App for IBM QRadar - Installation & User Guide v2.3.0



Requirements

  • Access to Carbon Black Cloud
  • IBM QRadar version 7.5.0 update pack 3 or later


Getting Started

This guide describes:

  • How to choose and set up the appropriate log source(s) for your VMware Carbon Black Cloud app for IBM QRadar
  • Steps to install and configure different settings in the app
  • Various pages and actions you can use once it is configured

Log Source

The app offers two log source input options, or methods of data ingestion. Each method supports different types of data; to access all of them you need both the Built-in API input and the Data Forwarder input. Additional features such as Device information and Right-click actions also require the app configuration described below.


Built-in API Input

This method of data ingestion uses VMware Carbon Black Cloud REST APIs to pull data into QRadar.

Supported data and features:

Requirements:

For customers with Identity managed in Carbon Black Cloud:

  • An API Key of the “Custom” access level type (API ID and API Secret Key), used for all data inputs and right-click Actions

For customers with Identity managed in VMware Cloud Services Platform:

  • OAuth App granted a custom role with the necessary permissions (for all data inputs and right-click Actions)

See Authentication for more information.

Pros:

  • Available out of the box without the need to configure an AWS S3 bucket

Cons:

  • Container Memory Limit - The app container's memory is limited to 10% of the system's physical memory (as discussed in this thread). A sustained burst of Alerts on a host with little physical memory can exhaust that limit and delay Alert and general data processing. If you experience such symptoms, consider using the Data Forwarder input.

Setup Built-in Input

Follow the steps below to create API Keys with the appropriate permissions and configure the Log Source Type to start pulling in Carbon Black Cloud data.

'Custom' Type Credentials


1. Open your Carbon Black Cloud console, go to Settings > API Access, select "Access Levels" and click "+ Add Access Level".

2. Fill in the "Name" and "Description" fields, grant the new Access Level the following RBAC permissions and click Save.

Alerts (org.alerts) - READ
Alerts (org.alerts.close) - EXECUTE
Applications (org.reputations) - CREATE, READ
Audit Logs (org.audits) - READ (new for v.2.2.0)
Background Tasks (jobs.status) - READ (new for v.2.3.0)
Custom Detections (org.watchlists) - CREATE, READ, UPDATE, DELETE
Device (device.quarantine) - EXECUTE
Device (device.bypass) - EXECUTE
Device (device) - READ
Device (device.policy) - UPDATE
Device (device.bg-scan) - EXECUTE
Events (org.search.events) - CREATE, READ (new for v.2.2.0)
Policies (org.policies) - READ (new for v.2.2.0)
Unified Binary Store (ubs.org.sha256) - READ

3. Go to the "API Keys" tab and click "+ Add API Key".

4. Enter a "Name", click on the "Access Level type" dropdown, select "Custom", click on the "Custom Access Level" dropdown and select the level you created in step 2, then click Save.

5. Copy the API Secret Key and API ID from the pop-up modal (store the API Secret Key now; it cannot be retrieved after creation) and open the QRadar console. Treat this key as a privileged credential: with the Access Level above it can quarantine devices, put sensors into bypass, change device policies and ban hashes, so keep it in a secrets manager rather than in shared notes, and rotate it if it is ever exposed.

6. Go to Carbon Black Cloud > Settings > Configuration.

7. Add the API ID and API Secret Key to their respective "Custom Type" fields and click Save.


Log Source Autodetection

1. Open your QRadar console and navigate to Admin > DSM Editor.

2. In the popup window, search for "Carbon Black Cloud" and click Select.

3. Select the "Configuration" tab, toggle on the "Enable Log Source Autodetection" option and click "Show Advanced Options".

4. Set "Minimum Successful Events for Autodetection" to a low value, so that the Log Source is created as soon as the first few events parse successfully. Click Save and close the DSM Editor.

Optional: You can pick a custom name for the Log Source by editing the Log Source Name Template value. The default Log Source name is CarbonBlackCloudCustom @ localhost.

Note: If the Log Source is created automatically, the Coalescing Events option is enabled on it. With coalescing, multiple very similar events emitted by a log source within a short time span are aggregated into a single event whose event count reflects the number of events aggregated. Leaving it enabled reduces the storage cost of events; disable it if you want a separate event in QRadar for each alert.


If you encounter any errors or need additional information, check out the Troubleshooting page.

If the autodetection and creation of the Log Source fails for some reason, you can manually create a Log Source following the steps described in Additional Guides > Create Syslog Log Source.

Data Forwarder Input

This method of data ingestion is recommended when you have a high volume of data or significant bursts, as it scales better. The Data Forwarder streams the data to an AWS S3 bucket, from which it is pulled into QRadar via the Amazon AWS S3 REST API protocol. Use the Data Forwarder input in conjunction with the Built-in API input to access the full feature set of the app.

Supported data and features:

Requirements:

  • Data Forwarder(s) configured in Carbon Black Cloud
  • Amazon AWS S3 REST API Protocol for QRadar updated to the latest version

Pros:

  • Streams data into an AWS S3 bucket at scale

Cons:

  • Requires configuration of an AWS S3 bucket

Setup Data Forwarder Input

To use a Data Forwarder input, you will need:

  • AWS S3 bucket
  • AWS SQS queue
  • Management Access Policy and User
  • Carbon Black Cloud Data Forwarder(s)
  • Log Source in QRadar

Note: For each data type (Alerts and Events), you will need a separate Data Forwarder in Carbon Black Cloud.

Note: You can configure more than one forwarder of either type if you have complex filtering needs.

AWS S3 Bucket and Management Access Policy

1. Create an S3 bucket in the AWS Console.

2. Configure the Bucket Policy to allow the Carbon Black Cloud Data Forwarder to write to the bucket (the required policy is given in the Carbon Black Cloud Data Forwarder guide linked below).

3. Create the Management Access Policy (the IAM policy QRadar will use to read from the bucket and queue):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessage",
                "sqs:SendMessageBatch",
                "sqs:ReceiveMessage",
                "sqs:SendMessage"
            ],
            "Resource": [
                "arn:aws:sqs:<aws-region>:535601802221:<name-of-queue>",
                "arn:aws:s3:::<name-of-s3-bucket>/*"
            ]
        }
    ]
}

Replace <aws-region>, <name-of-queue> and <name-of-s3-bucket> with your own values, and replace the account ID shown (535601802221) in this policy and in the SQS policy below with your own AWS account ID. The QRadar collector only receives and deletes queue messages, so sqs:SendMessage and sqs:SendMessageBatch are not needed by it; dropping them keeps the policy to least privilege.

4. Create an IAM user that uses this policy and check Programmatic Access, which generates an Access Key ID and Secret Access Key.

5. Save the generated Access Key ID and Secret Access Key.

AWS SQS Queue

1. Create an SQS queue in your AWS Management Console and set the Access policy:
{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__sender_statement",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "SQS:SendMessage",
            "Resource": "arn:aws:sqs:<aws-region>:535601802221:<name-of-queue>",
            "Condition": {
                "ForAllValues:ArnEquals": {
                    "aws:SourceArn": "arn:aws:s3:::<name-of-s3-bucket>"
                }
            }
        }
    ]
}

2. Configure the Event Notification in the S3 bucket to use this queue - navigate to Properties > Event Notifications and set for Destination SQS queue the arn of the new queue.

Note: With the SQS collection method, a notification is removed from the queue once QRadar has retrieved it, so older objects cannot be read again through the queue. To view historical events or reload data, use the generic S3 collection method instead, or copy the objects to another prefix in the bucket; the copies generate new event notifications and are picked up from the queue.

Carbon Black Cloud Data Forwarder

Configure your Data Forwarder with filters to limit the amount of event data forwarded to QRadar. The forwarder can be created in the Carbon Black Cloud console under Settings > Data Forwarders, or by following the Carbon Black Cloud Data Forwarder API guide.

For more detailed instructions on setting up a Data Forwarder using the APIs, see the following:
Step-by-step guide
Data Forwarder video tutorial

Note: The same forwarder cannot be used for both Alerts and Events. Create a separate forwarder for each type of data you want to forward.

Note: If you use the Data Forwarder to ingest alert data, do not enable any of the built-in alert types under Settings > Data, otherwise you will get duplicate alerts in QRadar.

Note: For the Alert forwarder, make sure you select the v2 schema.

QRadar Log Source for the Data Forwarder

1. Open your QRadar console and navigate to Admin > QRadar Log Source Management.

2. In the popup window, click "Log Sources".

3. Click the "+New Log Source" button.

4. Select "Single Log Source".

5. In the search field, enter "Carbon Black Cloud" and select it, then click "Step2: Select Protocol Type".

6. In the search field, enter "Amazon AWS S3 REST API" and select it, then click "Step3: Configure Log Source Parameters".

7. Click "Enable", configure the rest of the Log Source Parameters, then click "Step4: Configure Protocol Parameters":

Name - Choose a name for the log source. Note: Pick a name different from the built-in log source 'CarbonBlackCloudCustom'; otherwise filtering events by log source name becomes difficult.

Note: Coalescing Events is enabled by default. With coalescing, multiple very similar events emitted by a log source within a short time span are aggregated into a single event whose event count reflects the number of events aggregated. Leaving it enabled reduces the storage cost of events; disable it if you want a separate event in QRadar for each alert.

8. Configure the Protocol Parameters:
Log Source Identifier - Choose an identifier for your Log Source
Authentication Method - Access Key ID / Secret Key
Access Key ID and Secret Key - The Access Key ID and Secret Access Key of the IAM user created above
S3 Collection Method - SQS Event Notification
SQS Queue URL - The URL of the queue, copied from the AWS Management Console
Region Name - The region of the S3 bucket
Event Format - LINEBYLINE, because the Data Forwarder writes newline-delimited JSON (jsonl) files with one record per line

9. Click "Start Test" to verify the configuration, or "Skip Test and Finish".

10. Click "Deploy Changes" in the notification pop-up under the Admin tab for the changes to take effect.
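The Data Forwarder path above, as an added example that is not part of the app or of IBM's S3 REST API protocol code: it parses the SQS notification S3 emits when the forwarder writes an object, decodes the jsonl object line by line the way the LINEBYLINE event format does, and applies the same severity and alert-type filters as the Settings > Data toggles, so you can see why enabling the built-in alert types alongside an alert forwarder produces duplicate alert IDs. The sample messages and alerts are constructed; the bucket, queue and org key values are placeholders, and gzip compression of forwarder objects is an assumption (the page only says jsonl).

```python
import gzip
import json
from urllib.parse import unquote_plus

# Constructed sample messages (not captured from a real queue).
# S3 sends a test message, with no "Records", when the notification is first configured.
TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                         "Bucket": "cbc-forwarder-demo"})
OBJECT_CREATED = json.dumps({"Records": [{
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "cbc-forwarder-demo"},
           # S3 URL-encodes object keys in notifications ('=' becomes %3D)
           "object": {"key": "alerts/org_key%3DABCD1234/2024-07-17/alerts.jsonl.gz"}}}]})

# Constructed forwarder object: gzip-compressed jsonl with a blank line and one bad line.
SAMPLE_ALERTS = [
    {"id": "alert-1", "type": "CB_ANALYTICS", "severity": 5, "device_name": "WIN-LAB-01"},
    {"id": "alert-2", "type": "WATCHLIST", "severity": 3, "device_name": "LNX-LAB-02"},
    {"id": "alert-1", "type": "CB_ANALYTICS", "severity": 5, "device_name": "WIN-LAB-01"},
    {"id": "alert-3", "type": "DEVICE_CONTROL", "severity": 7, "device_name": "WIN-LAB-03"},
]
SAMPLE_OBJECT = gzip.compress(
    ("\n".join(json.dumps(a) for a in SAMPLE_ALERTS) + "\n\n{not json\n").encode("utf-8"))


def parse_s3_notification(body: str) -> list:
    """Return (bucket, key) pairs for ObjectCreated records in one SQS message body."""
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":      # first message after setup; nothing to fetch
        return []
    pairs = []
    for rec in msg.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = rec["s3"]
        pairs.append((s3["bucket"]["name"], unquote_plus(s3["object"]["key"])))
    return pairs


def load_jsonl(blob: bytes) -> list:
    """Decode one forwarder object into records, one JSON document per line (LINEBYLINE).
    Handles gzip-compressed objects (assumption) and skips blank or malformed lines
    instead of dropping the whole file."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    records = []
    for line in blob.decode("utf-8").splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def select_alerts(records: list, min_severity: int, enabled_types: set) -> list:
    """Apply the same filters as the app's Settings > Data alert toggles."""
    return [r for r in records
            if r.get("severity", 0) >= min_severity and r.get("type") in enabled_types]


def dedupe_by_id(records: list) -> list:
    """Drop repeated alert IDs (what you would have to do if the same alert arrived twice)."""
    seen, unique = set(), []
    for r in records:
        if r.get("id") in seen:
            continue
        seen.add(r.get("id"))
        unique.append(r)
    return unique


def demo():
    objects = parse_s3_notification(TEST_EVENT) + parse_s3_notification(OBJECT_CREATED)
    records = load_jsonl(SAMPLE_OBJECT)
    kept = select_alerts(records, min_severity=4,
                         enabled_types={"CB_ANALYTICS", "DEVICE_CONTROL"})
    return objects, records, kept, dedupe_by_id(kept)


if __name__ == "__main__":
    objects, records, kept, unique = demo()
    print(objects)
    print(len(records), "records,", len(kept), "kept,", len(unique), "unique")
```

The two edge cases worth noticing are the s3:TestEvent message, which is the first thing in a freshly configured queue and carries no object, and the URL-encoded key, which must be decoded before the object is fetched from the bucket.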


Installation and Configuration

Install the Carbon Black Cloud app for IBM QRadar via the IBM X-Force Security App Exchange.

You will need a user with admin privileges in order to configure the app.

1. Open your Carbon Black Cloud console and copy its URL (including the "https://") and ORG KEY.

2. Open the QRadar console, go to Carbon Black Cloud > Settings > Configuration and paste the URL and ORG KEY in their respective fields.

3. If you have not filled in the API Credentials on the Configuration page, do so as explained in Setup Built-in Input > 'Custom' Type Credentials and click Save.

4. OPTIONAL - If you use a proxy, add your Proxy URL (in the format [http/https]://[ip/hostname]:[port]), Username, and Password under the "Proxy Settings" section, enable the proxy toggle and click Save.

5. OPTIONAL - Enter a custom name for the "Log Source Identifier".

Important: Before entering a custom name, you need to create a Custom Log Source, then enter its "Log Source Identifier" under Settings > Configuration > Log Source Identifier. To learn how to create a Syslog Log Source, see Additional Guides > Create Syslog Log Source.

6. OPTIONAL - If you have a more complex QRadar deployment with the app running on a dedicated App Host, enter the QRadar Console IP or hostname (or an external Event Collector IP or hostname) in the "Custom Event Collector IP" field. Otherwise leave it empty.

Note: If you are ingesting Alerts, we recommend that you increase the TCP Syslog max payload size of your QRadar deployment. Instructions are in Additional Guides > Increase TCP Syslog max payload size.




7. When you click Save, the configuration is validated and its current status is shown. If it is invalid, a pop-up shows details of the validation error and offers the option to save the invalid configuration anyway. If it is valid, a green message appears in the upper right corner.

Note: Each time you land on Carbon Black Cloud > Settings > Configuration, configuration validation is triggered to show you the current status of your configuration.

[Screenshots in the original: saving an invalid configuration; validation when landing on Settings > Configuration]



Note: Admin users can reset the configuration (to the default configuration used for a fresh install) and test it at any time using the Reset Configuration and Test Configuration buttons.

If you encounter any errors or need additional information, check out the Troubleshooting page.

Polling

If you pull in Audit Log or Alert data through the Built-in API input, you will need to enable Polling. You will need a user with admin privileges in order to configure the polling.

1. In the Carbon Black Cloud app, navigate to Settings > Data.

2. Under Polling, toggle the 'Polling Status' switch to 'Enabled'. Once enabled, the last-contact field displays the last time the app polled VMware Carbon Black Cloud for data.

3. By default, the app is set to poll Carbon Black Cloud for data at an interval of 180 seconds (3 minutes). You can change the interval by entering another value between 60 and 600 seconds.

4. Click Save when you finish editing your Polling and other Data settings.


Alerts and Audit Logs

If you pull in Alert data via the API, you can control which types of alerts are brought in. If you stream alerts in via the Data Forwarder, do not enable any of the alert types, otherwise you will receive duplicates. You will need a user with admin privileges in order to configure the Alert data.

Note: If you are ingesting alerts via the Built-in API Input (which delivers them to QRadar over Syslog), we strongly recommend increasing QRadar's Max TCP Syslog Payload Length. At its low default value the app may not ingest some Alerts correctly. A step-by-step guide is in Additional Guides > Increase TCP Syslog max payload size.

1. In the Carbon Black Cloud app, navigate to Settings > Data.

2. Under 'Alerts', you can configure the following:
Minimum Alert Severity - control the severity of the alerts being pulled in. For example, choosing '4' will pull alerts with a severity of 4 or higher.
CB Analytics Alerts - change the switch to 'Enabled' to bring in CB_ANALYTICS alerts. Requires Endpoint Standard.
Container Runtime Alerts - change the switch to 'Enabled' to bring in CONTAINER_RUNTIME alerts. Requires Container Security.
Device Control Alerts - change the switch to 'Enabled' to bring in DEVICE_CONTROL alerts. Requires Endpoint Standard.
Host Based Firewall Alerts - change the switch to 'Enabled' to bring in HOST_BASED_FIREWALL alerts. Requires Endpoint Standard Host-Based Firewall add-on.
Intrusion Detection Systems Alerts - change the switch to 'Enabled' to bring in INTRUSION_DETECTION_SYSTEM alerts. Requires XDR extension to Enterprise EDR.
Watchlist Alerts - change the switch to 'Enabled' to bring in WATCHLIST alerts. Requires Enterprise EDR.

3. In the 'Audit Logs' section, you can enable or disable ingesting Audit Logs.

4. Click Save when you finish editing your Data settings.


Actions

To use the watchlist actions in the Log Activity page, you must configure the watchlist action settings. You will need a user with admin privileges in order to configure the Actions data.

1. In the Carbon Black Cloud app, navigate to Settings > Actions.

2. In the 'Watchlist Name' input, enter the name of the watchlist in the VMware Carbon Black Cloud console where you want to send IOCs.

3. In the 'Report Prefix', enter a prefix to the watchlist report. This is the report where you will find IOCs added from the app in the Carbon Black Cloud console.

4. In the 'Report Severity' dropdown, select the severity that you want to apply to the report created in the watchlist.
Note: Watchlist actions require Enterprise EDR.



Using the App

Log Activity Tab

Use the Log Activity tab to view data pulled from the Carbon Black Cloud. The table below lists the different types of data you can access from this page.

Alerts - Alerts indicate suspicious behavior and known threats in your environment and provide details on the events that led to an alert. Details include metadata about the alert and a list of all the events associated with the alert. Learn more about the feature or go to the API documentation.
Audit Logs - Use the Audit Logs to review actions performed by Carbon Black Cloud users, such as log-in attempts, updates to connectors, creation of connectors, Live Response events, and more. Learn more about the feature or go to the API documentation.
Events - An overview of endpoint events reported to Carbon Black Cloud by the sensors. Get the full list of field descriptions.

View Device Information

The Devices sub-tab in the Carbon Black Cloud app provides an overview of the active devices reporting event data to the Carbon Black Cloud. View information like OS version, active policy, sensor version and more. You can also use this page to update the policy applied to a device.

To use this feature, you must configure the following fields on the Settings > Configuration page: Product URL, Org Key, Custom Type Credentials.

You do not need a user with admin privileges in order to access the Devices tab.

Devices Overview

The 'Query Devices' search field can be used to narrow the list of devices. It supports key-value and value-only-based search. The value-based search will look for the desired keyword in all parameters.

Supported keys are: status, os, last_external_ip_address, last_internal_ip_address, name. Multiple space-separated values can be queried within a single search.
Example: 'last_external_ip_address:10.10.10.10' or '10.10.10.10'.

Device Details

To access details about each sensor's configuration, click the 'Device' name on each row.

Change Device Security Policy

To change the security policy applied to the device, click the Policy dropdown and select the desired policy from the list. A dialogue box opens to confirm the change; click OK to confirm it. It may take a few minutes for the change to be applied in both systems.



Learn more about the Devices API here.


Mapping Carbon Black Cloud Data

The “Carbon Black Cloud” Log Source Type normalizes Carbon Black Cloud data into a format that QRadar can index. The table below provides the full CBC to QRadar field mapping.

QRadar Field | CBC Field(s)
Action | action
Additional Events Present | additional_events_present
Alert Blocked Threat Category | blocked_threat_category
Alert C2 Involved | threat_activity_c2
Alert Category | category
Alert DLP Involved | threat_activity_dlp
Alert First Event Time | first_event_time
Alert ID | id, alert_id
Alert Last Event Time | last_event_time
Alert Last Update Time | last_update_time
Alert Not Blocked Threat Category | not_blocked_threat_category
Alert Notes Present | notes_present
Alert Phishing Involved | threat_activity_phish
Alert Policy Applied | policy_applied
Alert Reason Code | reason_code
Alert Status | status
Alert Tags | tags
Alert Threat Cause Actor Name | threat_cause_actor_name
Alert Threat Cause Category | threat_cause_threat_category
Alert Threat Caused By Event ID | threat_cause_cause_event_id
Alert Threat Cause Reputation | threat_cause_reputation
Alert Threat Cause Vector | threat_cause_vector
Alert Threat Notes Present | threat_notes_present
Alert URL | alert_url
API Call | crossproc_api
Attack Tactic | attack_tactic
Attack Technique | attack_technique
Audit Log Event Timestamp | eventTime
Audit Log Flagged | flagged
Backend Timestamp | backend_timestamp
Backend Update Timestamp | backend_update_timestamp
Blocked Effective Reputation | blocked_effective_reputation
Blocked MD5 | blocked_md5
Blocked Name | blocked_name
Blocked SHA256 | blocked_sha256
CBC Event Count | scriptload_count, modload_count
Child Process Command Line | childproc_cmdline
Cluster Name | cluster_name, k8s_cluster
Cluster Policy ID | k8s_policy_id
Command Line | process_cmdline
Connection Type | connection_type
Cross-process Event Target | crossproc_target
Date Time | backend_timestamp, create_time, syslog_create_time
Destination FQDN | netconn_domain
Destination IP | remote_ip, netconn_remote_ip
Destination MAC | [no field specified]
Destination Port | remote_port, netconn_remote_port
Determination Changed By | determination_changed_by
Determination Changed By Type | determination_changed_by_type
Determination Change Timestamp | determination_change_timestamp
Determination Value | determination_value
Device Group | device_group
Device ID | device_id
Device Name | device_name
Device Priority | target_value
Device Timestamp | device_timestamp
Device UEM ID | device_uem_id
Duration Seconds | process_duration
Egress Group ID | egress_group_id
Egress Group Name | egress_group_name
Event Category | severity, type, cat
Event ID | type, cat
Event ID (custom) | created_by_event_id, eventId, event_id
Event Origin | event_origin
Event Summary | event_description, description, reason
File Hash | filemod_hash[1], modload_hash[1], scriptload_hash[1], fileless_scriptload_hash[1], modload_sha256
Fileless Script Load Command Line | fileless_scriptload_cmdline
File Path | filemod_name, regmod_name, modload_name, scriptload_name
First Event Timestamp | first_event_timestamp
Identity Extended Field | [no field specified]
Identity Group Name | device_group
Identity Host Name | device_name
Identity IP | device_internal_ip
Identity IPv6 | [no field specified]
Identity MAC | [no field specified]
Identity Net BIOS Name | [no field specified]
IOC Field | ioc_field
IOC ID | ioc_id
IOC Value | ioc_hit
IP Reputation | ip_reputation
IPv6 Destination | netconn_remote_ipv6
IPv6 Source | netconn_local_ipv6
Is Updated | is_updated
Legacy Alert ID | legacy_alert_id
Location | device_location
Log Source Time | create_time (yyyy-MM-dd'T'HH:mm:ss'Z'), eventTime (yyyy-MM-dd'T'HH:mm:ss'Z'), syslog_create_time (yyyy-MM-dd'T'HH:mm:ss.SSS'Z'), device_timestamp (yyyy-MM-dd HH:mm:ss.SSS +0000 'UTC')
MDR Determination Change Timestamp | mdr_determination_change_timestamp
MDR Determination Value | mdr_determination_value
MDR Workflow Change Timestamp | mdr_workflow_change_timestamp
MDR Workflow Is Assigned | mdr_workflow_is_assigned
MDR Workflow Status | mdr_workflow_status
Minimum Severity | minimum_severity
ML Classification Final Verdict | ml_classification_final_verdict
ML Classification Global Prevalence | ml_classification_global_prevalence
ML Classification Org Prevalence | ml_classification_org_prevalence
Namespace | namespace
Network Connection Inbound | netconn_inbound
Network Protocol | netconn_protocol, protocol
Organisation Name | orgName
Org Key | org_key
OS Name | device_os
OS Version | device_os_version
Parent Command | parent_cmdline
Parent Effective Reputation | parent_effective_reputation
Parent GUID | parent_guid, threat_cause_parent_guid
Parent Hash | parent_hash[1]
Parent Path | parent_path
Parent Process ID | parent_pid
Parent Process Reputation | parent_reputation
Parent Publisher Content | parent_publisher[]
Parent Username | parent_username
Pod Name | k8s_pod_name
Policy ID | policy_id
Policy Name | policy_name
Post NAT Destination IP | [no field specified]
Post NAT Destination Port | [no field specified]
Post NAT Source IP | device_external_ip
Post NAT Source Port | [no field specified]
Pre NAT Destination IP | [no field specified]
Pre NAT Destination Port | [no field specified]
Pre NAT Source IP | device_internal_ip
Pre NAT Source Port | [no field specified]
Primary Event ID | primary_event_id
Process Effective Reputation | process_effective_reputation
Process Fork PID | process_fork_pid
Process GUID | process_guid, threat_cause_process_guid
Process Hash | threat_cause_actor_sha256, process_hash[1]
Process ID | threat_cause_actor_process_pid, process_pid
Process Issuer | process_issuer
Process Name | process_name
Process Path | process_path
Process Publisher Content | process_publisher[]
Process Reputation | process_reputation
Process Terminated | process_terminated
Protocol | netconn_protocol
Proxy Hostname | netconn_proxy_domain
Proxy IP | netconn_proxy_ip
Proxy Port | netconn_proxy_port
Remote Domain | remote_domain
Remote Is Private | remote_is_private
Remote Namespace | remote_namespace, remote_k8s_namespace
Remote Pod Name | remote_k8s_pod_name
Remote Replica ID | remote_replica_id
Remote Workload ID | remote_workload_id
Remote Workload Kind | remote_workload_kind
Remote Workload Name | remote_workload_name
Replica ID | replica_id
Report ID | report_id
Report Link | report_link
Report Name | report_name
Report Tags | report_tags[]
Rule Category ID | rule_category_id
Rule Config Category | rule_config_category
Rule ID | rule_id
Rule Name | rule_name
Run State | run_state
Sensor Action | sensor_action
Source IP | local_ip, clientIp
Source MAC | [no field specified]
Source Port | local_port
Target Command Line | target_cmdline
Target GUID | childproc_guid, crossproc_guid
Target Hash | childproc_hash[1], crossproc_hash[1], fileless_scriptload_hash[1], scriptload_hash[1]
Target Name | crossproc_name, childproc_name
Target Process ID | childproc_pid
Target Reputation | crossproc_reputation, childproc_reputation, modload_effective_reputation
Target Username | childproc_username, crossproc_username
Threat ID | threat_id
Threat Indicators | threat_indicators
Threat Name | threat_name
Threat Severity | threat_severity
TMS Rule ID | tms_rule_id
TTPs | ttps
USB Device Friendly Name | external_device_friendly_name
USB Product ID | product_id
USB Product Name | product_name
USB Serial Number | serial_number
Username | process_username, device_username, loginName
User Update Timestamp | user_update_timestamp
Vendor ID | vendor_id
Vendor Name | vendor_name
Workflow Changed By | workflow_changed_by
Workflow Changed By Type | workflow_changed_by_type
Workflow Change Timestamp | workflow_change_timestamp
Workflow Closure Reason | workflow_closure_reason
Workflow Status | workflow_status
Watchlists Content | watchlists[]
Workload ID | workload_id
Workload Kind | workload_kind
Workload Name | workload_name
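An added example, not the app's DSM or parser code, that applies a subset of the mapping above to constructed records. Where the table lists several CBC fields for one QRadar field, the first one present is used; a name written as `name[1]` is read as a zero-based index into a CBC array field (assumption: that selects the SHA-256 entry of the [md5, sha256] hash arrays, which is what the hash-based right-click actions need); and the Log Source Time formats are parsed into UTC. The sample alert and event records are constructed, not real data.

```python
from datetime import datetime, timezone

# QRadar field -> candidate CBC fields in table order; the first one present wins.
# A subset of the table above; extend it the same way for the other rows.
FIELD_MAP = {
    "Alert ID": ["id", "alert_id"],
    "Event ID (custom)": ["created_by_event_id", "eventId", "event_id"],
    "Event Summary": ["event_description", "description", "reason"],
    "Date Time": ["backend_timestamp", "create_time", "syslog_create_time"],
    "Source IP": ["local_ip", "clientIp"],
    "Destination IP": ["remote_ip", "netconn_remote_ip"],
    "Destination Port": ["remote_port", "netconn_remote_port"],
    "Identity Host Name": ["device_name"],
    "Identity IP": ["device_internal_ip"],
    "Post NAT Source IP": ["device_external_ip"],
    "Process Hash": ["threat_cause_actor_sha256", "process_hash[1]"],
    "Process ID": ["threat_cause_actor_process_pid", "process_pid"],
    "Username": ["process_username", "device_username", "loginName"],
}

# The timestamp formats listed in the "Log Source Time" row, as strptime patterns.
TIME_FORMATS = [
    "%Y-%m-%dT%H:%M:%SZ",            # create_time, eventTime
    "%Y-%m-%dT%H:%M:%S.%fZ",         # syslog_create_time, backend_timestamp
    "%Y-%m-%d %H:%M:%S.%f %z UTC",   # device_timestamp
]


def get_path(record: dict, path: str):
    """Resolve a plain key or an indexed key such as 'process_hash[1]'.
    Assumption: the index is zero-based, so [1] picks the SHA-256 entry of
    CBC's [md5, sha256] hash arrays. Returns None when the element is missing."""
    if path.endswith("]"):
        name, idx = path[:-1].split("[", 1)
        seq = record.get(name)
        i = int(idx)
        return seq[i] if isinstance(seq, list) and len(seq) > i else None
    return record.get(path)


def parse_time(value: str):
    """Parse one of the listed formats into an aware UTC datetime, or None."""
    for fmt in TIME_FORMATS:
        try:
            dt = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)
    return None


def normalize(record: dict) -> dict:
    """Map a raw CBC alert, event or audit record to QRadar field names."""
    out = {}
    for qradar_field, candidates in FIELD_MAP.items():
        for cbc_field in candidates:
            value = get_path(record, cbc_field)
            if value not in (None, "", []):
                out[qradar_field] = value
                break
    if "Date Time" in out:
        parsed = parse_time(str(out["Date Time"]))
        out["Date Time"] = parsed.isoformat() if parsed else None
    return out


# Constructed records in the shape of a v7 alert and an endpoint event (not real data).
SAMPLE_ALERT = {
    "id": "demo-alert-7d3a", "type": "CB_ANALYTICS", "severity": 5,
    "backend_timestamp": "2024-07-17T10:15:30.123Z",
    "device_name": "WIN-LAB-01", "device_internal_ip": "10.10.10.10",
    "device_external_ip": "203.0.113.5", "device_username": "LAB\\alice",
    "threat_cause_actor_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "threat_cause_actor_process_pid": 4242,
    "reason": "The application powershell.exe invoked another application (cmd.exe).",
}
SAMPLE_EVENT = {
    "event_id": "demo-event-9f1c", "create_time": "2024-07-17T10:16:00Z",
    "device_name": "LNX-LAB-02", "netconn_remote_ip": "198.51.100.7",
    "netconn_remote_port": 443, "process_pid": 1234, "process_username": "bob",
    "process_hash": ["d41d8cd98f00b204e9800998ecf8427e",
                     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "event_description": "Outbound TCP connection to 198.51.100.7:443",
}

if __name__ == "__main__":
    for rec in (SAMPLE_ALERT, SAMPLE_EVENT):
        print(normalize(rec))
```

The candidate order matters for rows such as Process Hash and Username: an alert carries threat_cause_actor_sha256 and device_username, an event carries process_hash and process_username, and a record that has neither simply does not get the QRadar field rather than an empty string.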

Right-Click Actions

Access the following actions by right-clicking certain columns in the “Log Activity” page. Each action may require additional configuration in the Carbon Black Cloud app under Settings > Configuration or Settings > Actions. Details and requirements are listed below for each of the actions.

Note: Some right-click actions are available from “Custom” columns which are not displayed by default. Read below on how to add a custom column.

Add or remove IOC from watchlist
  • Description: Adds or removes the specified IOC(s) to/from a specified report in a watchlist (may take a few minutes to apply across both systems).
  • Available on columns: All IP/Port columns, File Hash (custom), Parent Hash (custom), Process Hash (custom), Target Hash (custom)
  • Requirements: Custom-type credentials, Org key, Product URL, Report prefix, Watchlist name

Ban process hash
  • Description: Adds the selected SHA-256 hash to the Carbon Black Cloud banned list so that it is prevented from executing.
  • Available on columns: File Hash (custom), Process Hash (custom), Parent Hash (custom), Target Hash (custom)
  • Requirements: Custom-type credentials, Org key, Product URL

Carbon Black Cloud Investigate - Observations
  • Description: Redirects you to the Carbon Black Cloud console "Investigate" page and filters observations by the selected event ID.
  • Available on columns: Event ID (custom)
  • Requirements: Product URL, Carbon Black Cloud access

Carbon Black Cloud Search - Devices
  • Description: Redirects you to the Carbon Black Cloud console "Inventory > Endpoints" or "Inventory > VM Workload" page and filters devices by the specified criteria.
  • Available on columns: All IP columns, Device ID (custom)
  • Requirements: Product URL, Carbon Black Cloud access

Dismiss alert
  • Description: Dismisses the specified alert in Carbon Black Cloud.
  • Available on columns: Alert ID (custom)
  • Requirements: Custom-type credentials, Org key, Product URL

Enable or disable bypass
  • Description: Enables or disables all policy enforcement on the device and enables/disables sending data from the sensor to the Carbon Black Cloud. While in bypass the device is neither protected nor reporting, so use this action deliberately.
  • Available on columns: Device ID (custom)
  • Requirements: Custom-type credentials, Org key, Product URL

Get Process Details (new for v.2.2.0)
  • Description: Opens a pop-up that displays the information for the process.
  • Available on columns: Process GUID (custom)
  • Requirements: Custom-type credentials, Org key, Product URL

Quarantine or unquarantine a device
  • Description: Quarantines or unquarantines the specified device. When quarantined, the device can only communicate with Carbon Black Cloud until it is unquarantined, which prevents suspicious activity and malware on it from affecting the rest of your network.
  • Available on columns: Device ID (custom)
  • Requirements: Custom-type credentials, Org key, Product URL

Search observations by this IP on Carbon Black Cloud
  • Description: Redirects you to the Carbon Black Cloud console "Investigate" page and filters observations by the selected IP address.
  • Available on columns: All IP columns
  • Requirements: Product URL, Carbon Black Cloud access

View Alert (new for v.2.2.0)
  • Description: Redirects you to the Carbon Black Cloud console "Investigate" tab with a search query that matches the selected alert ID.
  • Available on columns: Alert ID (custom)
  • Requirements: Custom-type credentials, Org key, Product URL

View device
  • Description: Redirects you to the app's Devices tab and filters devices by the specified criteria.
  • Available on columns: Device ID (custom), All IP columns
  • Requirements: Custom-type credentials, Org key, Product URL
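An added example, not the app's own code, of what the 'Custom' Type Credentials from the setup section and two of the actions above amount to on the wire: the X-Auth-Token header carries "<API Secret Key>/<API ID>", quarantine goes through the Device Actions API (the Device (device.quarantine) EXECUTE permission) and banning a hash goes through the Reputation Override API (the Applications (org.reputations) CREATE permission). The endpoint paths and request bodies follow the public Carbon Black Cloud API reference; verify them against the current reference for your console before relying on them. The product URL, org key and key values are placeholders, and the recording transport stands in for the network so the block runs offline.

```python
import json
import re
import urllib.request

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def is_sha256(value: str) -> bool:
    """True for a 64-hex-character SHA-256, the only hash type the ban action accepts."""
    return bool(SHA256_RE.match(value.strip().lower()))


class CbcClient:
    """Minimal client for the calls behind the quarantine and ban right-click actions."""

    def __init__(self, product_url, org_key, api_id, api_secret, transport=None):
        self.base = product_url.rstrip("/")
        self.org_key = org_key
        # A Custom-type key authenticates with X-Auth-Token: "<API Secret Key>/<API ID>"
        self.token = f"{api_secret}/{api_id}"
        self.transport = transport or self._http_post   # injectable for offline use

    @staticmethod
    def _http_post(url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()

    def _post(self, path, payload):
        headers = {"X-Auth-Token": self.token, "Content-Type": "application/json"}
        return self.transport(self.base + path, headers, json.dumps(payload).encode("utf-8"))

    def set_quarantine(self, device_ids, enable=True):
        """Device Actions API (needs Device (device.quarantine) EXECUTE).
        Takes the Device ID column values, which QRadar hands over as strings."""
        payload = {"action_type": "QUARANTINE",
                   "device_id": [int(d) for d in device_ids],
                   "options": {"toggle": "ON" if enable else "OFF"}}
        return self._post(f"/appservices/v6/orgs/{self.org_key}/device_actions", payload)

    def ban_sha256(self, sha256, filename, description):
        """Reputation Override API (needs Applications (org.reputations) CREATE).
        Rejects MD5 values such as Blocked MD5 or the first entry of a CBC hash array."""
        if not is_sha256(sha256):
            raise ValueError("ban requires a SHA-256 (64 hex characters)")
        payload = {"override_list": "BLACK_LIST", "override_type": "SHA256",
                   "sha256_hash": sha256.strip().lower(),
                   "filename": filename, "description": description}
        return self._post(f"/appservices/v6/orgs/{self.org_key}/reputations/overrides", payload)


class RecordingTransport:
    """Stands in for the network so the example runs offline; records what would be sent."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, headers, body):
        self.calls.append({"url": url, "headers": headers, "body": json.loads(body)})
        return 200, b"{}"


def demo():
    transport = RecordingTransport()
    # Placeholder values (assumptions): the product URL, org key and key material are not real.
    client = CbcClient("https://defense.example.com/", "ABCD1234", "ID123", "SECRETXYZ",
                       transport=transport)
    client.set_quarantine(["1001"], enable=True)
    client.ban_sha256("E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
                      "evil.exe", "Banned from the QRadar right-click action")
    return transport.calls


if __name__ == "__main__":
    for call in demo():
        print(call["url"], json.dumps(call["body"]))
```

To run it against a real tenant, drop the transport argument so urllib sends the requests; the X-Auth-Token value is the secret that the privileged-credential note in the setup section is about.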

Add a Custom Column

The steps below explain how to add a custom column for accessing right-click actions in the “Log Activity” page.

1. Open your QRadar console, navigate to the "Log Activity" page, click "Search", then "Edit Search".

2. Scroll down to the "Column Definition" section and type or find the desired column. Select it, then click the arrow button to add it, and finally click "Search".

3. The new column will now be available in the Log Activity page.



Viewing App Logs

The app runs in a Docker container with its own logs, separate from QRadar's. For app-specific issues (cannot connect, a specific page broken, etc.), log into the shell of the app container to inspect the logs. For details about logging, go to IBM's Troubleshooting Guide.


Additional Guides

Create Syslog Log Source

1. Open your QRadar console and navigate to Admin > QRadar Log Source Management.

2. In the popup window, click "Log Sources".

3. Click "+New Log Source" button.

4. Select "Single Log Source".

5. In the search field, enter "Carbon Black Cloud" and select it, then click "Step2: Select Protocol Type".

6. In the search field, enter "Syslog" and select it, then click "Step3: Configure Log Source Parameters".

7. Enter a unique "Name" and optionally you can change any of the predefined parameters per your needs.

Note: Coalescing Events is enabled by default. With coalescing, multiple very similar events emitted by a log source within a short time span are aggregated into a single event whose event count reflects the number of events aggregated. Leaving it enabled reduces the storage cost of events; disable it if you want a separate event in QRadar for each alert.

8. Click "Step4: Configure Protocol Parameters":

9. Enter a unique "Log Source Identifier" and click "Finish".

10. Click "Deploy Changes" in the notification pop-up under the Admin tab for the changes to take effect.

11. Enter the "Log Source Identifier" from step 9 in Carbon Black Cloud > Settings > Configuration.



Increase TCP Syslog max payload size

QRadar's TCP Syslog max payload size defaults to 4096 bytes. Some alerts exceed 4 KB and are not logged correctly at that limit, so increase it to at least double the default and ideally to 32000.



1. Open your QRadar console and navigate to Admin > System Settings.

2. Click "Switch to: Advanced" button.

3. Find "Max TCP Syslog Payload Length", increase its value to the recommended 32000, then click "Save".



Multi-Tenancy

Multitenant environments allow Managed Security Service Providers (MSSPs) and multi-divisional organizations to provide security services to multiple client organizations from a single, shared IBM® QRadar® deployment. You don't have to deploy a unique QRadar instance for each customer. In a multitenant deployment, you ensure that customers see only their data by creating domains based on their QRadar input sources. Then, use security profiles and user roles to manage privileges for large groups of users within the environment. Security profiles and user roles ensure that users have access to only the information they are authorized to see.

To learn how to set up your multitenant environment, follow IBM's Multitenant management.



Last modified on July 17, 2024