If you ingest Alert data through the API, you can control what types of alerts are pulled in.
Note:
- If you stream alerts in by using Data Forwarder, do not enable any of the alert types or you will receive duplicates.
- If you are ingesting alerts by using the Built-in API Input (Syslog), we strongly recommend increasing QRadar's Max TCP payload size. Due to its low default value, the app might not otherwise ingest some alerts correctly. See Increase TCP Syslog Max Payload Size for IBM QRadar.
Procedure
- Open the Carbon Black Cloud app in the QRadar console.
- Go to Settings > Data.
- In the Alerts section, configure the following settings:
Minimum Alert Severity - Control the severity of the alerts being pulled in. For example, specifying 4 will pull alerts with a severity of 4 or higher.CB Analytics Alerts - Toggle this setting to Enabled to ingest CB_ANALYTICS alerts. This capability requires Carbon Black Cloud Endpoint Standard.Container Runtime Alerts - Toggle this setting to Enabled to ingest CONTAINER_RUNTIME alerts. This capability requires Carbon Black Container.Device Control Alerts - Toggle this setting to Enabled to ingest DEVICE_CONTROL alerts. This capability requires Carbon Black Cloud Endpoint Standard.Host-Based Firewall Alerts - Toggle this setting to Enabled to ingest HOST_BASED_FIREWALL alerts. This capability requires the Carbon Black Cloud Endpoint Standard Host-Based Firewall add-on.Intrusion Detection System Alerts - Toggle this setting to Enabled to ingest INTRUSION_DETECTION_SYSTEM alerts. This capabililty requires the Carbon Black Cloud Enterprise EDR XDR extension.Watchlist Alerts - Toggle this setting to Enabled to ingest WATCHLIST alerts. This capability requires Carbon Black Cloud Enterprise EDR.
- In the Audit Logs section, enable or disable ingesting Audit Logs.
- Click Save.
