This method of data ingestion uses Carbon Black Cloud REST APIs to pull data into QRadar.

Supported data and features:

  • Alerts
  • Audit Logs
  • View Device Information
  • Right-click Actions

Requirements:

  • For most customers (non-VMware Cloud Services Platform): Custom Type API Key and ID (for all data inputs and right-click actions)
  • For customers using Carbon Black Cloud on VMware Cloud Services Platform: OAuth App granted a custom role with the necessary permissions (for all data inputs and right-click actions)

See also Authentication.

Pros
Available out of the box without having to configure an AWS S3 bucket
Cons
Container Memory Limit - A sustained burst of alerts combined with low physical memory on the app container can overload the container's memory, which is limited to 10% of the system's physical memory. This delays alert and general data processing. If you experience such symptoms, consider using the Data Forwarder input instead.
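The REST-API pull described above, as an added example that is not part of this page or the QRadar app: it builds the Custom Type API Key and ID credential header, then pages through a time-windowed alert search so that a burst of alerts is handed off one page at a time rather than held in memory at once. The Alerts v7 search path, the `X-Auth-Token` layout and the request body fields are assumptions about the Carbon Black Cloud API, not taken from this page; the HTTP transport is injected and a constructed stand-in is used so it runs offline.

```python
"""Bounded-memory polling of Carbon Black Cloud alerts (added example).
Assumed, not from this page: the Alerts v7 search path and the X-Auth-Token
layout '<API secret key>/<API ID>'. HTTP transport is injected so the paging
logic runs offline."""
from typing import Callable, Dict, Iterator

ALERTS_SEARCH_PATH = "/api/alerts/v7/orgs/{org_key}/alerts/_search"  # assumed


def auth_headers(api_secret: str, api_id: str) -> Dict[str, str]:
    """Custom-type API credentials travel in X-Auth-Token as '<secret>/<id>'."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json"}


def search_body(start_iso: str, end_iso: str, offset: int, rows: int) -> Dict:
    """One page of a time-windowed search; 'start' is the 1-based row offset."""
    return {"time_range": {"start": start_iso, "end": end_iso},
            "rows": rows, "start": offset,
            "sort": [{"field": "backend_timestamp", "order": "ASC"}]}


def iter_alerts(post: Callable[[str, Dict, Dict], Dict], hostname: str, org_key: str,
                api_secret: str, api_id: str, start_iso: str, end_iso: str,
                page_size: int = 200) -> Iterator[Dict]:
    """Yield alerts page by page so a burst never has to fit in memory at once.
    post(url, headers, body) returns decoded JSON; in production it would wrap
    requests.post(url, headers=headers, json=body).json()."""
    url = hostname.rstrip("/") + ALERTS_SEARCH_PATH.format(org_key=org_key)
    headers = auth_headers(api_secret, api_id)
    offset = 1
    while True:
        page = post(url, headers, search_body(start_iso, end_iso, offset, page_size))
        results = page.get("results", [])
        yield from results  # hand each alert to the caller before fetching more
        if not results or offset - 1 + len(results) >= page.get("num_found", 0):
            return
        offset += len(results)


def fake_transport(num_alerts: int) -> Callable[[str, Dict, Dict], Dict]:
    """Constructed stand-in for the API that serves num_alerts synthetic alerts."""
    alerts = [{"id": f"alert-{i}", "severity": 1 + i % 10} for i in range(num_alerts)]

    def post(url: str, headers: Dict, body: Dict) -> Dict:
        first = body["start"] - 1
        return {"num_found": num_alerts, "results": alerts[first:first + body["rows"]]}
    return post
```

Because `iter_alerts` is a generator, the caller can forward each page to QRadar and let it be garbage-collected before the next request, which keeps the working set at roughly `page_size` alerts regardless of burst size.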