You can run the following actions by right-clicking certain columns on the Log Activity page in the Carbon Black Cloud app for QRadar. Each action may require additional configuration in the Carbon Black Cloud app under Settings > Configuration or Settings > Actions; the Requirements column lists what each action needs.
Note:
Some right-click actions are available from custom columns that are not displayed by default. See Add a Custom Column for Right-Click Actions in IBM QRadar.
Action | Description | Available on columns | Requirements |
---|---|---|---|
Add or remove IOC from watchlist | Adds the selected IOCs to, or removes them from, a specified report in a watchlist (the change may take a few minutes to apply across both systems). | All IP and Port columns, File Hash (custom), Parent Hash (custom), Process Hash (custom), Target Hash (custom) | Custom-type credentials, Org key, Product URL, Report prefix, Watchlist name |
Ban process hash | Bans the selected SHA-256 hash so that Carbon Black Cloud blocks execution of any file with that hash. | File Hash (custom), Process Hash (custom), Parent Hash (custom), Target Hash (custom) | Custom-type credentials, Org key, Product URL |
Carbon Black Cloud Investigate - Observations | Redirects you to the Carbon Black Cloud console Investigate page, filtered to observations for the selected event ID. | Event ID (custom) | Product URL, Carbon Black Cloud access |
Carbon Black Cloud Search - Devices | Redirects you to the Carbon Black Cloud console Inventory > Endpoints or Inventory > VM Workload page, filtered to devices matching the selected value. | All IP columns, Device ID (custom) | Product URL, Carbon Black Cloud access |
Dismiss alert | Dismisses the selected alert in Carbon Black Cloud. | Alert ID (custom) | Custom-type credentials, Org key, Product URL |
Enable or disable bypass | Puts the device's sensor into bypass mode, or takes it out again. While bypassed, the sensor enforces no policy and sends no data to Carbon Black Cloud, so the device is neither protected nor monitored until bypass is disabled. | Device ID (custom) | Custom-type credentials, Org key, Product URL |
Get Process Details | Opens a pop-up window with the details of the process identified by the selected process GUID. | Process GUID (custom) | Custom-type credentials, Org key, Product URL |
Quarantine or unquarantine a device | Quarantines or unquarantines the selected device. While quarantined, the device can communicate only with Carbon Black Cloud, which stops suspicious activity and malware on it from affecting the rest of your network. | Device ID (custom) | Custom-type credentials, Org key, Product URL |
Search observations by this IP address on Carbon Black Cloud | Redirects you to the Carbon Black Cloud console Investigate page, filtered to observations involving the selected IP address. | All IP columns | Product URL, Carbon Black Cloud access |
View Alert | Redirects you to the Carbon Black Cloud console Investigate page with a search query that matches the selected alert ID. | Alert ID (custom) | Custom-type credentials, Org key, Product URL |
View device | Redirects you to the app's Devices tab, filtered to devices matching the selected value. | Device ID (custom), All IP columns | Custom-type credentials, Org key, Product URL |
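The response actions in the table (quarantine, bypass, ban hash) are one click in QRadar, but each one is an authenticated call to Carbon Black Cloud made with the custom-type credentials, org key and product URL listed under Requirements. The following Python helper is an added example, not code from the QRadar app or from Carbon Black; it builds those requests so you can see what is sent and validate the inputs before anything is executed. It assumes the Carbon Black Cloud Device Actions endpoint (`/appservices/v6/orgs/{org_key}/device_actions`, with `action_type` QUARANTINE or BYPASS and a `toggle` option) and the Reputation Override endpoint (`/appservices/v6/orgs/{org_key}/reputations/overrides`) with an `X-Auth-Token: <secret>/<id>` header; the hostname, org key and credentials are placeholders.

```python
import json
import re
import urllib.request
from dataclasses import dataclass

# A banned hash must be a full SHA-256 digest; a short or malformed value
# would be rejected by Carbon Black Cloud, so refuse it before sending.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


@dataclass(frozen=True)
class CbcConfig:
    product_url: str   # placeholder, e.g. "https://defense.example.invalid"
    org_key: str       # placeholder org key
    api_id: str        # custom-type API key ID (placeholder)
    api_secret: str    # custom-type API key secret (placeholder)

    def headers(self):
        # Assumption: custom-type keys authenticate as "X-Auth-Token: <secret>/<id>".
        return {"X-Auth-Token": f"{self.api_secret}/{self.api_id}",
                "Content-Type": "application/json"}

    def url(self, path):
        return f"{self.product_url.rstrip('/')}/appservices/v6/orgs/{self.org_key}/{path}"


def _device_action(cfg, action_type, device_id, enable):
    """Build a Device Actions request that toggles QUARANTINE or BYPASS on one device."""
    if not isinstance(device_id, int) or device_id <= 0:
        raise ValueError(f"device_id must be a positive integer, got {device_id!r}")
    return {
        "method": "POST",
        "url": cfg.url("device_actions"),
        "headers": cfg.headers(),
        "body": {
            "action_type": action_type,
            "device_id": [device_id],
            "options": {"toggle": "ON" if enable else "OFF"},
        },
    }


def quarantine_request(cfg, device_id, enable=True):
    # ON: the device can talk only to Carbon Black Cloud; OFF: unquarantine.
    return _device_action(cfg, "QUARANTINE", device_id, enable)


def bypass_request(cfg, device_id, enable=True):
    # ON: no policy enforcement and no sensor data; the device is unprotected
    # and unmonitored until bypass is turned OFF again.
    return _device_action(cfg, "BYPASS", device_id, enable)


def ban_hash_request(cfg, sha256, description):
    """Build a Reputation Override request that bans a SHA-256 hash org-wide."""
    if not SHA256_RE.match(sha256):
        raise ValueError("ban requires a 64-hex-character SHA-256 hash")
    return {
        "method": "POST",
        "url": cfg.url("reputations/overrides"),
        "headers": cfg.headers(),
        "body": {
            "override_list": "BLACK_LIST",
            "override_type": "SHA256",
            "sha256_hash": sha256.lower(),
            "description": description,
        },
    }


def send(req, timeout=30):
    """Send a prepared request and return the decoded JSON response (network call)."""
    data = json.dumps(req["body"]).encode()
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    cfg = CbcConfig("https://defense.example.invalid", "ORGKEY1", "ID", "SECRET")
    # Dry run: show the quarantine payload without sending it.
    print(json.dumps(quarantine_request(cfg, 1234)["body"], indent=2))
```

Reviewing the built request before calling `send` is the point: a bypass toggled ON by mistake silently removes both protection and telemetry from the device, and a mistyped hash must fail validation rather than reach the banned list.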