To set up Built-in API input for IBM QRadar, perform the following procedure.

Procedure

  1. Open the Carbon Black Cloud console.
  2. Use the following RBAC permissions to add an access level as described in Create Access Levels.
    Alerts (org.alerts) - READ Alerts (org.alerts.close) - EXECUTE
    Applications (org.reputations) - CREATE, READ Audit Logs (org.audits) - READ
    Background Tasks (jobs.status) - READ Custom Detections (org.watchlists) - CREATE, READ, UPDATE, DELETE
    Device (device) - READ Device (device.bg-scan) - EXECUTE
    Device (device.bypass) - EXECUTE Device (device.policy) - UPDATE
    Device (device.quarantine) - EXECUTE Events (org.search.events) - CREATE, READ
    Policies (org.policies) - READ Unified Binary Store (ubs.org.sha256) - READ
  3. Click the API Keys tab and click Add API Key.
    1. Enter a Name and an optional description.
    2. In the Access Level Type dropdown list, select Custom.
    3. In the Custom Access Level dropdown list, select the access level you created in Step 2.
    4. Click Save.

      Custom API key

      A pop-up window displays the new API credentials.

      API credentials for new API key

    5. Copy the API ID and API Secret Key and paste them into a plain text editor.
  4. Open the QRadar console.
  5. Go to Carbon Black Cloud > Settings > Configuration.
  6. In the API Credentials section, add the API ID and API Secret Key to their respective fields.

    QRadar console API credentials

  7. Click Save.