The Devices tab in the Carbon Black Cloud app for QRadar provides an overview of the active devices reporting event data to the Carbon Black Cloud. You can view information such as OS version, active policy, sensor version, and more. You can also update the policy that is applied to a device.

See also Devices API.

To use this feature, you must configure the following fields on the Settings > Configuration page in the QRadar console:

  • Product URL
  • Org Key
  • Custom Type Credentials

Note: You do not need admin privileges to access the Devices tab.

Devices Overview

You can use the Query Devices search field to narrow the displayed list of devices. The search field supports both key-value and value-only searches. A value-only search looks for the input keyword in all parameters. Multiple space-separated values can be queried within a single search. Example: 'last_external_ip_address:10.10.10.10' or '10.10.10.10'.

Supported keys are:

  • status
  • os
  • last_external_ip_address
  • last_internal_ip_address
  • name
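
The difference between the two search forms matters when hunting for an IP address: a value-only term can match a device on any field, while a keyed term is limited to one. The following Python sketch is an added illustration, not code from the app or from Carbon Black. It assumes that space-separated terms are combined with AND and that values are compared as case-insensitive exact matches (the page states neither), and it runs over constructed sample devices.

```python
# Added illustration of the documented query syntax; not the app's own code.
SUPPORTED_KEYS = {"status", "os", "last_external_ip_address",
                  "last_internal_ip_address", "name"}

# Constructed sample inventory (not real devices).
DEVICES = [
    {"name": "WS-001", "os": "WINDOWS", "status": "ACTIVE",
     "last_external_ip_address": "10.10.10.10",
     "last_internal_ip_address": "192.168.1.5"},
    {"name": "SRV-002", "os": "LINUX", "status": "ACTIVE",
     "last_external_ip_address": "203.0.113.7",
     "last_internal_ip_address": "10.10.10.10"},
    {"name": "WS-003", "os": "WINDOWS", "status": "INACTIVE",
     "last_external_ip_address": "203.0.113.9",
     "last_internal_ip_address": "192.168.1.9"},
]

def parse_query(query):
    """Split a query into (key, value) terms; key is None for value-only terms."""
    terms = []
    for token in query.split():
        key, sep, value = token.partition(":")
        if sep and key in SUPPORTED_KEYS and value:
            terms.append((key, value))
        else:
            # No colon, or an unsupported key (e.g. an IPv6 literal):
            # treat the whole token as a value-only term (assumption).
            terms.append((None, token))
    return terms

def term_matches(device, key, value):
    """Keyed terms check one field; value-only terms check every field."""
    fields = [key] if key else list(device)
    return any(str(device.get(f, "")).lower() == value.lower() for f in fields)

def search(devices, query):
    """Return names of devices matching all terms (AND is an assumption)."""
    terms = parse_query(query)
    return [d["name"] for d in devices
            if all(term_matches(d, k, v) for k, v in terms)]
```

With this sample data, the keyed query returns only the device whose external address is 10.10.10.10, while the value-only query also returns the device that has the same address internally.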

Device Details

To access details about each sensor's configuration, click the device name on each row.

View device details

Change Device Security Policy

To change the security policy that is applied to the device, click the Policy dropdown list and select the policy. Click OK to verify the change. It can take a few minutes for the change to be applied in both systems.