This topic provides release note information for the Carbon Black Cloud app for IBM QRadar.

Version 2.3.0

Important: This update must be made before 31 July 2024. App Versions prior to 2.3.0 use APIs and Data Forwarder Schema versions that will be deactivated on 31 July 2024. For complete information about API Deactivations see API and Schema Migration.

Before you upgrade to 2.3.0

  • QRadar versions 7.5.0 UP3+ are supported. The app will not install on older QRadar versions.
  • App was migrated to use Alerts v7 instead of Alerts v6. Some fields in the earlier versions have been renamed or removed from the new versions.
  • An additional permission is needed to close alerts (Background Tasks - jobs.status - READ).
  • API Key with an Access Level type Custom is used to poll Audit Logs (Audit Logs (org.audits) - READ). Note that after the update is done, three days of audit log history will be ingested; thus, audit log duplicates can be expected.
  • If you are using the Data Forwarder to ingest events, you must:
    1. Create a Data Forwarder Alert v2 Schema with a different AWS S3 Bucket prefix and enable it. Doing this first ensures that no alerts are missed.
    2. Disable the Alerts Forwarder using v1 Schema.
    3. Wait for the ingest of Alerts with v1 Schema to complete.
    4. Disable the old Log Source.
    5. Update the Carbon Black Cloud app for QRadar.
    6. Create a new Log Source that uses the new Data Forwarder and then enable it.
    7. Verify that alerts are ingested correctly.

After you upgrade to 2.3.0

If you are using the Data Forwarder Alerts Input, reconfigure the AWS SQS queue to consume the Alert v2 schema data.

Note: There can be duplicate data for the period during which both Data Forwarders are running.

New Features

  • Transitioned exclusively to API Keys with an Access Level Type Custom for authentication, thereby simplifying API Key configuration. To continue to poll Audit Logs, you must add additional permission in your Custom Key (Audit Logs (org.audits) - READ).
  • App updated to support Alerts v7 API and Data Forwarder Alert Schema v2.
  • Improved alert polling algorithm now processes alerts in batches of 10,000, reducing memory usage and enhancing performance.
  • Right-click actions for searching observations by IP address and viewing alerts now redirect users to the Investigate page that is using the Observations API, facilitating the migration process from the Enriched Events Search API.

Resolved Issues

  • Resolved issue causing unintended retransmission of old messages, enhancing system logging reliability by preventing message duplication.
  • Enhanced logging functionality to provide clearer error messages for failed syslog message transmissions.
  • Improved file reading mechanism to ensure accurate processing of syslog messages.
  • Added pagination support for improved device retrieval efficiency.
  • Fixed issue: Devices Tab now shows all devices when search field is empty.
  • Upgraded packages to fix vulnerabilities.

Version 2.2.1

Before you upgrade to 2.2.1

QRadar versions 7.4.3 FP8+ and 7.5.0 UP3+ are supported. The app will not install on older QRadar versions.

Resolved Issues

  • Fixed an issue where alerts and audit logs were sent with a delay in setups with a low volume of security events.
  • Fixed an application crash due to an out-of-memory problem under high load, which prevented the app from forwarding alerts.
  • Fixed application crash when the console or apphost were down for a long time in setups with high volumes of security events.
  • Updated app dependencies due to security vulnerabilities in the versions used.

Known Issues

Support for Squid proxy server is broken for https proxying. Users are advised to switch to http proxying or a different proxy server.

Version 2.2.0

Before you upgrade to 2.2.0

Before you upgrade from 2.1.1 to 2.2.0, go to the Carbon Black Cloud console and add two more permissions in your Custom Key:

  • Policies (org.policies) - READ
  • Events (org.search.events) - READ

New Features

  • Refresh of the user interface for configuration of the app:
    • New design and validations.
    • When selecting Settings > Configuration, requests are triggered to check the validity. If there is something wrong with the credentials, the Device API, or the Alerts API, validation errors display.
  • Update of admin privileges:
    • Carbon Black Cloud > Settings > Configuration is hidden behind admin privileges.
    • Everything else, including the Devices tab, is accessible without admin privileges.
  • There are two new right-click actions: Get Process Details and View Alert. This requires changes to the permissions on the custom API key, as described in Before you upgrade to 2.2.0.
  • Use the Policy Service API to pull policies. This requires changes to the permissions on the custom API key, as described in Before you upgrade to 2.2.0.
  • Added Reset Configuration and Test Configuration functionalities.
  • Added Custom Event Collector IP input field under Settings > App Configuration to provide a way to configure Custom Event Collector.
  • Support for parsing additional fields for Watchlist Hits.
  • Upgrade of the Python SDK version.

Resolved Issues

  • Fixes to the poll procedure.
  • Removed redundant logging of proxy errors when the proxy is not enabled.
  • Alerts are now resent when an IO error occurs.
  • Added validation of query parameters for right-click actions.
  • Upgraded a few packages due to vulnerabilities.

Documentation Updates

Because of the major rewrite of the UI and some functionalities, we created a copy of the documentation to preserve previous user guides for anyone who is still using previous versions. However, we highly recommend upgrading to the latest version.

Version 2.1.1

  • New way of validating the API key.
  • Upgrade of a few packages whose previous versions had reported vulnerabilities.

Version 2.1.0

Before you upgrade to 2.1.0

Go to Admin > Custom Event Properties, search for Process GUID, and manually delete all of the mappings.

New Features

  • Multi-tenancy
  • Ability to add custom Log Source Identifier
  • Ability to toggle Audit Logs ON or OFF

User Interface Changes

  • Added Log Source Identifier input field under Settings > App Configuration.
  • Added Audit Logs toggle under Settings > Data.

Resolved Issues

  • The help tooltips on the Settings pages were displayed only on mouse-hover over the ? icon.
  • A small number of alerts were not ingested into QRadar due to an app issue.
  • Product URL under Settings > App Configuration was not handling trailing slash.
  • Watchlist Alerts cannot be enabled if Carbon Black Cloud Enterprise EDR is not active. Carbon Black Cloud Enterprise EDR is required for receiving Watchlist Alerts.

Version 2.0.0

New Features

  • Data Input - CB_ANALYTICS (Alerts)
  • Data Input - DEVICE_CONTROL (Alerts)
  • Data Input - WATCHLIST (Alerts)
  • Data Input - Data Forwarder (Alerts and Endpoint.Events)
  • Right-click action - Hash Ban

User Interface Changes

  • Admin menu renamed to Settings.
  • System Overview menu renamed to Devices.
  • Carbon Black Cloud App Configuration menu renamed to App Configuration.
  • Admin > Proxy Settings menu moved to Settings > App Configuration.
  • Admin > Misc Settings > Polling moved to Settings > Data.

Known Issues

  • The Settings tab is bolded as active after a Right-click action redirection from Log Activity > View Device, when the active tab should be Devices (fixed in v2.2.0).
  • After the app upgrade from v1, the old log source will not pick up the new data (alerts, audit logs). Instead, a new log source must be created - either manually or via auto-detection.
  • The help tooltips on the Settings pages display only on mouse-hover over the ? icon.
  • Filled-in values cannot be changed back to empty for the app configuration properties (Product URL, Org Key, API ID, API Secret Key, Proxy URL, Proxy Username, Proxy Password). (Reset Configuration button is added in v.2.2.0.)
  • Log Source Time is a datetime field that is mapped to different date formats depending on the type of alerts/events and the log source that is used. In some rare cases, however, the datetime cannot be parsed correctly; the time at which the event arrived at QRadar is then used instead. For example: device_timestamp = '2021-11-09 11:52:00 +0000 UTC' cannot be parsed using the format yyyy-MM-dd HH:mm:ss.SSS +0000 'UTC' (missing milliseconds), while device_timestamp = '2021-11-09 11:52:00.1 +0000 UTC' and device_timestamp = '2021-11-09 11:52:00.123 +0000 UTC' are parsed correctly.
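The datetime behaviour described in the last item, as an added example that is not part of the original release notes or of the app's own code: a Python parser that reproduces the documented behaviour (fractional seconds required, otherwise the QRadar arrival time is substituted) beside a tolerant variant that keeps the device time for whole-second values, which matters when building forensic timelines from Log Source Time. The pattern names, the sample arrival time and the decimal interpretation of the fraction are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# QRADAR_LIKE mirrors the behaviour described in the known issue above: the
# fractional-seconds part is mandatory, so "11:52:00 +0000 UTC" is rejected
# while ".1" and ".123" are accepted.
QRADAR_LIKE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.(\d{1,9}) \+0000 UTC$")
# TOLERANT makes the fraction optional, so whole-second device timestamps keep
# their true device time instead of falling back to QRadar arrival time.
TOLERANT = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))? \+0000 UTC$")

def _to_datetime(base: str, fraction: Optional[str]) -> datetime:
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    if fraction:
        # Assumption: the fraction is a decimal fraction of a second (".1" = 100 ms);
        # the page does not state how QRadar interprets fewer than three digits.
        dt = dt.replace(microsecond=int(fraction.ljust(6, "0")[:6]))
    return dt

def parse_device_timestamp(value: str, pattern=TOLERANT) -> Optional[datetime]:
    """Return the device time, or None when the value does not match `pattern`."""
    m = pattern.match(value.strip())
    return _to_datetime(m.group(1), m.group(2)) if m else None

def log_source_time(value: str, arrival: datetime, pattern=QRADAR_LIKE) -> Tuple[datetime, bool]:
    """Return (time used for Log Source Time, True if the arrival-time fallback was taken)."""
    parsed = parse_device_timestamp(value, pattern)
    return (parsed, False) if parsed else (arrival, True)

# Constructed samples taken from the three device_timestamp values quoted above.
SAMPLES = [
    "2021-11-09 11:52:00 +0000 UTC",
    "2021-11-09 11:52:00.1 +0000 UTC",
    "2021-11-09 11:52:00.123 +0000 UTC",
]

def fallback_report(values=SAMPLES, arrival: Optional[datetime] = None) -> dict:
    """Map each raw value to whether QRadar-like parsing would fall back to arrival time."""
    arrival = arrival or datetime(2021, 11, 9, 12, 0, 0, tzinfo=timezone.utc)
    return {v: log_source_time(v, arrival)[1] for v in values}

if __name__ == "__main__":
    for v, fell_back in fallback_report().items():
        print(f"{v}: {'arrival time substituted' if fell_back else 'device time kept'}")
```

Running the report over exported events tells you which records carry QRadar arrival time rather than device time, so those timestamps can be treated with appropriate caution during an investigation.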

Version 1.0.0

Initial release.