Carbon Black
The IBM QRadar DSM for Carbon Black collects endpoint protection events from a Carbon Black server.
The following table describes the specifications for the Carbon Black DSM:
| Specification | Value |
|---|---|
| Manufacturer | Carbon Black |
| DSM name | Carbon Black |
| RPM file name | DSM-CarbonBlackCarbonBlack-QRadar_version-build_number.noarch.rpm |
| Supported versions | 5.1 and later |
| Protocol | Syslog |
| Recorded event types | Watchlist hits |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | Carbon Black website (https://www.carbonblack.com/products/cb-response/) |
To integrate Carbon Black with QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
  - Carbon Black DSM RPM
  - DSMCommon RPM
- Configure your Carbon Black device to send syslog events to QRadar.
- If QRadar does not automatically detect the log source, add a Carbon Black log source on the QRadar Console. The following table describes the parameters that require specific values for Carbon Black event collection:

Table 2. Carbon Black log source parameters

| Parameter | Value |
|---|---|
| Log Source type | Carbon Black |
| Protocol Configuration | Syslog |