Carbon Black Cloud data does not display in the Log Activity tab when using the built-in type of importing records, even though contact has been made.

  • Check that the API key is of the correct Access Level type. See Set up Built-in API Input for IBM QRadar.
  • Check that the Custom Access Level Type has the necessary permissions. See Set up Built-in API Input for IBM QRadar.
  • Check that Polling under the Settings > Data tab is enabled.
  • Make sure that the respective alerts types under the Settings > Data tab are enabled:
    • CB Analytics
    • Container Runtime
    • Device Control
    • Host Based Firewall
    • Intrusion Detection System
    • Watchlist

    Data input must be enabled

  • If you use the Built-in input, make sure that Minimum Successful Events for Autodetection in the Log Source Type configuration is set low enough. See Configure the Log Source for IBM QRadar.

    Set Minimum Successful Events for Autodetection to a low number

  • After the app makes contact with the Carbon Black Cloud, it will start polling data. It might take a few minutes until QRadar starts recognizing the incoming records as Carbon Black Cloud data. All data polled in the interim will be displayed in the Log Activity page as an Unknown log event collected by SIM Generic Log DSM-7.