Carbon Black
The IBM QRadar DSM for Carbon Black collects endpoint protection events from a Carbon Black server.
The following table describes the specifications for the Carbon Black DSM:
Specification | Value |
---|---|
Manufacturer | Carbon Black |
DSM name | Carbon Black |
RPM file name | DSM-CarbonBlackCarbonBlack-QRadar_version-build_number.noarch.rpm |
Supported versions | 5.1 and later |
Protocol | Syslog |
Recorded event types | Watchlist hits |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | Carbon Black website (https://www.carbonblack.com/products/cb-response/) |
To integrate Carbon Black with QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
  - Carbon Black DSM RPM
  - DSMCommon RPM
- Configure your Carbon Black device to send syslog events to QRadar.
- If QRadar does not automatically detect the log source, add a Carbon Black log source on the QRadar Console. The following table describes the parameters that require specific values for Carbon Black event collection:

Table 2. Carbon Black log source parameters

Parameter | Value |
---|---|
Log Source type | Carbon Black |
Protocol Configuration | Syslog |