Data.
2. Under 'Alerts', you can configure the following:
- Minimum Alert Severity - control the severity of the alerts being pulled in. For example, choosing '4' will pull alerts with a severity of 4 or higher.
- CB Analytics Alerts - change the switch to 'Enabled' to bring in CB_ANALYTICS alerts. Requires Endpoint Standard.
- Container Runtime Alerts - change the switch to 'Enabled' to bring in CONTAINER_RUNTIME alerts. Requires Container Security.
- Device Control Alerts - change the switch to 'Enabled' to bring in DEVICE_CONTROL alerts. Requires Endpoint Standard.
- Host Based Firewall Alerts - change the switch to 'Enabled' to bring in HOST_BASED_FIREWALL alerts. Requires the Endpoint Standard Host-Based Firewall add-on.
- Intrusion Detection Systems Alerts - change the switch to 'Enabled' to bring in INTRUSION_DETECTION_SYSTEM alerts. Requires the XDR extension to Enterprise EDR.
- Watchlist Alerts - change the switch to 'Enabled' to bring in WATCHLIST alerts. Requires Enterprise EDR.
3. In the 'Audit Logs' section, you can enable or disable ingesting Audit Logs.
4. Click Save when you finish editing your Data settings.
1. In the Carbon Black Cloud app, navigate to Settings > Actions.
2. In the 'Watchlist Name' input, enter the name of the watchlist in the VMware Carbon Black Cloud console where you want to send IOCs.
3. In the 'Report Prefix', enter a prefix to the watchlist report. This is the report where you will find IOCs added from the app in the Carbon Black Cloud console.
4. In the 'Report Severity' dropdown, select the severity that you want to apply to the report created in the watchlist.
Note: Watchlist actions require Enterprise EDR.
Using the App
Log Activity Tab
Use the Log Activity tab to view data pulled from the Carbon Black Cloud. The table below lists the different types of data you can access from this page.
Data Type | Use Case | More Information |
---|---|---|
Alerts | Alerts indicate suspicious behavior and known threats in your environment and provide details on the events that led to an alert. Details include metadata about the alert and a list of all the events associated with the alert. | Learn more about the feature or go to the API documentation |
Audit Logs | Use the Audit Logs to review actions performed by Carbon Black Cloud users, such as log-in attempts, updates to connectors, creation of connectors, liveResponse events, and more. | Learn more about the feature or go to the API documentation |
Events | Provides an overview of endpoint events from the Carbon Black Cloud appliance. | Get the full list of field descriptions |
View Device Information
The Devices sub-tab in the Carbon Black Cloud app provides an overview of the active devices reporting event data to the Carbon Black Cloud. View information like OS version, active policy, sensor version and more. You can also use this page to update the policy applied to a device.
To use this feature, you must configure the following fields on the Settings > Configuration page: Product URL, Org Key, Custom Type Credentials.
You do not need a user with admin privileges in order to access the Devices tab.
The 'Query Devices' search field can be used to narrow the list of devices. It supports key-value and value-only-based search. The value-based search will look for the desired keyword in all parameters.
Supported keys are: status, os, last_external_ip_address, last_internal_ip_address, name. Multiple space-separated values can be queried within a single search.
Example: 'last_external_ip_address:10.10.10.10' or '10.10.10.10'.
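The search syntax described above, as an added example that is not the app's own implementation: a parser for the 'Query Devices' string and a filter that applies its terms to a constructed device inventory. Two points are assumptions of this example rather than documented behaviour: space-separated terms are combined with AND, and keyed terms match a parameter exactly while value-only terms match as a substring of any parameter.

```python
# Search keys the 'Query Devices' field supports, as listed in the guide.
SUPPORTED_KEYS = {"status", "os", "last_external_ip_address",
                  "last_internal_ip_address", "name"}


def parse_query(query):
    """Split a query string into (key, value) terms. 'key:value' with a
    supported key becomes a keyed term; any other token is a value-only term
    (key None). Treating an unsupported 'foo:bar' as value-only is an assumption."""
    terms = []
    for token in query.split():
        key, sep, value = token.partition(":")
        if sep and key in SUPPORTED_KEYS and value:
            terms.append((key, value))
        else:
            terms.append((None, token))
    return terms


def matches(device, terms):
    """Every term must match (AND across terms, assumed here). Keyed terms
    compare one parameter exactly; value-only terms look for the keyword as a
    substring of every parameter. Both comparisons are case-insensitive."""
    for key, value in terms:
        needle = value.lower()
        if key is not None:
            if str(device.get(key, "")).lower() != needle:
                return False
        elif not any(needle in str(v).lower() for v in device.values()):
            return False
    return True


def query_devices(devices, query):
    """Return the ids of the devices that satisfy the query."""
    terms = parse_query(query)
    return [d["id"] for d in devices if matches(d, terms)]


# Constructed sample inventory, not real devices.
DEVICES = [
    {"id": 101, "name": "WS-01", "status": "REGISTERED", "os": "WINDOWS",
     "last_external_ip_address": "10.10.10.10", "last_internal_ip_address": "192.0.2.10"},
    {"id": 102, "name": "SRV-DB", "status": "REGISTERED", "os": "LINUX",
     "last_external_ip_address": "10.10.10.20", "last_internal_ip_address": "192.0.2.11"},
    {"id": 103, "name": "MAC-07", "status": "DEREGISTERED", "os": "MAC",
     "last_external_ip_address": "10.10.10.10", "last_internal_ip_address": "192.0.2.12"},
]
```

Note the difference between 'status:REGISTERED' (exact, two devices) and the value-only 'REGISTERED', which also matches the DEREGISTERED device by substring.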
Device Details
To access details about each sensor's configuration, click the 'Device' name on each row.
Change Device Security Policy
To change the security policy applied to the device, click the Policy dropdown and select the desired policy from the list. A dialogue box will open to confirm the change. Click Ok to verify the change. It may take a few minutes for the change to be applied throughout both systems.
Learn more about the Devices API here.
Mapping Carbon Black Cloud Data
The “Carbon Black Cloud” Log Source Type normalizes Carbon Black Cloud data into a format that QRadar can index. The table below provides the full CBC to QRadar field mapping.
QRadar Field | CBC Field |
---|---|
Action | action |
Additional Events Present | additional_events_present |
Alert Blocked Threat Category | blocked_threat_category |
Alert C2 Involved | threat_activity_c2 |
Alert Category | category |
Alert DLP Involved | threat_activity_dlp |
Alert First Event Time | first_event_time |
Alert ID | id, alert_id |
Alert Last Event Time | last_event_time |
Alert Last Update Time | last_update_time |
Alert Not Blocked Threat Category | not_blocked_threat_category |
Alert Notes Present | notes_present |
Alert Phishing Involved | threat_activity_phish |
Alert Policy Applied | policy_applied |
Alert Reason Code | reason_code |
Alert Status | status |
Alert Tags | tags |
Alert Threat Cause Actor Name | threat_cause_actor_name |
Alert Threat Cause Category | threat_cause_threat_category |
Alert Threat Caused By Event ID | threat_cause_cause_event_id |
Alert Threat Cause Reputation | threat_cause_reputation |
Alert Threat Cause Vector | threat_cause_vector |
Alert Threat Notes Present | threat_notes_present |
Alert URL | alert_url |
API Call | crossproc_api |
Attack Tactic | attack_tactic |
Attack Technique | attack_technique |
Audit Log Event Timestamp | eventTime |
Audit Log Flagged | flagged |
Backend Timestamp | backend_timestamp |
Backend Update Timestamp | backend_update_timestamp |
Blocked Effective Reputation | blocked_effective_reputation |
Blocked MD5 | blocked_md5 |
Blocked Name | blocked_name |
Blocked SHA256 | blocked_sha256 |
CBC Event Count | scriptload_count, modload_count |
Child Process Command Line | childproc_cmdline |
Cluster Name | cluster_name,k8s_cluster |
Cluster Policy ID | k8s_policy_id |
Command Line | process_cmdline |
Connection Type | connection_type |
Cross-process Event Target | crossproc_target |
Date Time | backend_timestamp, create_time, syslog_create_time |
Destination FQDN | netconn_domain |
Destination IP | remote_ip,netconn_remote_ip |
Destination MAC | [no field specified] |
Destination Port | remote_port,netconn_remote_port |
Determination Changed By | determination_changed_by |
Determination Changed By Type | determination_changed_by_type |
Determination Change Timestamp | determination_change_timestamp |
Determination Value | determination_value |
Device Group | device_group |
Device ID | device_id |
Device Name | device_name |
Device Priority | target_value |
Device Timestamp | device_timestamp |
Device UEM ID | device_uem_id |
Duration Seconds | process_duration |
Egress Group ID | egress_group_id |
Egress Group Name | egress_group_name |
Event Category | severity, type, cat |
Event ID | type, cat |
Event ID (custom) | created_by_event_id, eventId, event_id |
Event Origin | event_origin |
Event Summary | event_description, description, reason |
File Hash | filemod_hash[1], modload_hash[1], scriptload_hash[1], fileless_scriptload_hash[1], modload_sha256 |
Fileless Script Load Command Line | fileless_scriptload_cmdline |
File Path | filemod_name, regmod_name, modload_name, scriptload_name |
First Event Timestamp | first_event_timestamp |
Identity Extended Field | [no field specified] |
Identity Group Name | device_group |
Identity Host Name | device_name |
Identity IP | device_internal_ip |
Identity IPv6 | [no field specified] |
Identity MAC | [no field specified] |
Identity Net BIOS Name | [no field specified] |
IOC Field | ioc_field |
IOC ID | ioc_id |
IOC Value | ioc_hit |
IP Reputation | ip_reputation |
IPv6 Destination | netconn_remote_ipv6 |
IPv6 Source | netconn_local_ipv6 |
Is Updated | is_updated |
Legacy Alert ID | legacy_alert_id |
Location | device_location |
Log Source Time | create_time - yyyy-MM-dd'T'HH:mm:ss'Z', eventTime - yyyy-MM-dd'T'HH:mm:ss'Z', syslog_create_time - yyyy-MM-dd'T'HH:mm:ss.SSS'Z', device_timestamp - yyyy-MM-dd HH:mm:ss.SSS +0000 'UTC' |
MDR Determination Change Timestamp | mdr_determination_change_timestamp |
MDR Determination Value | mdr_determination_value |
MDR Workflow Change Timestamp | mdr_workflow_change_timestamp |
MDR Workflow Is Assigned | mdr_workflow_is_assigned |
MDR Workflow Status | mdr_workflow_status |
Minimum Severity | minimum_severity |
ML Classification Final Verdict | ml_classification_final_verdict |
ML Classification Global Prevalence | ml_classification_global_prevalence |
ML Classification Org Prevalence | ml_classification_org_prevalence |
Namespace | namespace |
Network Connection Inbound | netconn_inbound |
Network Protocol | netconn_protocol, protocol |
Organisation Name | orgName |
Org Key | org_key |
OS Name | device_os |
OS Version | device_os_version |
Parent Command | parent_cmdline |
Parent Effective Reputation | parent_effective_reputation |
Parent GUID | parent_guid, threat_cause_parent_guid |
Parent Hash | parent_hash[1] |
Parent Path | parent_path |
Parent Process ID | parent_pid |
Parent Process Reputation | parent_reputation |
Parent Publisher Content | parent_publisher[] |
Parent Username | parent_username |
Pod Name | k8s_pod_name |
Policy ID | policy_id |
Policy Name | policy_name |
Post NAT Destination IP | [no field specified] |
Post NAT Destination Port | [no field specified] |
Post NAT Source IP | device_external_ip |
Post NAT Source Port | [no field specified] |
Pre NAT Destination IP | [no field specified] |
Pre NAT Destination Port | [no field specified] |
Pre NAT Source IP | device_internal_ip |
Pre NAT Source Port | [no field specified] |
Primary Event ID | primary_event_id |
Process Effective Reputation | process_effective_reputation |
Process Fork PID | process_fork_pid |
Process GUID | process_guid, threat_cause_process_guid |
Process Hash | threat_cause_actor_sha256, process_hash[1] |
Process ID | threat_cause_actor_process_pid, process_pid |
Process Issuer | process_issuer |
Process Name | process_name |
Process Path | process_path |
Process Publisher Content | process_publisher[] |
Process Reputation | process_reputation |
Process Terminated | process_terminated |
Protocol | netconn_protocol |
Proxy Hostname | netconn_proxy_domain |
Proxy IP | netconn_proxy_ip |
Proxy Port | netconn_proxy_port |
Remote Domain | remote_domain |
Remote Is Private | remote_is_private |
Remote Namespace | remote_namespace, remote_k8s_namespace |
Remote Pod Name | remote_k8s_pod_name |
Remote Replicate ID | remote_replica_id |
Remote Workload ID | remote_workload_id |
Remote Workload Kind | remote_workload_kind |
Remote Workload Name | remote_workload_name |
Replica ID | replica_id |
Report ID | report_id |
Report Link | report_link |
Report Name | report_name |
Report Tags | report_tags[] |
Rule Category ID | rule_category_id |
Rule Config Category | rule_config_category |
Rule ID | rule_id |
Rule Name | rule_name |
Run State | run_state |
Sensor Action | sensor_action |
Source IP | local_ip, clientIp |
Source MAC | [no field specified] |
Source Port | local_port |
Target Command Line | target_cmdline |
Target GUID | childproc_guid, crossproc_guid |
Target Hash | childproc_hash[1], crossproc_hash[1], fileless_scriptload_hash[1], scriptload_hash[1] |
Target Name | crossproc_name, childproc_name |
Target Process ID | childproc_pid |
Target Reputation | crossproc_reputation, childproc_reputation, modload_effective_reputation |
Target Username | childproc_username, crossproc_username |
Threat ID | threat_id |
Threat Indicators | threat_indicators |
Threat Name | threat_name |
Threat Severity | threat_severity |
TMS Rule ID | tms_rule_id |
TTPs | ttps |
USB Device Friendly Name | external_device_friendly_name |
USB Product ID | product_id |
USB Product Name | product_name |
USB Serial Number | serial_number |
Username | process_username, device_username, loginName |
User Update Timestamp | user_update_timestamp |
Vendor ID | vendor_id |
Vendor Name | vendor_name |
Workflow Changed By | workflow_changed_by |
Workflow Changed By Type | workflow_changed_by_type |
Workflow Change Timestamp | workflow_change_timestamp |
Workflow Closure Reason | workflow_closure_reason |
Workflow Status | workflow_status |
Watchlists Content | watchlists[] |
Workload ID | workload_id |
Workload Kind | workload_kind |
Workload Name | workload_name |
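The mapping and timestamp formats above, worked through in code as an added example that is not the app's own parser: it normalizes Data Forwarder records (the LINEBYLINE jsonl format from the protocol parameters) onto a subset of the QRadar fields in the table, resolves the table's "field[1]" notation for list-valued hashes, and parses Log Source Time with the per-field formats listed. Assumed here: when several CBC fields map to one QRadar field, the first one present in table order wins; the sample records are constructed.

```python
import json
import re
from datetime import datetime, timezone

# Subset of the CBC -> QRadar mapping from the table above. Each QRadar field
# lists its CBC sources in table order; the first one present wins (assumed).
# "name[1]" is the table's notation for element 1 of a list-valued field.
FIELD_MAP = {
    "Alert ID": ["id", "alert_id"],
    "Event ID (custom)": ["created_by_event_id", "eventId", "event_id"],
    "Device Name": ["device_name"],
    "Source IP": ["local_ip", "clientIp"],
    "Destination IP": ["remote_ip", "netconn_remote_ip"],
    "Destination Port": ["remote_port", "netconn_remote_port"],
    "Process Hash": ["threat_cause_actor_sha256", "process_hash[1]"],
    "Username": ["process_username", "device_username", "loginName"],
    "Event Summary": ["event_description", "description", "reason"],
}

# Log Source Time sources and formats from the table, with the Java-style
# patterns rewritten as strptime directives ('SSS' becomes '%f').
TIME_SOURCES = [
    ("create_time", "%Y-%m-%dT%H:%M:%SZ"),
    ("eventTime", "%Y-%m-%dT%H:%M:%SZ"),
    ("syslog_create_time", "%Y-%m-%dT%H:%M:%S.%fZ"),
    ("device_timestamp", "%Y-%m-%d %H:%M:%S.%f +0000 UTC"),
]

_INDEXED = re.compile(r"^(\w+)\[(\d+)\]$")


def lookup(record, spec):
    """Resolve 'field' or 'field[n]'; None if absent, not a list, or too short."""
    m = _INDEXED.match(spec)
    if not m:
        return record.get(spec)
    value, idx = record.get(m.group(1)), int(m.group(2))
    return value[idx] if isinstance(value, list) and len(value) > idx else None


def log_source_time(record):
    """Parse Log Source Time from the first timestamp source that is present
    and well-formed; returns an aware UTC datetime or None."""
    for field, fmt in TIME_SOURCES:
        raw = record.get(field)
        if not isinstance(raw, str):
            continue
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # malformed value: fall back to the next source
    return None


def normalize(record):
    """Map one CBC record (alert or event) onto the QRadar field subset."""
    out = {}
    for qradar_field, sources in FIELD_MAP.items():
        for spec in sources:
            value = lookup(record, spec)
            if value is not None:
                out[qradar_field] = value
                break
    ts = log_source_time(record)
    if ts is not None:
        out["Log Source Time"] = ts.isoformat()
    return out


def normalize_jsonl(text):
    """Parse a LINEBYLINE payload (one JSON object per line). Blank lines are
    ignored; unparsable lines are counted so a truncated object is not lost silently."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(normalize(json.loads(line)))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


# Constructed sample lines, not real Carbon Black Cloud output: one alert,
# one endpoint event, and one object cut short mid-line.
SAMPLE_JSONL = "\n".join([
    json.dumps({"id": "alert-0001", "device_name": "WS-01",
                "threat_cause_actor_sha256": "a" * 64, "device_username": "jdoe",
                "reason": "Suspicious script", "create_time": "2024-07-17T10:15:30Z"}),
    json.dumps({"event_id": "evt-0001", "device_name": "WS-02", "local_ip": "192.0.2.10",
                "netconn_remote_ip": "203.0.113.7", "netconn_remote_port": 443,
                "process_username": "asmith", "event_description": "Outbound connection",
                "process_hash": ["d41d8cd98f00b204e9800998ecf8427e", "b" * 64],
                "device_timestamp": "2024-07-17 10:16:01.250 +0000 UTC"}),
    '{"id": "alert-0002", "device_name": "WS-03"',
])
```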
Right-Click Actions
Access the following actions by right-clicking certain columns in the “Log Activity” page. Each action may require additional configuration in the Carbon Black Cloud app under Settings > Configuration or Settings > Actions. Details and requirements are listed below for each of the actions.
Note: Some right-click actions are available from “Custom” columns which are not displayed by default. Read below on how to add a custom column.
Action | Description | Available on columns | Requirements |
---|---|---|---|
Add or remove IOC from watchlist | Add or remove specified IOC(s) to/from a specified report in a watchlist (may take a few minutes to apply across both systems). | All IP/Port columns, File Hash (custom), Parent Hash (custom), Process Hash (custom), Target Hash (custom) | Custom-type credentials, Org key, Product URL, Report prefix, Watchlist name |
Ban process hash | Prevents a sha256 hash from being executed in Carbon Black Cloud. | File Hash (custom), Process Hash (custom), Parent Hash (custom), Target Hash (custom) | Custom-type credentials, Org key, Product URL |
Carbon Black Cloud Investigate - Observations | Redirects you to the Carbon Black Cloud console "Investigate" page and filters observations by the selected event id. | Event ID (custom) | Product URL, Carbon Black Cloud access |
Carbon Black Cloud Search - Devices | Redirects you to the Carbon Black Cloud console "Inventory > Endpoints" or "Inventory > VM Workload" page and filters devices by the specified criteria. | All IP columns, Device ID (custom) | Product URL, Carbon Black Cloud access |
Dismiss alert | Dismisses the specified alert in Carbon Black Cloud. | Alert ID (custom) | Custom Type Credentials, Org Key, Product URL |
Enable or disable bypass | Enables or disables all policy enforcement on the device and enables/disables sending data from the sensor to the Carbon Black Cloud. | Device ID (custom) | Custom Type Credentials, Org Key, Product URL |
Get Process Details (new for v.2.2.0) | Opens a pop-up that displays the information for the process. | Process GUID (custom) | Custom Type Credentials, Org Key, Product URL |
Quarantine or unquarantine a device | Quarantines or unquarantines the specified device. When quarantined, it prevents suspicious activity and malware from affecting the rest of your network. The device can only communicate with Carbon Black Cloud until unquarantined. | Device ID (custom) | Custom Type Credentials, Org Key, Product URL |
Search observations by this IP on Carbon Black Cloud | Redirects you to the Carbon Black Cloud console "Investigate" page and filters observations by the selected IP address. | All IP columns | Product URL, Carbon Black Cloud access |
View Alert (new for v.2.2.0) | Redirects you to the Carbon Black Cloud console "Investigate" tab with a search query that matches the provided event ID. | Alert ID (custom) | Custom Type Credentials, Org Key, Product URL |
View device | Redirects you to the app's Devices tab and filters devices by the specified criteria. | Device ID (custom), All IP columns | Custom Type Credentials, Org Key, Product URL |
Add a Custom Column
The steps below explain how to add a custom column for accessing right-click actions in the “Log Activity” page.
1. Open your QRadar console, navigate to the "Log Activity" page, click "Search", then "Edit Search".
2. Scroll down to the "Column Definition" section and type or find the desired column. Select it, then click the arrow button to add it, and finally click "Search".
3. The new column will now be available in the Log Activity page.
Viewing App Logs
The app lives in a docker container with its own logs, separate from QRadar. For specific app issues (can’t connect, a specific app page broken, etc.), log into the shell of each app container to inspect the logs. For details about logging, go to IBM’s Troubleshooting Guide.
Additional Guides
Create Syslog Log Source
1. Open your QRadar console and navigate to Admin > QRadar Log Source Management.
2. In the popup window, click "Log Sources".
3. Click "+New Log Source" button.
4. Select "Single Log Source".
5. In the search field, enter "Carbon Black Cloud" and select it, then click "Step2: Select Protocol Type".
6. In the search field, enter "Syslog" and select it, then click "Step3: Configure Log Source Parameters".
7. Enter a unique "Name" and optionally you can change any of the predefined parameters per your needs.
Note: The default value for Coalescing Events is enabled. When this option is enabled and a log source emits multiple very similar events within a short time span, they are aggregated into a single event whose event count reflects the number of events that were aggregated. Keeping this enabled reduces the storage cost of events. Disable it if you want a separate event in QRadar for each alert.
8. Click "Step4: Configure Protocol Parameters":
9. Enter a unique "Log Source Identifier" and click "Finish".
10. Click "Deploy Changes" in the notification pop-up under the Admin tab for the changes to take effect.
11. Enter the "Log Source Identifier" name from step 9 in Settings > Configuration.
Increase TCP Syslog max payload size
1. Open your QRadar console and navigate to Admin > System Settings.
2. Click "Switch to: Advanced" button.
3. Find "Max TCP Syslog Payload Length", increase its value to the recommended 32000, then click "Save".
Multi-Tenancy
Multitenant environments allow Managed Security Service Providers (MSSPs) and multi-divisional organizations to provide security services to multiple client organizations from a single, shared IBM® QRadar® deployment. You don't have to deploy a unique QRadar instance for each customer.
In a multitenant deployment, you ensure that customers see only their data by creating domains based on their QRadar input sources. Then, use security profiles and user roles to manage privileges for large groups of users within the environment. Security profiles and user roles ensure that users have access to only the information they are authorized to see.
To learn how to set up your multitenant environment, follow IBM's Multitenant management.
Last modified on July 17, 2024