QRadar


The VMware Carbon Black EDR App for IBM QRadar lets administrators leverage an industry-leading, EDR (Endpoint Detection and Response) solution to detect risk and take action on endpoint activity from the QRadar console. With this app, you can access many of the powerful features of Carbon Black EDR, including process searches, endpoint isolation and system status alongside QRadar’s capabilities.

Download version 2.0.0 (released August 2021) from the IBM App Exchange.

Requirements

  • QRadar 7.3.3 Patch 6+ or 7.4.1 Patch 2+
    • QRadar 7.4.0 is not supported
  • Carbon Black EDR server, version 7.2 or above
    • The app can only connect to a single EDR cluster
  • Configured Log Source via API Keys and/or Data Forwarder to pull in desired data and enable right-click actions

Installation

Two components are needed to install and configure the QRadar App; the QRadar app and the VMware Carbon Black EDR Event Forwarder.

The Carbon Black Device Support Module (DSM) which translates the Carbon Black data into a format QRadar can index is packaged with QRadar. The IBM QRadar DSM guide has further details.

  1. Download the app from the IBM App Exchange
  2. Configure VMware Carbon Black EDR Event Forwarder – Allows data to be ingested into QRadar from Carbon Black
    • Optional, but recommended
    • The Event Forwarder can be configured to forward Carbon Black EDR events in LEEF format to a QRadar log collector appliance.
    • To forward Carbon Black EDR events to a QRadar server create a log source for the Carbon Black server.
    • See the IBM QRadar Log Sources User Guide for information on how to create a log source.
  3. Install the app following IBM installation instructions

Configuration

Once the VMware Carbon Black EDR app for IBM QRadar is installed, configure it to connect to your Carbon Black EDR server.

Note: The Carbon Black EDR app for IBM QRadar can only connect to one cluster, not multiple.

  • Navigate to the Admin tab of your QRadar server.
  • Scroll to the Plug-ins section at the bottom of the page.
  • Click the Carbon Black button.
  • Log into your Carbon Black EDR server to retrieve the API token for the user who will access the app.
    • Note: The user for this app must have Global Administrator privileges on the Carbon Black EDR server.
    • Log into the Carbon Black EDR server with the appropriate account.
    • In the top-right corner of the Carbon Black EDR console, select Username > My Profile.
    • On the My Profile page, click API Token in the left menu.
    • Copy the displayed API token.
  • Return to the VMware Carbon Black EDR app for IBM QRadar page and do the following:
    • Paste the API token into the Carbon Black API Token field.
    • Enter the URL for your Carbon Black EDR server instance in the Carbon Black Root URL field.
      • For example, enter: https://cbserver.mycompany.com
      • Note: Do not place a trailing slash (/) on this URL.
  • To test the configuration of the VMware Carbon Black EDR app for IBM QRadar after setting the URL and API token:
    • Click the Check Configuration button.
    • If the connection succeeds, a grey status bar appears that reads “Carbon Black EDR Server Responded”.
    • After the correct parameters are entered, click Set Configuration to save the new configuration.
    • A grey status bar will appear that reads “Carbon Black EDR Configuration Set Successfully”.

You will now be able to:

  • Access the Carbon Black EDR Dashboard via the Carbon Black EDR tab;
  • Add the Carbon Black Dashboard widget to the QRadar Dashboard; and
  • View the Offenses and Log Activity context menus.

Troubleshooting

If an error occurs, check the debug logs for details on resolving the error. Access the debug logs under the Carbon Black EDR tab by clicking the Admin tab, and then select Debug Logs. This displays the most recent error messages.

Support and Resources

  • View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the VMware Carbon Black Community.
  • Report bugs and change requests to Carbon Black Support
Last modified on September 20, 2021