This topic describes common use cases for integrating Carbon Black Cloud with IBM QRadar.

Alert Single Pane of Glass

  • Bring all your CB Analytics, Container Runtime, Device Control, Host-Based Firewall, Intrusion Detection System, and Watchlist alerts into QRadar.
  • Investigate alerts, rule out false positives, create QRadar Offenses, and pivot back to Carbon Black Cloud when more details are needed.
  • Respond from QRadar with right-click actions such as ban hash, quarantine device, and dismiss alert.

Required data: alerts

Alert Triage

  • Perform the majority of your NGAV and EDR alert investigation directly from QRadar by pivoting from an alert to the related event data.
  • Summarize key information related to an alert, such as the process cmdline and process behavior.

Required data: alerts, endpoint events

Alert Trends

  • Visualize trends such as alert volume over time, top alerted endpoints, and commonly alerted processes.

Required data: alerts

Endpoint Visibility

  • Identify what’s running across your environment.
  • Summarize the most and least common processes.
  • Audit activity that’s been blocked or terminated by Carbon Black Cloud Endpoint Standard NGAV capabilities.
  • Discover endpoints that have stopped sending data to Carbon Black Cloud.

Required data: endpoint events

Endpoint Inventory

  • Track which endpoints are protected by Carbon Black Cloud.
  • Get detailed metadata about an endpoint, such as sensor version, OS version, last check-in time, bypass state, and quarantine state.

Required data: endpoint events

Carbon Black Cloud Auditing and Change Control

  • Audit which users are logging in to Carbon Black Cloud, from where, and whether the login was flagged.
  • Track changes to Carbon Black Cloud infrastructure, such as policy changes and sensor updates.
  • Monitor high-privilege operations such as Live Response and endpoint bypass.

Required data: audit logs

XDR and Custom Detections

  • Pivot from alerts raised by network tools, such as firewalls, proxies, and IPS/IDS, to the process on the endpoint.
  • If an email security tool detects a possibly malicious file, identify whether any user has opened it and whether Carbon Black Cloud blocked it.
  • Baseline normal behavior: what processes normally run on an endpoint? What processes normally make network connections?

Required data: endpoint events