The Carbon Black Cloud App for IBM QRadar allows administrators to leverage the industry's leading cloud-based, next-generation anti-virus solution to prevent malware and non-malware attacks.
This integration gives administrators access to the alerts, audit logs, and events exposed through the Data Forwarder and the Alerts and Audit Logs APIs for Carbon Black Cloud, in addition to device, process, and event information through the optional use of other Carbon Black Cloud APIs.
The Carbon Black Cloud app for IBM QRadar contains two components:
- Carbon Black Cloud Log Source Type—normalizes Carbon Black Cloud data into a format that QRadar can index.
- Carbon Black Cloud App for IBM QRadar—lets you configure a connection to the Carbon Black Cloud and monitor Carbon Black Cloud devices from the QRadar platform.
Before you get started
To determine which log source inputs to use, consider what data you want to pull into QRadar. You can pull in Carbon Black Cloud alerts, audit logs, endpoint events, or device data.
To determine which permissions you will need, consider which of the following response actions you want to take on that data:
- Add or remove an IOC from a watchlist
- Ban a process hash
- Dismiss an alert
- Enable or disable bypass
- Get process details
- Pivot into the Carbon Black Cloud to investigate Observations
- Pivot into the Carbon Black Cloud to search for Devices
- Quarantine or unquarantine a device
- Search observations by IP address on Carbon Black Cloud
- View alert
- View device details