Carbon Black Cloud - Endpoint Advanced User Guide.pdf
Copyrights and notices
Copyright © 2011–2020 VMware, Inc. All rights reserved.
Carbon Black is a registered trademark and/or trademark of VMware, Inc. in the United States and other
countries. All other trademarks and product names may be the trademarks of their respective owners.
This document is for use by authorized licensees of Carbon Black’s products. It contains the confidential and
proprietary information of Carbon Black, Inc. and may be used by authorized licensees solely in accordance
with the license agreement and/or non-disclosure agreement governing its use. This document may not be
reproduced, retransmitted, or redistributed, in whole or in part, without the written permission of Carbon
Black. Carbon Black disclaims all liability for the unauthorized use of the information contained in this
document and makes no representations or warranties with respect to its accuracy or completeness. Users
are responsible for compliance with all laws, rules, regulations, ordinances and codes in connection with the
use of the Carbon Black products.
THERE IS NO WARRANTY FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS
OTHERWISE EXPRESSLY STATED IN A WRITTEN END USER LICENSE AGREEMENT BETWEEN CARBON BLACK
AND LICENSEE. THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE SOFTWARE "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK
AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH LICENSEE. SHOULD THE SOFTWARE
PROVE DEFECTIVE, EXCEPT AS OTHERWISE AGREED TO BY CARBON BLACK IN THE APPLICABLE END USER
LICENSE AGREEMENT, LICENSEE ASSUMES THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.
Carbon Black acknowledges the use of the following third-party software in its software product:
Antlr python runtime - Copyright (c) 2010 Terence Parr
Backbone - (c) 2010–2012 Jeremy Ashkenas, DocumentCloud Inc.
Beautifulsoup - Copyright (c) 2004–2015 Leonard Richardson
D3 - Copyright (c) 2010–2015, Michael Bostock
FileSaver - Copyright (c) 2015 Eli Grey.
Detours Professional 3.0 License - Copyright (c) Microsoft Corporation. All rights reserved. Portions are covered by patents owned by Microsoft Corporation.
Heredis - Copyright (c) 2009–2011, Salvatore Sanfilippo and Copyright (c) 2010–2011, Pieter Noordhuis
Java memcached client - Copyright (c) 2006–2009 Dustin Sallings and Copyright (c) 2009–2011 Couchbase, Inc.
Jedis - Copyright (c) 2010 Jonathan Leibiusky
jQuery - Copyright 2005, 2014 jQuery Foundation, Inc. and other contributors
Libcurl - Copyright (c) 1996 - 2015, Daniel Stenberg, daniel@haxx.se.
libfreeimage.a - FreeImage open source image library.
Meld3 - Supervisor is Copyright (c) 2006–2015 Agendaless Consulting and Contributors.
moment.js - Copyright (c) 2011–2014 Tim Wood, Iskren Chernev, Moment.js contributors
MonthDelta - Copyright (c) 2009–2012 Jess Austin
nginx - Copyright (c) 2002–2014 Igor Sysoev and Copyright (c) 2011–2014 Nginx, Inc.
OpenSSL - Copyright (c) 1998–2011 The OpenSSL Project. All rights reserved.
OpenSSL - Copyright (c) 1998–2016 The OpenSSL Project, Copyright (c) 1995–1998 Eric Young, Tim Hudson. All rights reserved.
PolarSSL - Copyright (C) 1989, 1991 Free Software Foundation, Inc.
PostgreSQL - Portions Copyright (c) 1996–2014, The PostgreSQL Global Development Group and Portions Copyright (c) 1994, The Regents of the University of California
PostgreSQL JDBC drivers - Copyright (c) 1997–2011 PostgreSQL Global Development Group
Protocol Buffers - Copyright (c) 2008, Google Inc.
Pyrabbit - Copyright (c) 2011 Brian K. Jones
Python decorator - Copyright (c) 2008, Michele Simionato
Python flask - Copyright (c) 2014 by Armin Ronacher and contributors
Python gevent - Copyright Denis Bilenko and the contributors, http://www.gevent.org
Python gunicorn - Copyright 2009–2013 (c) Benoit Chesneau benoitc@e-engura.org and Copyright 2009–2013 (c) Paul J. Davis paul.joseph.davis@gmail.com
Python haigha - Copyright (c) 2011–2014, Agora Games, LLC All rights reserved.
Python hiredis - Copyright (c) 2011, Pieter Noordhuis
Python html5 library - Copyright (c) 2006–2013 James Graham and other contributors
Python Jinja - Copyright (c) 2009 by the Jinja Team
Python Markdown - Copyright 2007, 2008 The Python Markdown Project
Python ordereddict - Copyright (c) Raymond Hettinger on Wed, 18 Mar 2009
Python psutil - Copyright (c) 2009, Jay Loden, Dave Daeschler, Giampaolo Rodola’
Python psycogreen - Copyright (c) 2010–2012, Daniele Varrazzo daniele.varrazzo@gmail.com
Python redis - Copyright (c) 2012 Andy McCurdy
Python Seasurf - Copyright (c) 2011 by Max Countryman.
Python simplejson - Copyright (c) 2006 Bob Ippolito
Python sqlalchemy - Copyright (c) 2005–2014 Michael Bayer and contributors. SQLAlchemy is a trademark of Michael Bayer.
Python sqlalchemy-migrate - Copyright (c) 2009 Evan Rosson, Jan Dittberner, Domen Kozar
Python tempita - Copyright (c) 2008 Ian Bicking and Contributors
Python urllib3 - Copyright (c) 2012 Andy McCurdy
Python werkzeug - Copyright (c) 2013 by the Werkzeug Team, see AUTHORS for more details.
QUnitJS - Copyright (c) 2013 jQuery Foundation, http://jquery.org/
RabbitMQ - Copyright (c) 2007–2013 GoPivotal, Inc. All Rights Reserved.
redis - Copyright (c) by Salvatore Sanfilippo and Pieter Noordhuis
Rekall - Copyright (c) 2007-2011 Volatile Systems, Copyright (c) 2013-2016 Google Inc. All Rights Reserved.
Simple Logging Facade for Java - Copyright (c) 2004–2013 QOS.ch
Six - Copyright (c) 2010–2015 Benjamin Peterson
Six - yum distribution - Copyright (c) 2010–2015 Benjamin Peterson
Spymemcached / Java Memcached - Copyright (c) 2006–2009 Dustin Sallings and Copyright (c) 2009–2011 Couchbase, Inc.
Supervisord - Supervisor is Copyright (c) 2006–2015 Agendaless Consulting and Contributors.
Underscore - (c) 2009–2012 Jeremy Ashkenas, DocumentCloud Inc.
Zlib - Copyright (c) 1995–2013 Jean-loup Gailly and Mark Adler
Permission is hereby granted, free of charge, to any person obtaining a copy of the above third-party
software and associated documentation files (collectively, the "Software"), to deal in the Software without
restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notices and this permission notice shall be included in all copies or substantial portions
of the Software.
THE SOFTWARE LISTED ABOVE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Carbon Black, Inc.
1100 Winter Street, Waltham, MA 02451 USA
Tel: 617.393.7400 Fax: 617.393.7499
Email: support@carbonblack.com
Web: http://www.carbonblack.com
Dashboard
The dashboard provides a high-level overview of your environment and enables you to quickly navigate to
items of interest. You can customize the dashboard tiles and display data for specific time periods and
policies.
About dashboard widgets
Customize your dashboard
About dashboard widgets
Attacks Stopped
Potentially Suspicious Activity
Attack Stages
Attacks by Vector
Endpoint Health
Top Alerted Devices
Top Alerted Applications
Attacks Stopped
A summary of attacks that were stopped within the specified time frame and policy, due to a policy setting.
Click any attack type to open the Alerts page for that type of attack.
Non-Malware: Processes that were stopped due to your local banned list or malicious behavior,
including dual-use files and tools. This includes the case where the reputation is good (for example, a
PowerShell or Winword.exe file), but it is behaving badly.
Potential Malware: Processes that could be a vessel for malware but do not have a reputation for
malicious behavior. This could include MSBuild, InstallUtil, MSHTA.exe, and others.
Malware: Files identified as having no purpose other than performing malicious actions on an
endpoint for the benefit of an attacker.
PUPs: Potentially Unwanted Programs. In the best case, PUPs produce annoying results (delivering
popup ads), but are sometimes used to deliver malware.
Potentially Suspicious Activity
A summary of activities that were detected but were not stopped during the specified time frame and policy
because of certain policy rules. Click any of the event types on the widget to open the Alerts page for the
selected type of event.
Attack Stages
Click any bar in the Attack Stages bar graph to access the Alerts page and view more details about the
associated alerts.
Reconnaissance: Research, identify, and select targets.
Weaponize: Create a deliverable payload.
Delivery/Exploitation: Deliver and initiate code.
Install/Run: Install a backdoor to allow persistent access.
Command/Control: Communicate with the code from an external device.
Execute Goal: Achieve objective.
Attacks by Vector
The vectors through which attacks occurred within the specified time frame and policy. Click any percentage
to open the Alerts page for the selected type of vector.
Only attacks with known vectors are displayed in this widget; all attacks with unknown vectors are omitted
from the display. Attacks with unknown vectors are still counted in the percentage calculations, so the
displayed percentages may total less than 100%.
Endpoint Health
The status of sensors on the endpoints. Click any status to go to the Endpoints page and view the deployed
sensors that are in the selected state. Red text indicates that a sensor might require some action.
Active: Sensor has checked in within the last 30 days
Inactive: Sensor has not checked in within the last 30 days
Deregistered: Sensor was uninstalled. It will persist on Endpoints as a deregistered device until
removed
Eligible for update: Sensor can be updated to a more current version
Quarantined: Sensor is isolated from affecting your network with malware or other suspicious activity
Bypass: Sensor is not sending data to the cloud or is placed here temporarily during an update
Top Alerted Devices
A list of the devices that have received the most alerts within the specified time frame.
Top Alerted Applications
A list of the applications that have received the most alerts within the specified time frame.
Customize your dashboard
Configure dashboard widgets
You can add, remove, resize, and drag and drop to rearrange widgets on the dashboard.
To configure your dashboard
1. Click Configure Dashboard.
To remove a widget, click the red circle on the widget.
To add a widget, click More Widgets and select a widget to drag and drop onto the dashboard.
2. Click Save Configuration.
Filter data on dashboard
Data in the dashboard can be filtered by:
Time frame: Set the time frame to view data specifically during that window. Select an existing
window or create a custom one. Selecting All available from the dropdown will display the last 13
months of data, if available.
Note: The Endpoint Health widget is not affected by the time window and optional data filtering.
Alert severity: Set the severity score to show only a certain range of values. The default value is 3. All
alerts with the selected or higher severity score will display.
Group alerts: Set Group alerts to ON or OFF to view like alerts collectively or individually. The default
value is OFF.
Include other observed activity: Other observed activity indicates interesting activity that has not
been raised to the level of an alert. This is disabled by default.
Include dismissed alerts: Alerts that have been previously dismissed. This is disabled by default.
Click Export All to export all the data on the dashboard page to a CSV file. Alternatively, download any
individual data set by clicking the down-arrow in that widget.
Alerts
Overview
Alerts are indicators of known threats or potential risks to your environment.
Regularly review alerts to determine whether action needs to be taken or policies need to be modified.
Alert Details
To expand and view alert details, double-click an alert row in the table.
Alert details, types, and severity
Group alerts
About TTPs and MITRE Techniques
TTP Reference
MITRE Techniques Reference
Triage and Remediation
Dismiss alerts
Analyze alerts on Alert Triage
Note: Advanced Scripting Prevention alerts do not have access to the Alert Triage page.
Search Help
Search Basics
Note: Timestamps within the console are displayed in the user's local time zone. Hover over timestamps to
view your local time in relation to the UTC time zone.
Alert details, types, and severity
Alert details
To view more details, double-click an alert or click the > to the right of the Actions column.
The expanded, right-side panel includes sections for more information on the alert's primary process and
device.
Click Show details to further expand each section. View or add alert notes and tags at the bottom of the
expanded right-panel in the Notes & Tags section.
In the table, the Status column will show Policy Applied with a red shield icon if an action was taken by a
policy on the alert.
Alert types
Alerts can come from two sources: USB Device Control or CB Analytics. View alerts from each source by
using the Type filter.
USB Device Control alerts
When an end user tries to access a blocked USB device, a deny policy action is triggered, resulting in an alert.
USB Device Control alerts cannot be triaged or investigated.
To view and manage USB Device Control alerts:
1. On the Alerts page, filter results by selecting USB Device Control in the Type filter.
2. Double-click an alert or click the > to the right of the Actions column to view the expanded right-side
panel. In this panel, view device details like vendor ID, product ID, and serial number.
3. Click Approve to approve a blocked USB device, or go to the USB Devices Inventory page to view all
devices detected in your environment.
CB Analytics alerts
CB Analytics alerts are detections generated by the Carbon Black Cloud analytics engine. These alerts are
further separated into two categories, indicated by the color of the alert:
Threat: Coded with the color red, located in the Priority filter. These alerts are highly likely to be
malicious activity. All Watchlists alerts are grouped in the Threat category.
Observed: Coded with the color yellow, located in the Other Activity filter. These alerts are observed
behaviors which have not been escalated to a degree which would indicate a threat or require action.
Useful for additional context when conducting investigations.
We recommend only selecting the Threat box in the filters panel when reviewing your queue of CB Analytics
alerts to help prioritize and focus your analysis.
Alert severity
Alert severity indicates the relative importance of an alert.
Click the S column to sort the alerts in your queue by severity score and identify which alerts might require
immediate attention.
Severity 1-2: Activities such as port scans, malware drops, changes to system configuration files,
persistence, etc.
Severity 3-5: Activities such as malware running, generic virus-like behavior, monitoring user input,
potential memory scraping, password theft, etc.
Severity 6-10: Activities such as reverse command shells, process hollowing, destructive malware,
hidden processes and tool sets, applications that talk on the network but should not, etc.
Target value
The target value acts as a multiplier when calculating the threat level of an alert. Target values are defined by
the policy to which an endpoint belongs.
The target value is indicated by the number of filled bars under the T column in the alerts table.
Low: One bar. Results in a lower threat level.
Medium: Two bars. The baseline target value; does not add a multiplier.
High/Mission Critical: Three or four bars. Both values increase the threat level under the same
circumstances. You may see two or more alerts with identical descriptions but with different alert
severities.
Group alerts
About grouped alerts
Similar alerts may be seen across multiple endpoints. Use the Group alerts toggle in the top right of the
table to group all similar alerts occurring across multiple endpoints into a single row.
Group alerts: Off
By default, the toggle is turned Off. In this view, all alerts are displayed individually in a single alert row, even
if an alert is seen on multiple devices.
Alerts can only be sorted by severity when the toggle is turned Off. We recommend this view to identify alert
prioritization, or when actions need to be taken on an individual alert.
Group alerts: On
Grouped alerts are condensed into a single alert row. Click the Devices icon in the Actions column of a
grouped alert row to view all alerts within the grouping, across all devices.
Alerts cannot be sorted by severity when the toggle is turned On. We recommend using the toggle On to
identify the prevalence of similar alerts across your organization, or to efficiently dismiss alerts across
multiple devices.
When grouped, these alerts represent a singular, collective "alert grouping" or "threat", identified by its
Threat ID. Alerts are grouped by their detected primary process and alert reason.
Note: Threat ID is not currently displayed in the console. However, it can be retrieved from the URL when
viewing an alert on the Alert Triage page.
Dismiss alerts
To dismiss alerts
1. Turn Group Alerts to OFF to dismiss alerts on a single device; turn Group Alerts to ON to dismiss
alerts on multiple devices.
2. Select the alerts you want to dismiss.
3. Click Dismiss Alert(s).
4. To dismiss all future occurrences of an alert, select If this alert occurs in the future, automatically
dismiss it on all devices. Email notifications are not associated with alert dismissals. You will still
receive email notifications for automatically dismissed future alerts.
5. Select a reason for the dismissal and use the open text box to include notes for the audit log entry. Click
Dismiss.
Note: Alerts can present different SHA-256 hashes. To dismiss an alert on multiple devices, the hash of the
object must be the same.
To bulk dismiss alerts
1. Select the checkbox in the top-left corner of the Alerts table to select all alerts listed on the page.
2. Click select all in the header prompt to select all alerts across all pages.
3. Click Dismiss Alert(s).
4. To dismiss all future occurrences of an alert, select If this alert occurs in the future, automatically
dismiss it on all devices. Email notifications are not associated with alert dismissals. You will still
receive email notifications for automatically dismissed future alerts.
5. Select a reason for the dismissal and use the open text box to include notes for the audit log entry. Click
Dismiss.
Search Basics
Value Search
Use complete values when searching (e.g., powershell) or a trailing wildcard (e.g., power*).
Search Fields
Form queries like this when including search fields: field:term
e.g., parent_name:powershell.exe
Wildcards
Expand queries using wildcards.
? Matches a single character, e.g., “te?t” will return results for “test” and “text”
* Matches zero or more sequential characters, e.g., “tes*” will return results for “test,” “testing,” and
“tester”
Leading wildcards are assumed in file extension searches.
e.g., process_name:.exe
Wildcards can be used in a path if you don’t quote the value and escape the following special characters with
a backslash: + - && || ! ( ) { } ^ " ~ * ? : /
e.g., to search for (1+1):2, type: \(1\+1\)\:2
Operators
Refine queries using operators. Operators must be uppercase.
AND returns results when both terms are present
OR returns results when either term is present
NOT returns results when a term is not present
Escaping
Slashes, colons, and spaces must be manually escaped, except when using suggestions and lters.
Date/Time Ranges
Refine queries using date/time ranges, when applicable.
e.g., device_timestamp: [2018-10-25T14:00:00Z TO 2018-10-26T15:00:00Z]
Count Searches
Refine queries that include counts with ranges and wildcards.
[3 TO *] Returns count results starting with a value of 3.
[* TO 10] Returns counts results up to a value of 10.
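The rules in this Search Basics box (which is repeated under Investigate) can be exercised with a small query helper. The following is an added example, not code from the Carbon Black Cloud console or its documentation; it assumes Lucene-style doubling of a literal backslash and uses netconn_count as an assumed field name, neither of which appears on this page.

```python
import re
from datetime import datetime, timezone
from typing import Iterable, Optional

# Characters the search help says to escape with a backslash in an unquoted
# value (+ - && || ! ( ) { } ^ " ~ * ? : /), plus the space that the Escaping
# section calls out. Escaping each character of "&&" and "||" covers both.
SPECIAL_CHARS = set('+-&|!(){}^"~*?:/ ')
WILDCARDS = set('*?')


def escape_value(value: str, keep_wildcards: bool = False) -> str:
    """Backslash-escape a literal value for a field:term clause; with
    keep_wildcards=True, '*' and '?' stay unescaped so they act as wildcards.
    Doubling a literal backslash is an assumption (Lucene-style), not on the page.
    """
    out = []
    for ch in value:
        if ch == '\\':
            out.append('\\\\')
        elif ch in SPECIAL_CHARS and not (keep_wildcards and ch in WILDCARDS):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def field_query(field: str, term: str, keep_wildcards: bool = False) -> str:
    """Build one field:term clause, e.g. parent_name:powershell.exe."""
    return f"{field}:{escape_value(term, keep_wildcards)}"


def combine(clauses: Iterable[str], operator: str = 'AND') -> str:
    """Join clauses with AND or OR, which the page requires to be uppercase."""
    op = operator.upper()
    if op not in ('AND', 'OR'):
        raise ValueError('clauses are joined with AND or OR only')
    return f' {op} '.join(clauses)


def date_range_query(field: str, start: datetime, end: datetime) -> str:
    """Inclusive [start TO end] range in the Z-suffixed UTC form the page shows."""
    def fmt(moment: datetime) -> str:
        if moment.tzinfo is None:
            raise ValueError('use timezone-aware datetimes; the console shows local time')
        return moment.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
    return f'{field}:[{fmt(start)} TO {fmt(end)}]'


def count_range_query(field: str, low: Optional[int] = None,
                      high: Optional[int] = None) -> str:
    """Open-ended count range: [3 TO *] from a low bound, [* TO 10] to a high one."""
    lo = '*' if low is None else str(low)
    hi = '*' if high is None else str(high)
    return f'{field}:[{lo} TO {hi}]'


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Compile the page's wildcard rules: '?' is one character, '*' zero or more;
    a pattern starting with '.' is a file-extension search and gets the implied
    leading wildcard the page describes (process_name:.exe).
    """
    if pattern.startswith('.'):
        pattern = '*' + pattern
    parts = []
    for ch in pattern:
        if ch == '*':
            parts.append('.*')
        elif ch == '?':
            parts.append('.')
        else:
            parts.append(re.escape(ch))
    return re.compile(''.join(parts), re.IGNORECASE)


def matches(pattern: str, value: str) -> bool:
    """True when the whole value satisfies the wildcard pattern."""
    return wildcard_to_regex(pattern).fullmatch(value) is not None


def example_query() -> str:
    """Constructed query: PowerShell children in the page's example time window,
    excluding conhost.exe, with at least 3 network connections.
    netconn_count is an assumed field name, not one shown on this page."""
    window = date_range_query(
        'device_timestamp',
        datetime(2018, 10, 25, 14, tzinfo=timezone.utc),
        datetime(2018, 10, 26, 15, tzinfo=timezone.utc))
    return combine([
        field_query('parent_name', 'powershell.exe'),
        'NOT ' + field_query('process_name', 'conhost.exe'),
        count_range_query('netconn_count', low=3),
        window,
    ])


if __name__ == '__main__':
    print(example_query())
    print(escape_value('(1+1):2'))  # the page's escaping example
```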
Alert Triage
Click the orange Take Action button to quickly add an application to the approved list or banned list,
request a file upload, delete an application, or view detections in VirusTotal.
Click Investigate to view and analyze an alert on the Investigate page.
Take action on alerts
Visualizing alerts
Alert origin, behaviors, and TTPs
About TTPs and MITRE Techniques
TTP Reference
MITRE Techniques Reference
Take action on alerts
In addition to the functions available from the Take Action button, there are several other actions you can
take on your CB Analytics alerts.
Dismiss or undismiss
Click Dismiss or Undismiss to take the desired action on an alert. Use the arrow buttons to quickly scroll
between alerts. Dismiss alerts across devices or in bulk on the Alerts page.
Add notes and tags
In the Notes and Tags tab, add relevant information about an alert. Adding notes and tags allows for easy
search and filtering of alerts, as well as a means of communication between console users.
Quarantine a device triggered by an alert
Click Quarantine Device, then Request quarantine.
Quarantining the device prevents suspicious activity and malware from affecting the rest of your network. A
device remains in quarantine until it is removed from the quarantined state. It can take several minutes to
place a device in quarantine.
To remove a device from quarantine, click Unquarantine device(s).
Use Live Response
Click Go Live to initiate a Live Response session. Use Live Response to perform remote investigations,
contain ongoing attacks, and remediate threats. Users must be assigned a role with Live Response
permissions in the Carbon Black Cloud to use the Live Response functionality.
Live Response is available on endpoints running a version 3.0 or later sensor and which have been assigned
a policy with Live Response enabled. Live Response can be used on devices in bypass mode or quarantine.
Visualizing alerts
Access a visualization, or process tree, of your alerts by clicking the Alert Triage icon from the Alerts page.
Each event in the attack stream (process, file, or network connection) is shown in the process tree as a node
with the attack origin displayed on the left and each subsequent event shown from left to right as the attack
progressed.
Click a node to view additional information and take action in the Selected Node collapsible panel.
Node Types
Operating System/Root Node: The root node at the far left of the process tree represents the host
device on which the original activity took place. The root node icon represents the operating system
that was running on the device.
Gears/Processes: Processes that have run or are still running.
Documents/Files: Files that were created on disk.
Network Connections/IP addresses: IP addresses are shown as network connection icons.
Note: If an operation is denied, an exclamation point (!) displays next to the denied process. If a process is
terminated, an X displays next to the terminated process.
Line Types
Invoked: A solid line indicates that one process invoked another process, file, or network connection.
Injected: A dashed line indicates that one process injected code into another process.
Read Memory: A dotted and dashed line indicates that one process attempted to read the virtual
memory of another process (but did not inject into the process).
Accessed Target: A dotted line indicates that one process attempted to enter another process (but
did not inject into the process).
Alert origin, behaviors, and TTPs
Access origin and behavior details about your alerts by clicking the Alert Triage icon.
Alert origin: Describes how the primary process for the alert was introduced onto the host, including
information about how the primary process was written to disk.
Alert behaviors based on severity: Describes alert behaviors based on severity and displays an interactive
TTP graph. Segments of the graph indicate the . Click a category label or graph segment to see a category’s
related TTPs, color coded by severity.
TTP color severity legend
Dark red: Severe
Bright red: High
Orange: Medium
Yellow: Low
Gray: None
Learn more about TTPs and MITRE TIDs.
Alert behavior categories
Process Manipulation: Behaviors with intent to modify and/or read the memory of other processes
that are running on the device.
Example: Injects code into the memory of another process.
Generic Suspect: Behaviors that are generic to multiple malware families, commonly exhibited by
known "good" applications.
Example: Attempts to persist beyond the reboot of a device and enumerating the running
processes on a system.
Data at Risk: Behaviors with intent to compromise the confidentiality, availability, or integrity of data
on endpoints.
Example: Ransomware-type behaviors or attempts to access user credentials.
Emerging Threats: Behaviors associated with non-malware attacks.
Example: Abuse of native command line utilities such as PowerShell, and/or the exploitation of
related activities such as buffer overflows.
Malware & Application Abuse: TTPs that are related to files with a generally known "bad" reputation,
or applications seen executing files with known bad reputations.
Note: This category also represents the monitoring of the execution of system applications.
However, these TTPs are given a lower priority rating because of the high likelihood of being
non-malicious actions.
Network Threat: Contains all TTPs that involve a process that is either communicating over the
network or listening for incoming connections.
Investigate
Investigate and analyze the details of every event stored in the Carbon Black Cloud, including all failed and
successful operations performed by applications and processes on endpoints.
Process details
Learn more about accessing details about your events and processes, how to take action, and about the
data that populates from your search results.
Enriched Events: Events, Applications, Devices, Network
Note: When utilizing a search query including either "enriched:true" or "legacy:true", some data fields may
populate with an empty placeholder value. Empty values are highly unlikely to appear in non-legacy data
results.
Search basics
Use the advanced search capabilities on this page to find more detailed information about alerts, conduct
investigations, and gain org-wide visibility into the prevalence of events and processes running in your
environment.
Use the Search Guide at the top of the page to access a full list of available search terms to help you create
advanced queries.
Value Search
Use complete values when searching (e.g., powershell) or a trailing wildcard (e.g., power*).
Search Fields
Form queries like this when including search fields: field:term
e.g., parent_name:powershell.exe
Wildcards
Expand queries using wildcards.
? Matches a single character, e.g., “te?t” will return results for “test” and “text”
* Matches zero or more sequential characters, e.g., “tes*” will return results for “test,” “testing,” and
“tester”
Leading wildcards are assumed in file extension searches.
e.g., process_name:.exe
Wildcards can be used in a path if you don’t quote the value and escape the following special characters with
a backslash: + - && || ! ( ) { } ^ " ~ * ? : /
e.g., to search for (1+1):2, type: \(1\+1\)\:2
Operators
Refine queries using operators. Operators must be uppercase.
AND returns results when both terms are present
OR returns results when either term is present
NOT returns results when a term is not present
Escaping
Slashes, colons, and spaces must be manually escaped, except when using suggestions and lters.
Date/Time Ranges
Refine queries using date/time ranges, when applicable.
e.g., device_timestamp: [2018-10-25T14:00:00Z TO 2018-10-26T15:00:00Z]
Count Searches
Refine queries that include counts with ranges and wildcards.
[3 TO *] Returns count results starting with a value of 3.
[* TO 10] Returns counts results up to a value of 10.
Investigate - Enriched Events
The Carbon Black Cloud analyzes unfiltered data on all endpoints to highlight events that may be of interest
based on types of behavior more likely to be associated with malicious activity, including 110+ core
behaviors known to be leveraged by attackers. These events are called enriched events.
Four tabs, each with a focused perspective, offer alternative ways to view information about the events in
your environment.
Events
Applications
Devices
Network
Note: Timestamps in the console are displayed in the user's local time zone. Hover over timestamps to view
the local time relative to the UTC time zone.
Events
The Events tab is the default view. It shows every event stored in the Carbon Black Cloud, including all failed
and successful operations performed by applications and processes on endpoints.
Click the caret to open up additional process and event type information in the right-side panel.
Click the dropdown arrow next to the process name to take action on the process.
Click More to view additional device details and take action on the device.
Time: Date and time when the event occurred.
Type: The type of event. Types include: childproc (child process), filemod (file modification), netconn (network connection), crossproc (cross process), and regmod (registry modification).
Event: Details associated with the event, including the application/process path, what occurred during the event, and whether the operation was successful or not.
Device: The registered name of the device.
Applications
The Applications tab displays the total number of events associated with each unique hash.
Click the dropdown icon to take action on an application/process:
Add to approved list/banned list: Add the application to the company approved list or company
banned list.
Request upload: Request an upload of the application file for your analysis. The file will be uploaded
onto the Inbox page once completed.
Find in VirusTotal: Find current information about the hash from various sources.
Hash: The SHA-256 of the application/process. Click the hyperlinked hash to search by SHA-256 hash on the Events tab.
Application: The name and path of the application/process. Click the hyperlinked name to search by application/process name on the Events tab.
Effective Reputation: The reputation of the application/process hash as applied by the sensor at the time the event occurred.
Current Cloud Reputation: The real-time reputation of the application/process hash reported by the Carbon Black Cloud.
Events: The total number of events associated with the application/process hash. Click the hyperlinked number to search by SHA-256 hash on the Events tab.
Devices: The number of devices the hash has been detected on.
Devices
The Devices tab displays the total number of events associated with each device in your environment.
Click the dropdown icon to take action on a specified device:
Enable or disable bypass
Quarantine or unquarantine a device
Device: The registered name of the device. Click the hyperlinked device name to see additional device details and to take action, including enable/disable bypass and quarantine/unquarantine the device.
User: User context in which the process was executed.
Policy: The policy group to which the device is registered. Click the hyperlinked policy name to view the policy on the Policies page.
Group: The sensor group to which the device is assigned, if applicable. Sensor groups can be viewed and managed on the Endpoints page.
OS: The device's operating system.
Events: The total number of events associated with the device. Click the hyperlinked number to search by device ID on the Events tab.
Network
The Network tab displays all network related events associated with each device and application/process in
your environment.
Click the caret to open up additional process and network connection information in the right-side panel.
Click the dropdown arrow next to the process name to take action on the process.
Click More to view additional device details and take action on the device.
Title | Description
Device time | The time when the network connection occurred.
Device | The registered name of the device. Click the hyperlinked device name to see additional device details and to take action, including enable/disable bypass and quarantine/unquarantine the device.
Process | The name and path of the application/process. Click the hyperlinked name to see a visualization of the network connection on the process tree.
Source | The source IP address.
Destination | The destination IP to which the connection was made.
Location | The geographical location of the remote network connection.
Protocol | Network protocol related to the network connection.
Port | Destination port of the network connection initiated or received by the process.
TTPs and MITRE Techniques
Tactics, Techniques, and Procedures (TTPs) are behaviors, methods, or patterns of activity used by a
threat actor, or group of threat actors.
MITRE Techniques are derived from MITRE ATT&CK™. This framework provides a list of common tactics,
techniques, and procedures that can be used to discover potential threats and identify areas of risk and
improvement in your environment. The framework comprises 12 Tactics and over 300 Techniques,
which adversaries use to compromise systems and enterprises.
Carbon Black TTPs
Events and alerts are tagged with Carbon Black TTPs to provide context around attacks and behaviors
leading up to attacks that are detected and prevented by policy actions.
Carbon Black TTPs present as fully colored pills, based on severity.
TTP color severity legend
Dark red: Critical
Bright red: High
Orange: Medium
Yellow: Low
Gray: None
Black: Policy action
Use the TTP Reference for a full list and description of all Carbon Black TTPs.
MITRE Techniques
Events and alerts may also be tagged with MITRE Techniques, derived from MITRE ATT&CK™.
MITRE techniques appear alongside TTPs and always have a "mitre_" prefix, followed by the Technique ID,
and the Technique name. They present as hollow pills with a colored border, based on severity.
MITRE TID color severity legend
Dark red border: Critical
Bright red border: High
Orange border: Medium
Yellow border: Low
Click a MITRE Technique pill to learn more on the MITRE ATT&CK™ (https://attack.mitre.org/) website, and
use the MITRE Techniques Reference for a full list of MITRE techniques in the Carbon Black Cloud console.
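As an added example (not code from this guide or from Carbon Black), the following Python parses the tags attached to one event using the conventions described above: Carbon Black TTPs carry a severity from the TTP Reference, policy-action tags are listed there as "Not applicable", and MITRE pills carry the "mitre_" prefix followed by the Technique ID and name. The exact separator between ID and name, the reference excerpt, and the sample tag list are assumptions; the function names are hypothetical.

```python
"""Parse the TTP tags on a Carbon Black Cloud event and rank them by severity."""
import re
from typing import List, NamedTuple, Optional

# Severity order matching the console's pill colour legend
# (Gray: None, Yellow: Low, Orange: Medium, Bright red: High, Dark red: Critical).
SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Excerpt of the TTP Reference table (tag -> severity) as printed in the guide.
# Policy-action tags are listed as "Not applicable" and render as black pills.
CB_TTP_SEVERITY = {
    "RUN_ANOTHER_APP": "Low",
    "RUN_CMD_SHELL": "Low",
    "RUN_SYSTEM_UTILITY": "Medium",
    "INDIRECT_COMMAND_EXECUTION": "Low",
    "FILELESS": "Critical",
    "MODIFY_SENSOR": "Critical",
    "PHISHING": "None",
    "ACTIVE_CLIENT": "Low",
    "OS_DENY": "None",
    "POLICY_DENY": "Not applicable",
    "POLICY_TERMINATE": "Not applicable",
    "MALWARE_SERVICE_DISABLED": "Not applicable",
}

# MITRE pills: "mitre_" prefix, then the Technique ID, then the Technique name.
# ASSUMPTION: ID and name are joined with underscores; the guide does not spell
# out the separator, so adjust this regex if your tenant formats tags differently.
MITRE_TAG = re.compile(r"^mitre_(T\d{4}(?:\.\d{3})?)(?:_(.+))?$")


class ParsedTag(NamedTuple):
    raw: str
    kind: str                     # "cb_ttp", "policy_action", "mitre" or "unknown"
    severity: Optional[str]       # CB TTP severity from the reference excerpt
    technique_id: Optional[str]   # MITRE Technique ID for "mitre" tags
    technique_name: Optional[str]


def parse_tag(tag: str) -> ParsedTag:
    """Classify one tag as a Carbon Black TTP, a policy action, or a MITRE technique."""
    m = MITRE_TAG.match(tag)
    if m:
        name = (m.group(2) or "").replace("_", " ") or None
        return ParsedTag(tag, "mitre", None, m.group(1), name)
    sev = CB_TTP_SEVERITY.get(tag)
    if sev is None:
        # Tag not in our excerpt: keep it visible rather than silently dropping it.
        return ParsedTag(tag, "unknown", None, None, None)
    if sev == "Not applicable":
        return ParsedTag(tag, "policy_action", sev, None, None)
    return ParsedTag(tag, "cb_ttp", sev, None, None)


def max_severity(parsed: List[ParsedTag]) -> str:
    """Highest severity among the Carbon Black TTPs; policy actions carry none."""
    sevs = [p.severity for p in parsed if p.kind == "cb_ttp"]
    return max(sevs, key=SEVERITY_RANK.__getitem__) if sevs else "None"


def summarize_event(tags: List[str]) -> dict:
    """Triage view of one event: worst CB severity, MITRE IDs, and whether policy acted."""
    parsed = [parse_tag(t) for t in tags]
    return {
        "max_severity": max_severity(parsed),
        "policy_acted": any(p.kind == "policy_action" for p in parsed),
        "policy_actions": [p.raw for p in parsed if p.kind == "policy_action"],
        "mitre_ids": [p.technique_id for p in parsed if p.kind == "mitre"],
        "unknown_tags": [p.raw for p in parsed if p.kind == "unknown"],
    }


# Constructed sample tag list shaped like the tags shown on an event (not real data).
SAMPLE_TAGS = [
    "RUN_CMD_SHELL",
    "FILELESS",
    "mitre_T1059_Command_and_Scripting_Interpreter",
    "POLICY_TERMINATE",
    "SOME_FUTURE_TTP",
]

if __name__ == "__main__":
    for t in SAMPLE_TAGS:
        print(parse_tag(t))
    print(summarize_event(SAMPLE_TAGS))
```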
TTP Reference
Tactics, Techniques, and Procedures (TTPs) are behaviors, methods, or patterns of activity used by a threat
actor, or group of threat actors.
Events and alerts are tagged with TTPs to provide context around attacks and behaviors leading up to
attacks that are detected and prevented by policy actions. Events and alerts may also be tagged with MITRE
Techniques. See the MITRE Techniques Reference for a full list of MITRE techniques in the Carbon Black
Cloud console.
Important: VMware Carbon Black is replacing the terms blacklist and whitelist with banned list and
approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.
Tag Where
It’s
Detected
Category How It’s Set Description
ACCESS_CALENDAR
(Severity: Medium)
Sensor Data at Risk A lesystem lter driver is set to
identify a read access based on
target le extension.
Access the calendar
application data les. For
example Outlook.
ACCESS_CLIPBOARD
(Severity: Medium)
Sensor Data at Risk The Win32 API
GetClipboardData() is called.
Access clipboard application
data.
ACCESS_CONTACTS
(Severity: Medium)
Sensor Data at Risk A lesystem lter driver is set to
identify a read access based on
target le extension.
Access contact list/phone
list application data.
ACCESS_DATA_FILES
(Severity: Medium)
Sensor Data at Risk A lesystem lter driver is set to
identify a read access based on
target le extension.
Access data les.
ACCESS_EMAIL_DATA
(Severity: Medium)
Sensor Data at Risk A lesystem lter driver is set to
identify a read access based on
target le extension.
Access email contents.
ACTIVE_CLIENT
(Severity: Low)
Sensor Network
Threat
A network lter driver is set to
identify the successful initiation
of IPv4 or IPv6 connections.
Application successfully
initiated a network
connection.
ACTIVE_SERVER
(Severity: Medium)
Sensor Network
Threat
A network lter driver is set to
identify accepted IPv4 or IPv6
connections.
Application successfully
accepted a network
connection.
ADAPTIVE_WHITE_APP
(Severity: None)
Analytics Malware &
Application
Abuse
A hash lookup has identi ed an
executable with reputation:
ADAPTIVE_WHITE_APP. App is
also (not signed) and (new i.e.
age < 30 days).
An unknown application
that scanned clean.
ATTEMPTED_CLIENT
(Severity: Low)
Sensor Network
Threat
A network lter driver is set to
identify the unsuccessful
initiation of IPV4 or IPv6
connections.
Application attempted to
initiate a network
connection (and failed).
ATTEMPTED_SERVER
(Severity: None)
Sensor Network
Threat
A network lter driver is set to
identify the unsuccessful
acceptance of IPV4 or IPv6
connections.
Application attempted to
accept a network
connection (and failed).
BEACON
(Severity: Medium)
Analytics Network
Threat
A failed network socket
connection was enforced at the
network lter driver, including
the use of userland hooks.
Low Reputation application
(ADAPTIVE_WHITE or worse)
running for the rst time
attempted to beacon over
http/s to a server,
unsuccessfully.
BUFFER_OVERFLOW_CALL
(Severity: Medium)
Sensor Emerging
Threats
Userland hooks are set to
identify API calls from writeable
memory.
Application attempted a
system call from a bu er
over ow.
BYPASS_POLICY
(Severity: High)
Sensor Emerging
Threats
Identi ed a driver callback that
includes specially crafted
command line arguments.
Application attempted to
bypass the device’s default
security policy.
CODE_DROP
(Severity: Medium)
Sensor Malware &
Application
Abuse
A lesystem lter driver is set to
identify the creation of a new
binary or script, based on target
le extension.
Application dropped an
executable or script.
COMPANY_BLACKLIST
(Severity: High)
Sensor Malware &
Application
Abuse
The hash of an binary has been
banned from executing, placed
on the COMPANY_BLACKLIST.
Application is on the
company banned list.
Tag Where
It’s
Detected
Category How It’s Set Description
COMPROMISED_PARENT
(Severity: None)
Sensor Process
Manipulation
Userland hooks are set to
identify processes that
complete bu er over ow,
process hollowing or code
injection by compromised app
such as, email, o ce, or
browsers apps.
Parent process has been
compromised due to
process modi cations such
as bu er over ow, code
injection, or process
hollowing.
COMPROMISED_PROCESS
(Severity: Medium)
Sensor Process
Manipulation
Userland hooks are set to
identify processes that
complete bu er over ow,
process hollowing or code
injection by compromised app
such as, email, o ce, or
browsers apps.
Process has been
compromised due to
process modi cations such
as bu er over ow, code
injection, or process
hollowing.
CONNECT_AFTER_SCAN
(Severity: None)
Analytics Network
Threat
Analytics checks to see if a
connection has been made
after an initial port scan.
A connection has been
made after an initial port
scan.
COPY_PROCESS_MEMORY
(Severity: High)
Sensor Data at Risk Userland hooks are set to
identify an application that took
a memory snapshot of another
process.
Application took a memory
snapshot of another
process
DATA_TO_ENCRYPTION
(Severity: None)
Sensor Data at Risk A process attempts to modify a
ransomware canary le.
An application tried to
modify one of the special
ransomware canary les
that the Carbon Black Cloud
placed in the le system.
These les are sensor-
controlled and should never
be modi ed by any
application other than the
Carbon Black Cloud.
DETECTED_BLACKLIST_APP
(Severity: High)
Sensor &
Analytics
Malware &
Application
Abuse
Hash of discovered executable
has reputation:
COMPANY_BLACKLIST.
A Blacklisted application has
been detected on the
lesystem.
DETECTED_MALWARE_APP
(Severity: High)
Sensor &
Analytics
Malware &
Application
Abuse
Hash or local scan of
discovered executable has
reputation: KNOWN_MALWARE
Malware application has
been detected on the
lesystem.
DETECTED_PUP_APP
(Severity: High)
Sensor &
Analytics
Malware &
Application
Abuse
Hash or local scan of
discovered executable has
reputation: PUP
Potentially Unwanted
Application (PUP) has been
detected on the lesystem.
DETECTED_SUSPECT_APP
(Severity: High)
Sensor &
Analytics
Malware &
Application
Abuse
Hash or local scan of
discovered executable has
reputation: SUSPECT_MALWARE
Suspect Application has
been detected on the
lesystem.
DUMP_PROCESS_MEMORY
(Severity: Medium)
Sensor Data at Risk Userland API hooks are set to
detect a process memory
dump.
Application created a
memory dump of another
process on the lesystem
EMAIL_CLIENT
(Severity: Low)
Sensor Network
Threat
A network lter driver is set to
identify client connections that
use an email protocol
(e.g.SMTP, SMTPS, POP3,
POP3S. IMAP, IMAP2, IMAPS).
Non-Email application (i.e.
unknown) is acting like an
email client and sending
data on an email port.
ENUMERATE_PROCESSES
(Severity: Medium)
Sensor Generic
Suspect
Userland API hooks are set to
detect process enumeration.
Process is attempting to
obtain a list of other
processes executing on the
host.
Tag Where
It’s
Detected
Category How It’s Set Description
FAKE_APP
(Severity: High)
Analytics Malware &
Application
Abuse
A lesystem driver is set to
identify "well known" windows
applications by path (e.g.
explorer, winlogin, lsass, etc)
which are executed from the
wrong directory.
Application that is
potentially impersonating a
well-known application.
FILE_TRANSFER
(Severity: High)
Sensor Network
Threat
A network lter driver is set to
identify successfully
established, connected or
rejected IPV4 or IPv6
connections on FTP.
Application is attempting to
transfer a le over the
network.
FILE_UPLOAD
(Severity: Medium)
Analytics Network
Threat
Userland hooks, network lter
driver and le system lter
driver are set to identify
processes that perform
memory scraping followed by a
network connection.
Application is potentially
uploading stolen data over
the network.
FILELESS
(Severity: Critical)
Analytics Emerging
Threats
A driver callback is identi ed
that includes command line
arguments to execute a script
from command line or registry
A script interpreter is acting
on a script that is not
present on disk.
FIXED_PORT_LISTEN
(Severity: Low)
Sensor Network
Threat
An IPv4 or IPv6 network lter
driver has been set to listen for
connections on a xed port
Application is listening on a
xed port.
HAS_BUFFER_OVERFLOW
(Severity: Low)
Sensor Emerging
Threats
Userland hooks are set to
identify API calls from writeable
memory
This process has exhibited a
bu er over ow.
HAS_COMPROMISED_CODE
(Severity: High)
Sensor Process
Manipulation
A COMPROMISED_PROCESS has
called one of a large variety of
high risk functions.
A compromised process had
called one of multiple
functions
HAS_INJECTED_CODE
(Severity: None)
Analytics Process
Manipulation
The analytics keeps track if a
process has been compromised
and then injects code into
another process.
The process is running
injected code.
HAS_MALWARE_CODE
(Severity: High)
Sensor Process
Manipulation
A MALWARE_APP has
performed a process injection
using one of a variety of high
risk techniques.
Process has been injected
into by known malware.
HAS_PACKED_CODE
(Severity: Low)
Sensor Process
Manipulation
Userland hooks have identi ed
an API call from writeable
memory.
Application contains
dynamic code (i.e. writable
memory & not bu er
over ow).
HAS_PUP_CODE
(Severity: High)
Sensor Process
Manipulation
A PUP_APP has performed a
process injection using one of a
variety of techniques.
Process has been injected
into by a PUP.
HAS_SCRIPT_DLL
(Severity: Low)
Sensor Generic
Suspect
A driver routine is set to
identify processes that load an
in-memory script interpreter.
Process loads an in-memory
script interpreter.
HAS_SUSPECT_CODE
(Severity: High)
Sensor Process
Manipulation
A SUSPECT_APP has performed
a process injection using one of
a variety of techniques.
Process has been injected
into by suspect malware.
HIDDEN_PROCESS
(Severity: High)
Sensor Generic
Suspect
Events attributed to a process
which is not visible to periodic
user level process calls.
Sensor has detected a
hidden process.
Tag Where
It’s
Detected
Category How It’s Set Description
HOLLOW_PROCESS
(Severity: None)
Sensor Process
Manipulation
Multiple user level hooks are
set to identify a speci c
sequence of calls that indicate a
process is being replaced with
another.
A technique used to hide
the presence of a process,
typically performed by
creating a suspended
process, replacing it with a
malicious one.
IMPERSONATE_SYSTEM
(Severity: None)
Analytics Process
Manipulation
Is set when the username that
is associated with a process
changes during the course of
execution to NT
AUTHORITYSYSTEM.
Tracks the username that is
associated with a process
and watches for change of
associated username to
system/root.
IMPERSONATE_USER
(Severity: None)
Analytics Process
Manipulation
Is set when the username that
is associated with a process
changes during the course of
execution to something other
than NT AUTHORITYSYSTEM.
Tracks the username that is
associated with a process
and watches for change of
associated username from
system/root to that of
another user.
INDIRECT_COMMAND_EXECUTION
(Severity: Low)
Sensor Malware &
Application
Abuse
Various system utilities may
have been used to execute
commands, possibly without
invoking cmd.
System utility used to
indirectly execute another
command.
INJECT_CODE
(Severity: Medium)
Sensor Process
Manipulation
Multiple kernel, OS and User
level techniques are set to
identify applications attempting
to inject code into another
process space
Application is attempting to
inject code into another
process.
INJECT_INPUT
(Severity: Medium)
Sensor Generic
Suspect
Userland hooks are set to
identify an attempt to inject
input into process
Application is attempting to
inject input into process.
INSTALL
(Severity: Low)
Sensor Generic
Suspect
A lesystem lter driver is set to
identify the creation of new
binaries or scripts based on
target le extension by installer
executable
Install process is running.
INTERNATIONAL_SITE
(Severity: Low)
Analytics Network
Threat
Geographic IP is set to identify
the source or destination of
IPv4 and IPv6 connections.
Application attempt to
communicate with a peer IP
address located in another
country (excluding into US)
IRC
(Severity: Medium)
Sensor Network
Threat
An IPv4 or IPv6 network lter
driver is set to identify
connections using common IRC
ports
Application attempt to
communicate over Internet
Relay Chat port.
KERNEL_ACCESS
(Severity: None)
Sensor Malware &
Application
Abuse
A process attempts to modify
the system's master boot
record (MBR).
An application attempts to
directly access the system's
hard drive to write data into
the MBR portion of the disk.
Malware uses this tactic to
alter system behavior on
startup.
KNOWN_APT
(Severity: Critical)
Sensor &
Analytics
Malware &
Application
Abuse
A hash lookup has identi ed a
running executable that has
reputation: KNOWN_MALWARE,
category: APT
Application is Advanced
Persistent Threat.
KNOWN_BACKDOOR
(Severity: Critical)
Sensor &
Analytics
Malware &
Application
Abuse
A hash lookup has identi ed a
running executable that has
reputation: KNOWN_MALWARE,
category: backdoor
Application is a known
backdoor into the system.
Tag Where
It’s
Detected
Category How It’s Set Description
KNOWN_DOWNLOADER
(Severity: Critical)
Sensor &
Analytics
Malware &
Application
Abuse
A hash lookup has identi ed a
running executable that has
reputation: KNOWN_MALWARE,
category: downloader
Application is a known
malicious downloader.
KNOWN_DROPPER
(Severity: Critical)
Sensor &
Analytics
Malware &
Application
Abuse
A hash lookup has identi ed a
running executable that has
reputation: KNOWN_MALWARE,
category: dropper
Application is a known
dropper of executables
KNOWN_KEYLOGGER
(Severity: Critical)
Sensor &
Analytics
Malware &
Application
Abuse
A hash lookup has identi ed a
running executable that has
reputation: KNOWN_MALWARE,
category: keylogger
Application known to
monitor keyboard input.
KNOWN_PASSWORD_STEALER
(Severity: Critical)
Sensor &
Analytics
Malware &
Application
Abuse
A hash lookup has identi ed a
running executable that has
reputation: KNOWN_MALWARE,
category: password stealer
Application known to steal
passwords.
KNOWN_RANSOMWARE
(Severity: Critical)
Sensor &
Analytics
Malware &
Application
Abuse
A hash lookup has identi ed a
running executable that has
reputation: KNOWN_MALWARE,
category: ransomware
Application is known
Ransomware.
KNOWN_ROGUE
(Severity: Critical)
Sensor &
Analytics
Malware &
Application
Abuse
A hash lookup has identi ed a
running executable that has
reputation: KNOWN_MALWARE,
category: rogue
Application is known as a
rogue application.
KNOWN_ROOTKIT
(Severity: None)
Sensor &
Analytics
Malware &
Application
Abuse
A hash lookup has identi ed a
running executable that has
reputation: KNOWN_MALWARE,
category: rootkit
Application is a known root
kit.
KNOWN_WORM
(Severity: Critical)
Sensor &
Analytics
Malware &
Application
Abuse
A hash lookup has identi ed a
running executable that has
reputation: KNOWN_MALWARE,
category: worm
Application is a known
worm.
LEVERAGES_SYSTEM_UTILITY
(Severity: High)
Analytics Emerging
Threats
Various system utilities may
have been used to perform
malicious activity.
A system utility was used for
potentially malicious
purposes.
LOW_REPUTATION_SITE
(Severity: Medium)
Analytics Network
Threat
A network lter driver is set to
identify connections to a peer
IP address or Domain that has
a low site reputation score
Application made a network
connection to a peer with
low reputation.
MALWARE_APP
(Severity: Critical)
Analytics Malware &
Application
Abuse
A hash lookup or local scanner
has identi ed a running
executable that has reputation:
MALWARE
Application is a known
Malware application.
MALWARE_DROP
(Severity: High)
Sensor Malware &
Application
Abuse
A CODE_DROP has been
detected where the dropped
application has the reputation:
KNOWN_MALWARE :
SUSPECT_MALWARE
Application dropped a
malware application.
MALWARE_SERVICE_DISABLED
(Severity: Not applicable)
Sensor Policy Action The analytics receives this info
from the sensor and sets this
value accordingly.
Malware service detected
and disabled by a policy.
MALWARE_SERVICE_FOUND
(Severity: Not applicable)
Sensor Policy Action The analytics receives this info
from the sensor and sets this
value accordingly.
Malware service detected by
a policy.
Tag Where
It’s
Detected
Category How It’s Set Description
MODIFY_KERNEL
(Severity: Critical)
Sensor Process
Manipulation
A userland hook has identi ed
a process that modi ed kernel
space
Application modi ed system
kernel.via NullPage
Allocation
MODIFY_MEMORY_PROTECTION
(Severity: Medium)
Sensor Process
Manipulation
A userland hook is set to detect
a process modifying the
memory permissions of a
secondary process
Application modify memory
protection settings for the
process.
MODIFY_OWN_PROCESS
(Severity: Medium)
Sensor Process
Manipulation
A userland hook is set to detect
a process that opens a handle
to itself.
Application attempted to
open its own process with
permissions to modify itself.
MODIFY_PROCESS_EXECUTION
(Severity: None)
Sensor Process
Manipulation
A userland hook is set to
identify attempts to modify the
execution context in another
process thread.
Application attempted to
modify the execution
context in another process
thread (either EAX or EIP)
MODIFY_PROCESS
(Severity: Medium)
Sensor Process
Manipulation
A userland hook is set to
identify applications attempting
to open another process
Application attempted to
open another process with
permissions to modify the
target.
MODIFY_SENSOR
(Severity: Critical)
Sensor Emerging
Threats
A userland hook is set to
identify an attempt to modify or
disable the Carbon Black Cloud
Sensor
Tamper Protection -
Application attempted to
modify Carbon Black Cloud
Sensor.
MODIFY_SERVICE
(Severity: High)
Sensor Process
Manipulation
A userland hook is set to
identify applications that
attempt to control, create or
delete a windows service
Application attempted to
control, create or delete a
windows service.
MONITOR_MICROPHONE
(Severity: Medium)
Sensor Data at Risk A userland hook is set to
identify applications attempting
to monitor the microphone
Application attempted to
monitor the microphone.
MONITOR_USER_INPUT
(Severity: Medium)
Sensor Data at Risk A userland hook is set to
identify applications attempting
to monitor user input
Application attempted to
monitor user input
(keyboard or mouse).
MONITOR_WEBCAM
(Severity: Medium)
Sensor Data at Risk A userland hook is set to
identify applications attempting
to monitor the onboard camera
Application attempted to
monitor web camera.
NETWORK_ACCESS
(Severity: Low)
Sensor Network
Threat
An IPv4 or IPv6 network lter
driver has successfully initiated
or accepted a network
connection
Application successfully
initiated or accepted a
network connection
NON_STANDARD_PORT
(Severity: None)
Sensor Network
Threat
Network lter driver veri es
ports for common protocols.
Identi es non-trusted
applications from making non-
http requests.
The process of passing
network tra c on an
alternative port to which it
was assigned by the IANA
Internet Assigned Numbers
Authority (IANA); for
example, passing FTP on
port 8081 when it is
normally con gured to
listen on port 21.
OS_DENY
(Severity: None)
Sensor Operating
System
Action
Analytics receives this info from
the sensor and sets this value
accordingly.
The attempted action was
denied by the operating
system.
PACKED_CALL
(Severity: Medium)
Sensor Emerging
Threats
A userland hook is set to
identify API calls from writeable
memory
Application attempted a
system call from dynamic
code (i.e. writable memory
& not bu er over ow)
Tag Where
It’s
Detected
Category How It’s Set Description
PACKED_CODE
(Severity: None)
Analytics Process
Manipulation
Depending on the arguments
to script interpreters and
applications, this is set when
the arguments are related to
encoding, obfuscating, le-less
execution, etc.
The process contains
unpacked code.
PERSIST
(Severity: None)
Sensor Generic
Suspect
A le system driver is set to
identify registry modi cations
that enable persistence upon
reboot or application removal
also known as auto-start
extensibility points (ASEP)
Persistent application.
PHISHING
(Severity: None)
Sensor Generic
Suspect
A driver callback is identi ed
where an email application
launches a web browser.
Email client launching a
browser.
PHONE_HOME
(Severity: Medium)
Sensor Network
Threat
An IPv4 or IPv6 network lter
driver is set to identify client
connections to a host that had
performed a port scan against
a Sensor
Application attempt to
connect back to a scanning
host.
POLICY_DENY
(Severity: Not applicable)
Sensor Policy Action The analytics receives this info
from the sensor and sets this
value accordingly.
The attempted action was
denied due to policy.
POLICY_TERMINATE
(Severity: Not applicable)
Sensor Policy Action The analytics receives this info
from the sensor and sets this
value accordingly.
The process was terminated
due to policy.
PORTSCAN
(Severity: None)
Sensor Network
Threat
N consecutive scans on
di erent ports from the same
host are detected.
A port scan is conducted.
PRIVILEGE_ESCALATE
(Severity: None)
Analytics Process
Manipulation
Is set when the username that
is associated with a process
changes during the course of
execution to “NT
AUTHORITYSYSTEM” or the
process has gained the admin
privilege.
Checks to see whether the
actual SYSTEM privilege is
associated with the process
(not just the username
context).
PROCESS_IMAGE_REPLACED
(Severity: None)
Sensor Process
Manipulation
Userland hooks watch for
speci c APIs being invoked that
involve overwriting of the main
executable section of a process,
and other related
manipulations such as
suspending and unmapping
sections.
Application has had its
primary executable code
replaced with other code.
PUP_APP
(Severity: High)
Analytics Malware &
Application
Abuse
A hash lookup or local scanner
has identi ed a running
executable that has reputation:
PUP
Application is a Potentially
Unwanted Program.
RAM_SCRAPING
(Severity: Medium)
Sensor &
Analytics
Data at Risk User land hook is set to detect
an application’s attempt to read
process memory.
When a process tries to
scrape the memory utilized
by another process.
READ_PROCESS_MEMORY
(Severity: Medium)
Sensor Data at Risk A userland hook is set to detect
applications attempting to read
process memory.
Application is attempting to
read process memory.
READ_SECURITY_DATA
(Severity: High)
Sensor Data at Risk A userland hook is set to detect
an application attempting to
read privileged security
information.
Application is attempting to
read privileged security
information (for example,
lsass.exe).
Tag Where
It’s
Detected
Category How It’s Set Description
REVERSE_SHELL
(Severity: High)
Sensor &
Analytics
Emerging
Threats
A userland hook is set to
identify a process that reads
from or writes to console via a
network connection
Command shell (e.g.
cmd.exe) interactively
receiving commands from a
network parent
RUN_ANOTHER_APP
(Severity: Low)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute another
application.
Application attempted to
execute another application.
RUN_BLACKLIST_APP
(Severity: High)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute
RUN_ANOTHER_APP and
child_proc is
COMPANY_BLACKLIST
Application attempted to
execute a blacklisted
application.
RUN_BROWSER
(Severity: Low)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute
RUN_ANOTHER_APP &
child_proc is a common
browser executable
Application attempted to
execute a browser.
RUN_CMD_SHELL
(Severity: Low)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute
RUN_ANOTHER_APP and
child_proc is a windows shell
Application attempted to
execute a command shell.
RUN_MALWARE_APP
(Severity: Critical)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute
RUN_ANOTHER_APP and child
process is MALWARE_APP
Application attempted to
execute a malware
application.
RUN_NET_UTILITY
(Severity: High)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute
RUN_ANOTHER_APP and child
target process is a common
network utility such as
"netsh.exe"
Application attempted to
execute a network utility
application.
RUN_PUP_APP
(Severity: High)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute
RUN_ANOTHER_APP and child
process is PUP_APP
Application attempted to
execute a PUP application.
RUN_SUSPECT_APP
(Severity: High)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute
RUN_ANOTHER_APP and
child_proc is SUSPECT_APP.
Application attempted to
execute a application with a
suspect reputation.
RUN_SYSTEM_APP
(Severity: Low)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute
RUN_ANOTHER_APP &and child
process is a system app
(application or dll located in the
"windows",
"windowssystem32",
"windowssysWOW64",
"windowsWinSxS**"
directories ).
Application attempted to
execute a systems
application.
Tag Where
It’s
Detected
Category How It’s Set Description
RUN_SYSTEM_UTILITY
(Severity: Medium)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute
RUN_ANOTHER_APP and
child_proc is a system utility
such as regedit.
Application attempted to
run a system utility (for
example, regedit)
RUN_UNKNOWN_APP
(Severity: None)
Sensor Malware &
Application
Abuse
A userland hook is set to
identify applications that
attempt to execute
RUN_ANOTHER_APP and child
process is UNKNOWN_APP.
Application tried to execute
an application with
unknown reputation.
SCREEN_SHOT
(Severity: None)
Sensor Data at Risk Win32 API SendInput() is used
to synthesize a PrintScreen key
press or Win32 API
CreateCompatibleBitmap() is
called.
A screenshot is taken on the
machine.
SECURITY_CONFIG_DOWNGRADE
(Severity: High)
Analytics Emerging
Threats
Windows Firewall or other
system security con gurations
have been changed or
downgraded, lowering its
security posture.
A Windows security
con guration has been
downgraded.
SET_APP_CONFIG
(Severity: Medium)
Sensor Generic
Suspect
A userland hook is set to
identify apps that modify the
registry (Microsoft O ce
Security keys) or set system
application con guration
parameters
Application set system
application con guration
parameters.
SET_APP_LAUNCH
(Severity: Medium)
Sensor Generic
Suspect
A userland hook is set to
identify apps that attempt to
modify registry to e ect when
or how another application may
be launched (Autoruns key,
Run, RunOnce, Load, Shell and
Open Commands)
Application attempted to
modify keys to e ect
when/how another
application may be
launched
SET_BROWSER_CONFIG
(Severity: Low)
Sensor Generic
Suspect
A userland hook is set to
identify apps that attempt to
modify registry (Install ActiveX
controls, Internet Settings,
System Certi cates, Internet
Explorer keys, browser helper
objects, COM InProcServer)
Application attempted to
modify the browser
settings.
SET_LOGIN_OPS
(Severity: Medium)
Analytics Emerging
Threats
Set by monitoring registry
modi cations to keys related to
Win log on process.
Application attempted to
modify process associated
with Win log on or user
name.
SET_REBOOT_OPS
(Severity: Low)
Sensor Generic
Suspect
A userland hook is set to
identify apps that attempt to
modify registry ( BootExecute,
Session Manager File
Operations)
Application attempted to set
reboot con guration
operations.
SET_REMOTE_ACCESS
(Severity: Medium)
Sensor Emerging
Threats
A userland hook is set to
identify apps that attempt to
modify registry
(SecurePipeServers winreg
settings, lanman parameters,
etc)
Application attempted to set
remote access
con guration.
SET_SYSTEM_AUDIT
(Severity: High)
Sensor Generic
Suspect
A userland hook is set to
identify apps that attempt to
modify registry (TaskManager
keys, DisableRegistryTools)
Application attempted to set
the system audit
parameters.
Tag Where
It’s
Detected
Category How It’s Set Description
SET_SYSTEM_CONFIG (Severity: Medium) | Sensor | Generic Suspect | A userland hook is set to identify applications that attempt to modify registry keys such as Uninstall keys or the wallpaper, as well as attempts to modify system configuration data files. | Application attempted to set system configuration parameters.
SET_SYSTEM_FILE (Severity: None) | Sensor | Malware & Application Abuse | A process attempts to modify the system's master boot record (MBR). | An application attempts to directly access the system's hard drive to write data into the MBR portion of the disk. Malware uses this tactic to alter system behavior on startup.
SET_SYSTEM_SECURITY (Severity: Medium) | Sensor | Generic Suspect | A userland hook is set to identify apps that attempt to modify registry keys (Autoruns key, UserInit, Run, RunOnce, Load, BootExecute, AppInit_DLLs, Shell and Open Commands, Uninstall keys, COM InProcServer, Install ActiveX controls, etc.). | Application attempts to set or change system security operations.
SUSPECT_APP (Severity: High) | Sensor & Analytics | Malware & Application Abuse | A hash lookup or local scanner has identified a running executable that has reputation SUSPECT. The application is also unsigned. | Application is suspected malicious by AV.
SUSPENDED_PROCESS (Severity: Medium) | Sensor | Process Manipulation | A userland hook is set to identify a process that was created in the suspended state. | A process created in a suspended state is being modified (pre-execution).
SUSPICIOUS_BEHAVIOR (Severity: Medium) | Analytics | Generic Suspect | A userland hook is set to identify applications executing code from dynamic memory (e.g. from a buffer overflow or unpacked code), and applications that typically do not communicate on the network (e.g. calc.exe) making network connections. | The application's unusual behavior warrants attention.
SUSPICIOUS_DOMAIN (Severity: High) | Sensor & Analytics | Network Threat | A network filter driver is set to identify when INTERNATIONAL_SITE is one of a set of ISO 3166-1 country codes (e.g. CU, IR, SD, SY, IQ, LY, KP, YE, etc.). | Application is connecting to a suspicious network domain (based upon ISO 3166-1 country codes).
SUSPICIOUS_SITE (Severity: Medium) | Sensor & Analytics | Network Threat | An IPv4 or IPv6 network filter driver is set to identify accepted connections from a suspicious INTERNATIONAL_SITE (e.g. domains in RU, CN). | Application accepts an inbound network connection from a suspicious international site.
UNKNOWN_APP (Severity: None) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation not_listed (i.e. unknown). The application is also unsigned. | Application has unknown reputation.
MITRE Techniques Reference
MITRE Techniques are derived from MITRE ATT&CK™ (https://attack.mitre.org/), a globally-accessible
knowledge base that provides a list of common adversary tactics, techniques, and procedures.
MITRE Techniques can appear alongside Carbon Black TTPs to tag events and alerts to provide context
around attacks and behaviors leading up to attacks. See the TTP Reference for a full list and description of all
Carbon Black TTPs.
This reference lists all of the MITRE techniques currently in the Carbon Black Cloud console.
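The two references are meant to be joined on the tag string: an alert's TTP list mixes Carbon Black tags such as SET_SYSTEM_SECURITY with MITRE tags such as mitre_t1547_boot_or_logon_auto_exec, and the technique ID embedded in the MITRE tag is the stable key. The name is not: the reference that follows lists the same name under two IDs (T1307 and T1329), and it keeps retired technique IDs such as T1060 (Registry Run Keys / Startup Folder) next to T1547, the technique that absorbed it. The Python below is an added example, not code from this guide or from Carbon Black. It parses MITRE tags into technique IDs and attack.mitre.org URLs, looks Carbon Black tags up in a small constructed subset of the TTP reference, and rolls an alert's TTP list up to its highest severity, reporting any tag found in neither reference rather than dropping it. The upper-case tag rendering, the sub-technique suffix handling, the sample alert and the triage() helper are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed subset of the TTP reference above: tag -> (severity, category).
# "None" is the severity the table prints for tags that carry no severity.
CB_TTP_REFERENCE: Dict[str, Tuple[str, str]] = {
    "SET_SYSTEM_SECURITY": ("Medium", "Generic Suspect"),
    "SET_SYSTEM_AUDIT": ("High", "Generic Suspect"),
    "SUSPENDED_PROCESS": ("Medium", "Process Manipulation"),
    "SUSPICIOUS_DOMAIN": ("High", "Network Threat"),
    "SUSPECT_APP": ("High", "Malware & Application Abuse"),
    "UNKNOWN_APP": ("None", "Malware & Application Abuse"),
    "SET_SYSTEM_FILE": ("None", "Malware & Application Abuse"),
}
SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3}
RANK_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}

# MITRE tags in the reference look like mitre_t1547_boot_or_logon_auto_exec.
# Matching is case-insensitive because API output is assumed to upper-case them.
# The optional three-digit group accepts a sub-technique suffix (an assumption;
# none appear in the table above).
MITRE_TAG = re.compile(
    r"^mitre_t(?P<num>\d{4})(?:_(?P<sub>\d{3}))?_(?P<slug>[a-z0-9_]+)$", re.I
)


@dataclass(frozen=True)
class MitreRef:
    technique_id: str  # "T1547" or "T1547.001"
    slug: str          # "boot_or_logon_auto_exec"
    url: str           # attack.mitre.org page for the technique


def parse_mitre_tag(tag: str) -> Optional[MitreRef]:
    """Return the technique reference encoded in a mitre_t... tag, or None
    when the tag is not a MITRE tag (for example a Carbon Black TTP)."""
    m = MITRE_TAG.match(tag)
    if not m:
        return None
    technique_id = f"T{m['num']}" + (f".{m['sub']}" if m["sub"] else "")
    # attack.mitre.org addresses sub-techniques as /techniques/T1547/001
    url = "https://attack.mitre.org/techniques/" + technique_id.replace(".", "/")
    return MitreRef(technique_id, m["slug"].lower(), url)


def triage(ttps: List[str]) -> dict:
    """Split an alert's TTP list into Carbon Black tags and MITRE references
    and roll it up to the highest Carbon Black severity present. Tags in
    neither reference are returned under 'unknown' so that a console update
    adding a new tag is visible instead of silently lowering the severity."""
    cb_tags: List[str] = []
    mitre: List[MitreRef] = []
    unknown: List[str] = []
    for tag in ttps:
        ref = parse_mitre_tag(tag)
        if ref is not None:
            mitre.append(ref)
        elif tag.upper() in CB_TTP_REFERENCE:
            cb_tags.append(tag.upper())
        else:
            unknown.append(tag)
    top = max((SEVERITY_RANK[CB_TTP_REFERENCE[t][0]] for t in cb_tags), default=0)
    return {
        "severity": RANK_SEVERITY[top],
        "categories": sorted({CB_TTP_REFERENCE[t][1] for t in cb_tags}),
        "mitre_ids": sorted({r.technique_id for r in mitre}),
        "mitre_urls": sorted({r.url for r in mitre}),
        "unknown": unknown,
    }


# Constructed sample: the TTP list of one alert, as the API is assumed to render it.
SAMPLE_ALERT_TTPS = [
    "MITRE_T1547_BOOT_OR_LOGON_AUTO_EXEC",
    "SET_SYSTEM_SECURITY",
    "SUSPENDED_PROCESS",
    "MITRE_T1055_PROCESS_INJECT",
    "UNKNOWN_APP",
    "SOME_TAG_NOT_IN_THIS_REFERENCE",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT_TTPS).items():
        print(f"{key}: {value}")
```

Running the block prints the roll-up for the constructed alert. In practice the list comes from the alert or event record returned by the Carbon Black Cloud API; the field name and casing are not given on this page and are assumed here. Keying on the technique ID means a retired ID and its replacement (T1060 and T1547) stay distinct rows that both resolve to a live attack.mitre.org page, which a name-keyed join would merge or drop.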
ID | Name | Link to Technique Details
T1156 | .bash_profile and .bashrc | mitre_t1156_bash_profile_and_bashrc (https://attack.mitre.org/techniques/T1156)
T1548 | Abuse Elevation Control Mechanism | mitre_t1548_abuse_elevation_ctrl_mech (https://attack.mitre.org/techniques/T1548)
T1134 | Access Token Manipulation | mitre_t1134_access_token_manip (https://attack.mitre.org/techniques/T1134)
T1015 | Accessibility Features | mitre_t1015_accessibility_features (https://attack.mitre.org/techniques/T1015)
T1087 | Account Discovery | mitre_t1087_account_discovery (https://attack.mitre.org/techniques/T1087)
T1098 | Account Manipulation | mitre_t1098_account_manip (https://attack.mitre.org/techniques/T1098)
T1307 | Acquire and/or use 3rd party infrastructure services | mitre_t1307_acquire_and_or_use_3rd_party_infrastructure_services (https://attack.mitre.org/techniques/T1307)
T1329 | Acquire and/or use 3rd party infrastructure services | mitre_t1329_acquire_and_or_use_3rd_party_infrastructure_services (https://attack.mitre.org/techniques/T1329)
T1308 | Acquire and/or use 3rd party software services | mitre_t1308_acquire_and_or_use_3rd_party_software_services (https://attack.mitre.org/techniques/T1308)
T1330 | Acquire and/or use 3rd party software services | mitre_t1330_acquire_and_or_use_3rd_party_software_services (https://attack.mitre.org/techniques/T1330)
T1310 | Acquire or compromise 3rd party signing certificates | mitre_t1310_acquire_or_compromise_3rd_party_signing_certificates (https://attack.mitre.org/techniques/T1310)
T1182 | AppCert DLLs | mitre_t1182_appcert_dlls (https://attack.mitre.org/techniques/T1182)
T1103 | AppInit DLLs | mitre_t1103_appinit_dlls (https://attack.mitre.org/techniques/T1103)
T1155 | AppleScript | mitre_t1155_applescript (https://attack.mitre.org/techniques/T1155)
T1017 | Application Deployment Software | mitre_t1017_app_deployment_software (https://attack.mitre.org/techniques/T1017)
T1138 | Application Shimming | mitre_t1138_app_shimming (https://attack.mitre.org/techniques/T1138)
T1010 | Application Window Discovery | mitre_t1010_app_window_discovery (https://attack.mitre.org/techniques/T1010)
T1560 | Archive Collected Data | mitre_t1560_archive_collected_data (https://attack.mitre.org/techniques/T1560)
T1123 | Audio Capture | mitre_t1123_audio_capture (https://attack.mitre.org/techniques/T1123)
T1131 | Authentication Package | mitre_t1131_auth_package (https://attack.mitre.org/techniques/T1131)
T1119 | Automated Collection | mitre_t1119_auto_collection (https://attack.mitre.org/techniques/T1119)
T1020 | Automated Exfiltration | mitre_t1020_auto_exfil (https://attack.mitre.org/techniques/T1020)
T1139 | Bash History | mitre_t1139_bash_history (https://attack.mitre.org/techniques/T1139)
T1009 | Binary Padding | mitre_t1009_binary_padding (https://attack.mitre.org/techniques/T1009)
T1197 | BITS Jobs | mitre_t1197_bits_jobs (https://attack.mitre.org/techniques/T1197)
T1547 | Boot or Logon Autostart Execution | mitre_t1547_boot_or_logon_auto_exec (https://attack.mitre.org/techniques/T1547)
T1067 | Bootkit | mitre_t1067_bootkit (https://attack.mitre.org/techniques/T1067)
T1217 | Browser Bookmark Discovery | mitre_t1217_browser_bookmark_discovery (https://attack.mitre.org/techniques/T1217)
T1176 | Browser Extensions | mitre_t1176_browser_extensions (https://attack.mitre.org/techniques/T1176)
T1110 | Brute Force | mitre_t1110_brute_force (https://attack.mitre.org/techniques/T1110)
T1088 | Bypass User Account Control | mitre_t1088_bypass_uac (https://attack.mitre.org/techniques/T1088)
T1042 | Change Default File Association | mitre_t1042_change_default_file_assoc (https://attack.mitre.org/techniques/T1042)
T1146 | Clear Command History | mitre_t1146_clear_cmd_history (https://attack.mitre.org/techniques/T1146)
T1115 | Clipboard Data | mitre_t1115_clipboard_data (https://attack.mitre.org/techniques/T1115)
T1191 | CMSTP | mitre_t1191_cmstp (https://attack.mitre.org/techniques/T1191)
T1116 | Code Signing | mitre_t1116_code_signing (https://attack.mitre.org/techniques/T1116)
T1059 | Command-Line or Script Interface | mitre_t1059_cmd_line_or_script_inter (https://attack.mitre.org/techniques/T1059)
T1043 | Commonly Used Port | mitre_t1043_common_port (https://attack.mitre.org/techniques/T1043)
T1092 | Communication Through Removable Media | mitre_t1092_comm_thru_removable_media (https://attack.mitre.org/techniques/T1092)
T1500 | Compile After Delivery | mitre_t1500_compile_after_delivery (https://attack.mitre.org/techniques/T1500)
T1223 | Compiled HTML File | mitre_t1223_compiled_html_file (https://attack.mitre.org/techniques/T1223)
T1109 | Component Firmware | mitre_t1109_comp_firmware (https://attack.mitre.org/techniques/T1109)
T1175 | Component Object Model and Distributed COM | mitre_t1175_distributed_comp_object_model (https://attack.mitre.org/techniques/T1175)
T1122 | Component Object Model Hijacking | mitre_t1122_comp_obj_model_hij (https://attack.mitre.org/techniques/T1122)
T1196 | Control Panel Items | mitre_t1196_control_panel_items (https://attack.mitre.org/techniques/T1196)
T1136 | Create Account | mitre_t1136_create_account (https://attack.mitre.org/techniques/T1136)
T1345 | Create Custom Payloads | mitre_t1345_create_custom_payloads (https://attack.mitre.org/techniques/T1345)
T1543 | Create or Modify System Process | mitre_t1543_create_or_modify_sys_proc (https://attack.mitre.org/techniques/T1543)
T1003 | OS Credential Dumping | mitre_t1003_os_credential_dump (https://attack.mitre.org/techniques/T1003)
T1555 | Credentials from Password Stores | mitre_t1555_creds_from_pwd_stores (https://attack.mitre.org/techniques/T1555)
T1503 | Credentials from Web Browsers | mitre_t1503_credentials_from_web_browsers (https://attack.mitre.org/techniques/T1503)
T1081 | Credentials in Files | mitre_t1081_cred_in_files (https://attack.mitre.org/techniques/T1081)
T1214 | Credentials in Registry | mitre_t1214_creds_in_reg (https://attack.mitre.org/techniques/T1214)
T1094 | Custom Command and Control Protocol | mitre_t1094_custom_cmd_and_control_proto (https://attack.mitre.org/techniques/T1094)
T1024 | Custom Cryptographic Protocol | mitre_t1024_custom_crypto_proto (https://attack.mitre.org/techniques/T1024)
T1002 | Data Compressed | mitre_t1002_data_compressed (https://attack.mitre.org/techniques/T1002)
T1485 | Data Destruction | mitre_t1485_data_destruction (https://attack.mitre.org/techniques/T1485)
T1132 | Data Encoding | mitre_t1132_data_encoding (https://attack.mitre.org/techniques/T1132)
T1022 | Data Encrypted | mitre_t1022_data_encrypted (https://attack.mitre.org/techniques/T1022)
T1486 | Data Encrypted for Impact | mitre_t1486_data_encrypted_for_impact (https://attack.mitre.org/techniques/T1486)
T1213 | Data from Information Repositories | mitre_t1213_data_from_info_repos (https://attack.mitre.org/techniques/T1213)
T1005 | Data from Local System | mitre_t1005_data_from_local_sys (https://attack.mitre.org/techniques/T1005)
T1039 | Data from Network Shared Drive | mitre_t1039_data_from_network_shared_drive (https://attack.mitre.org/techniques/T1039)
T1025 | Data from Removable Media | mitre_t1025_data_from_removable_media (https://attack.mitre.org/techniques/T1025)
T1320 | Data Hiding | mitre_t1320_data_hiding (https://attack.mitre.org/techniques/T1320)
T1001 | Data Obfuscation | mitre_t1001_data_obfuscation (https://attack.mitre.org/techniques/T1001)
T1565 | Data Manipulation | mitre_t1565_data_manip (https://attack.mitre.org/techniques/T1565)
T1074 | Data Staged | mitre_t1074_data_staged (https://attack.mitre.org/techniques/T1074)
T1030 | Data Transfer Size Limits | mitre_t1030_data_transfer_size_limits (https://attack.mitre.org/techniques/T1030)
T1207 | Rogue Domain Controller | mitre_t1207_rogue_domain_controller (https://attack.mitre.org/techniques/T1207)
T1491 | Defacement | mitre_t1491_defacement (https://attack.mitre.org/techniques/T1491)
T1140 | Deobfuscate/Decode Files or Information | mitre_t1140_deobfuscate_or_decode_files_or_info (https://attack.mitre.org/techniques/T1140)
T1089 | Disabling Security Tools | mitre_t1089_disabling_security_tools (https://attack.mitre.org/techniques/T1089)
T1488 | Disk Content Wipe | mitre_t1488_disk_content_wipe (https://attack.mitre.org/techniques/T1488)
T1487 | Disk Structure Wipe | mitre_t1487_disk_structure_wipe (https://attack.mitre.org/techniques/T1487)
T1561 | Disk Wipe | mitre_t1561_disk_wipe (https://attack.mitre.org/techniques/T1561)
T1038 | DLL Search Order Hijacking | mitre_t1038_dll_search_order_hij (https://attack.mitre.org/techniques/T1038)
T1073 | DLL Side-Loading | mitre_t1073_dll_side_loading (https://attack.mitre.org/techniques/T1073)
T1172 | Domain Fronting | mitre_t1172_domain_fronting (https://attack.mitre.org/techniques/T1172)
T1483 | Domain Generation Algorithms | mitre_t1483_domain_generation_algorithms (https://attack.mitre.org/techniques/T1483)
T1482 | Domain Trust Discovery | mitre_t1482_domain_trust_discovery (https://attack.mitre.org/techniques/T1482)
T1189 | Drive-by Compromise | mitre_t1189_drive_by_compromise (https://attack.mitre.org/techniques/T1189)
T1157 | Dylib Hijacking | mitre_t1157_dylib_hijacking (https://attack.mitre.org/techniques/T1157)
T1173 | Dynamic Data Exchange | mitre_t1173_dynamic_data_exchange (https://attack.mitre.org/techniques/T1173)
T1568 | Dynamic Resolution | mitre_t1568_dynamic_resolution (https://attack.mitre.org/techniques/T1568)
T1514 | Elevated Execution with Prompt | mitre_t1514_elevated_execution_with_prompt (https://attack.mitre.org/techniques/T1514)
T1114 | Email Collection | mitre_t1114_email_collection (https://attack.mitre.org/techniques/T1114)
T1573 | Encrypted Channel | mitre_t1573_encrypted_channel (https://attack.mitre.org/techniques/T1573)
T1499 | Endpoint Denial of Service | mitre_t1499_endpoint_denial_of_service (https://attack.mitre.org/techniques/T1499)
T1546 | Event Triggered Execution | mitre_t1546_event_triggered_exec (https://attack.mitre.org/techniques/T1546)
T1480 | Execution Guardrails | mitre_t1480_exec_guardrails (https://attack.mitre.org/techniques/T1480)
T1106 | Native API | mitre_t1106_native_api (https://attack.mitre.org/techniques/T1106)
T1129 | Shared Modules | mitre_t1129_shared_modules (https://attack.mitre.org/techniques/T1129)
T1048 | Exfiltration Over Alternative Protocol | mitre_t1048_exfil_over_alt_proto (https://attack.mitre.org/techniques/T1048)
T1041 | Exfiltration Over Command and Control Channel | mitre_t1041_exfil_over_c2 (https://attack.mitre.org/techniques/T1041)
T1011 | Exfiltration Over Other Network Medium | mitre_t1011_exfil_over_other_network_medium (https://attack.mitre.org/techniques/T1011)
T1052 | Exfiltration Over Physical Medium | mitre_t1052_exfil_over_physical_medium (https://attack.mitre.org/techniques/T1052)
T1190 | Exploit Public-Facing Application | mitre_t1190_exploit_public_facing_app (https://attack.mitre.org/techniques/T1190)
T1203 | Exploitation for Client Execution | mitre_t1203_exploit_for_client_exec (https://attack.mitre.org/techniques/T1203)
T1212 | Exploitation for Credential Access | mitre_t1212_exploit_for_cred_access (https://attack.mitre.org/techniques/T1212)
T1211 | Exploitation for Defense Evasion | mitre_t1211_exploit_for_defense_evasion (https://attack.mitre.org/techniques/T1211)
T1068 | Exploitation for Privilege Escalation | mitre_t1068_exploit_for_priv_escalation (https://attack.mitre.org/techniques/T1068)
T1210 | Exploitation of Remote Services | mitre_t1210_exploit_of_remote_services (https://attack.mitre.org/techniques/T1210)
T1133 | External Remote Services | mitre_t1133_external_remote_services (https://attack.mitre.org/techniques/T1133)
T1181 | Extra Window Memory Injection | mitre_t1181_extra_window_memory_inject (https://attack.mitre.org/techniques/T1181)
T1008 | Fallback Channels | mitre_t1008_fallback_channels (https://attack.mitre.org/techniques/T1008)
T1083 | File and Directory Discovery | mitre_t1083_file_and_dir_discovery (https://attack.mitre.org/techniques/T1083)
T1222 | File and Directory Permissions Modification | mitre_t1222_file_and_dir_perms_mod (https://attack.mitre.org/techniques/T1222)
T1107 | File Deletion | mitre_t1107_file_deletion (https://attack.mitre.org/techniques/T1107)
T1006 | Direct Volume Access | mitre_t1006_direct_volume_access (https://attack.mitre.org/techniques/T1006)
T1044 | File System Permissions Weakness | mitre_t1044_file_sys_perms_weakness (https://attack.mitre.org/techniques/T1044)
T1495 | Firmware Corruption | mitre_t1495_firmware_corruption (https://attack.mitre.org/techniques/T1495)
T1187 | Forced Authentication | mitre_t1187_forced_auth (https://attack.mitre.org/techniques/T1187)
T1144 | Gatekeeper Bypass | mitre_t1144_gatekeeper_bypass (https://attack.mitre.org/techniques/T1144)
T1061 | Graphical User Interface | mitre_t1061_graphical_user_interface (https://attack.mitre.org/techniques/T1061)
T1484 | Group Policy Modification | mitre_t1484_group_policy_mod (https://attack.mitre.org/techniques/T1484)
T1200 | Hardware Additions | mitre_t1200_hardware_additions (https://attack.mitre.org/techniques/T1200)
T1158 | Hidden Files and Directories | mitre_t1158_hidden_files_and_directories (https://attack.mitre.org/techniques/T1158)
T1147 | Hidden Users | mitre_t1147_hidden_users (https://attack.mitre.org/techniques/T1147)
T1143 | Hidden Window | mitre_t1143_hidden_window (https://attack.mitre.org/techniques/T1143)
T1564 | Hide Artifacts | mitre_t1564_hide_artifacts (https://attack.mitre.org/techniques/T1564)
T1574 | Hijack Execution Flow | mitre_t1574_hijack_exec_flow (https://attack.mitre.org/techniques/T1574)
T1148 | HISTCONTROL | mitre_t1148_histcontrol (https://attack.mitre.org/techniques/T1148)
T1179 | Hooking | mitre_t1179_hooking (https://attack.mitre.org/techniques/T1179)
T1062 | Hypervisor | mitre_t1062_hypervisor (https://attack.mitre.org/techniques/T1062)
T1183 | Image File Execution Options Injection | mitre_t1183_image_file_exec_options_inject (https://attack.mitre.org/techniques/T1183)
T1562 | Impair Defenses | mitre_t1562_impair_defenses (https://attack.mitre.org/techniques/T1562)
T1054 | Indicator Blocking | mitre_t1054_indicator_blocking (https://attack.mitre.org/techniques/T1054)
T1066 | Indicator Removal from Tools | mitre_t1066_indicator_removal_from_tools (https://attack.mitre.org/techniques/T1066)
T1070 | Indicator Removal on Host | mitre_t1070_indicator_removal_on_host (https://attack.mitre.org/techniques/T1070)
T1202 | Indirect Command Execution | mitre_t1202_indirect_command_execution (https://attack.mitre.org/techniques/T1202)
T1490 | Inhibit System Recovery | mitre_t1490_inhibit_sys_recovery (https://attack.mitre.org/techniques/T1490)
T1056 | Input Capture | mitre_t1056_input_capture (https://attack.mitre.org/techniques/T1056)
T1141 | Input Prompt | mitre_t1141_input_prompt (https://attack.mitre.org/techniques/T1141)
T1130 | Install Root Certificate | mitre_t1130_install_root_certificate (https://attack.mitre.org/techniques/T1130)
T1118 | InstallUtil | mitre_t1118_installutil (https://attack.mitre.org/techniques/T1118)
T1559 | Inter-Process Communication | mitre_t1559_inter_proc_comm (https://attack.mitre.org/techniques/T1559)
T1208 | Kerberoasting | mitre_t1208_kerberoasting (https://attack.mitre.org/techniques/T1208)
T1215 | Kernel Modules and Extensions | mitre_t1215_kernel_modules_and_extensions (https://attack.mitre.org/techniques/T1215)
T1142 | Keychain | mitre_t1142_keychain (https://attack.mitre.org/techniques/T1142)
T1570 | Lateral Tool Transfer | mitre_t1570_lateral_tool_transfer (https://attack.mitre.org/techniques/T1570)
T1159 | Launch Agent | mitre_t1159_launch_agent (https://attack.mitre.org/techniques/T1159)
T1160 | Launch Daemon | mitre_t1160_launch_daemon (https://attack.mitre.org/techniques/T1160)
T1152 | Launchctl | mitre_t1152_launchctl (https://attack.mitre.org/techniques/T1152)
T1161 | LC_LOAD_DYLIB Addition | mitre_t1161_lc_load_dylib_addition (https://attack.mitre.org/techniques/T1161)
T1149 | LC_MAIN Hijacking | mitre_t1149_lc_main_hijacking (https://attack.mitre.org/techniques/T1149)
T1171 | LLMNR/NBT-NS Poisoning and Relay | mitre_t1171_llmnr_nbt_ns_poisoning_and_relay (https://attack.mitre.org/techniques/T1171)
T1168 | Local Job Scheduling | mitre_t1168_local_job_scheduling (https://attack.mitre.org/techniques/T1168)
T1162 | Login Item | mitre_t1162_login_item (https://attack.mitre.org/techniques/T1162)
T1037 | Logon Scripts | mitre_t1037_logon_scripts (https://attack.mitre.org/techniques/T1037)
T1177 | LSASS Driver | mitre_t1177_lsass_driver (https://attack.mitre.org/techniques/T1177)
T1185 | Man in the Browser | mitre_t1185_man_in_the_browser (https://attack.mitre.org/techniques/T1185)
T1557 | Man-in-the-Middle | mitre_t1557_man_in_the_middle (https://attack.mitre.org/techniques/T1557)
T1036 | Masquerading | mitre_t1036_masquerading (https://attack.mitre.org/techniques/T1036)
T1556 | Modify Authentication Process | mitre_t1556_modify_auth_proc (https://attack.mitre.org/techniques/T1556)
T1578 | Modify Cloud Compute Infrastructure | mitre_t1578_modify_cloud_compute_infra (https://attack.mitre.org/techniques/T1578)
T1031 | Modify Existing Service | mitre_t1031_modify_existing_service (https://attack.mitre.org/techniques/T1031)
T1112 | Modify Registry | mitre_t1112_modify_registry (https://attack.mitre.org/techniques/T1112)
T1170 | Mshta | mitre_t1170_mshta (https://attack.mitre.org/techniques/T1170)
T1188 | Multi-hop Proxy | mitre_t1188_multi_hop_proxy (https://attack.mitre.org/techniques/T1188)
T1104 | Multi-Stage Channels | mitre_t1104_multi_stage_channels (https://attack.mitre.org/techniques/T1104)
T1026 | Multiband Communication | mitre_t1026_multiband_comm (https://attack.mitre.org/techniques/T1026)
T1079 | Multilayer Encryption | mitre_t1079_multilayer_encryption (https://attack.mitre.org/techniques/T1079)
T1128 | Netsh Helper DLL | mitre_t1128_netsh_helper_dll (https://attack.mitre.org/techniques/T1128)
T1498 | Network Denial of Service | mitre_t1498_network_denial_of_service (https://attack.mitre.org/techniques/T1498)
T1046 | Network Service Scanning | mitre_t1046_network_service_scanning (https://attack.mitre.org/techniques/T1046)
T1126 | Network Share Connection Removal | mitre_t1126_network_share_connection_removal (https://attack.mitre.org/techniques/T1126)
T1135 | Network Share Discovery | mitre_t1135_network_share_discovery (https://attack.mitre.org/techniques/T1135)
T1040 | Network Sniffing | mitre_t1040_network_sniffing (https://attack.mitre.org/techniques/T1040)
T1050 | New Service | mitre_t1050_new_service (https://attack.mitre.org/techniques/T1050)
T1095 | Non-Application Layer Protocol | mitre_t1095_non_app_layer_proto (https://attack.mitre.org/techniques/T1095)
T1571 | Non-Standard Port | mitre_t1571_non_std_port (https://attack.mitre.org/techniques/T1571)
T1096 | NTFS File Attributes | mitre_t1096_ntfs_file_attrib (https://attack.mitre.org/techniques/T1096)
T1027 | Obfuscated Files or Information | mitre_t1027_obfuscate_files_or_info (https://attack.mitre.org/techniques/T1027)
T1137 | Office Application Startup | mitre_t1137_office_app_startup (https://attack.mitre.org/techniques/T1137)
T1502 | Parent PID Spoofing | mitre_t1502_parent_pid_spoofing (https://attack.mitre.org/techniques/T1502)
T1075 | Pass the Hash | mitre_t1075_pass_the_hash (https://attack.mitre.org/techniques/T1075)
T1097 | Pass the Ticket | mitre_t1097_pass_the_ticket (https://attack.mitre.org/techniques/T1097)
T1174 | Password Filter DLL | mitre_t1174_password_filter_dll (https://attack.mitre.org/techniques/T1174)
T1201 | Password Policy Discovery | mitre_t1201_password_policy_discovery (https://attack.mitre.org/techniques/T1201)
T1034 | Path Interception | mitre_t1034_path_intercept (https://attack.mitre.org/techniques/T1034)
T1120 | Peripheral Device Discovery | mitre_t1120_periph_discovery (https://attack.mitre.org/techniques/T1120)
T1069 | Permission Groups Discovery | mitre_t1069_permission_discovery (https://attack.mitre.org/techniques/T1069)
T1566 | Phishing | mitre_t1566_phishing (https://attack.mitre.org/techniques/T1566)
T1150 | Plist Modification | mitre_t1150_plist_mod (https://attack.mitre.org/techniques/T1150)
T1205 | Traffic Signaling | mitre_t1205_traffic_signaling (https://attack.mitre.org/techniques/T1205)
T1013 | Port Monitors | mitre_t1013_port_monitors (https://attack.mitre.org/techniques/T1013)
T1086 | PowerShell | mitre_t1086_powershell (https://attack.mitre.org/techniques/T1086)
T1504 | PowerShell Profile | mitre_t1504_powershell_profile (https://attack.mitre.org/techniques/T1504)
T1542 | Pre-OS Boot | mitre_t1542_pre_os_boot (https://attack.mitre.org/techniques/T1542)
T1145 | Private Keys | mitre_t1145_private_keys (https://attack.mitre.org/techniques/T1145)
T1057 | Process Discovery | mitre_t1057_process_discovery (https://attack.mitre.org/techniques/T1057)
T1186 | Process Doppelgänging | mitre_t1186_process_doppelganging (https://attack.mitre.org/techniques/T1186)
T1093 | Process Hollowing | mitre_t1093_process_hollowing (https://attack.mitre.org/techniques/T1093)
T1055 | Process Injection | mitre_t1055_process_inject (https://attack.mitre.org/techniques/T1055)
T1090 | Proxy | mitre_t1090_proxy (https://attack.mitre.org/techniques/T1090)
T1012 | Query Registry | mitre_t1012_query_registry (https://attack.mitre.org/techniques/T1012)
T1163 | Rc.common | mitre_t1163_rc_common (https://attack.mitre.org/techniques/T1163)
T1164 | Re-opened Applications | mitre_t1164_re_opened_apps (https://attack.mitre.org/techniques/T1164)
T1108 | Redundant Access | mitre_t1108_redundant_access (https://attack.mitre.org/techniques/T1108)
T1060 | Registry Run Keys / Startup Folder | mitre_t1060_reg_run_keys (https://attack.mitre.org/techniques/T1060)
T1121 | Regsvcs/Regasm | mitre_t1121_regsvcs_regasm (https://attack.mitre.org/techniques/T1121)
T1117 | Regsvr32 | mitre_t1117_regsvr32 (https://attack.mitre.org/techniques/T1117)
T1219 | Remote Access Software | mitre_t1219_remote_access_software (https://attack.mitre.org/techniques/T1219)
T1076 | Remote Desktop Protocol | mitre_t1076_remote_desktop_proto (https://attack.mitre.org/techniques/T1076)
T1105 | Ingress Tool Transfer | mitre_t1105_ingress_tool_transfer (https://attack.mitre.org/techniques/T1105)
T1021 | Remote Services | mitre_t1021_remote_services (https://attack.mitre.org/techniques/T1021)
T1563 | Remote Service Session Hijacking | mitre_t1563_remote_svc_session_hijack (https://attack.mitre.org/techniques/T1563)
T1018 | Remote System Discovery | mitre_t1018_remote_sys_discovery (https://attack.mitre.org/techniques/T1018)
T1091 | Replication Through Removable Media | mitre_t1091_replication_thru_removable_media (https://attack.mitre.org/techniques/T1091)
T1496 | Resource Hijacking | mitre_t1496_resource_hijacking (https://attack.mitre.org/techniques/T1496)
T1014 | Rootkit | mitre_t1014_rootkit (https://attack.mitre.org/techniques/T1014)
T1085 | Rundll32 | mitre_t1085_rundll32 (https://attack.mitre.org/techniques/T1085)
T1494 | Runtime Data Manipulation | mitre_t1494_runtime_data_manip (https://attack.mitre.org/techniques/T1494)
T1053 | Scheduled Task or Job | mitre_t1053_scheduled_task_or_job (https://attack.mitre.org/techniques/T1053)
T1029 | Scheduled Transfer | mitre_t1029_scheduled_transfer (https://attack.mitre.org/techniques/T1029)
T1113 | Screen Capture | mitre_t1113_screen_cap (https://attack.mitre.org/techniques/T1113)
T1180 | Screensaver | mitre_t1180_screensaver (https://attack.mitre.org/techniques/T1180)
T1064 | Scripting | mitre_t1064_scripting (https://attack.mitre.org/techniques/T1064)
T1063 | Security Software Discovery | mitre_t1063_sec_software_discovery (https://attack.mitre.org/techniques/T1063)
T1101 | Security Support Provider | mitre_t1101_security_support_provider (https://attack.mitre.org/techniques/T1101)
T1167 | Securityd Memory | mitre_t1167_securityd_memory (https://attack.mitre.org/techniques/T1167)
T1505 | Server Software Component | mitre_t1505_server_software_component (https://attack.mitre.org/techniques/T1505)
T1035 | Service Execution | mitre_t1035_service_execution (https://attack.mitre.org/techniques/T1035)
T1058 | Service Registry Permissions Weakness | mitre_t1058_service_reg_perms_weakness (https://attack.mitre.org/techniques/T1058)
T1489 | Service Stop | mitre_t1489_service_stop (https://attack.mitre.org/techniques/T1489)
T1166 | Setuid and Setgid | mitre_t1166_setuid_and_setgid (https://attack.mitre.org/techniques/T1166)
T1051 | Shared Webroot | mitre_t1051_shared_webroot (https://attack.mitre.org/techniques/T1051)
T1023 | Shortcut Modification | mitre_t1023_shortcut_mod (https://attack.mitre.org/techniques/T1023)
T1178 | SID-History Injection | mitre_t1178_sid_history_inject (https://attack.mitre.org/techniques/T1178)
T1218 | Signed Binary Proxy Execution | mitre_t1218_signed_binary_proxy_exec (https://attack.mitre.org/techniques/T1218)
T1216 | Signed Script Proxy Execution | mitre_t1216_signed_script_proxy_exec (https://attack.mitre.org/techniques/T1216)
T1198 | SIP and Trust Provider Hijacking | mitre_t1198_sip_and_trust_provider_hijacking (https://attack.mitre.org/techniques/T1198)
T1072 | Software Deployment Tools | mitre_t1072_software_deployment_tools (https://attack.mitre.org/techniques/T1072)
T1518 | Software Discovery | mitre_t1518_software_discovery (https://attack.mitre.org/techniques/T1518)
T1045 | Software Packing | mitre_t1045_software_packaging (https://attack.mitre.org/techniques/T1045)
T1153 | Source | mitre_t1153_source (https://attack.mitre.org/techniques/T1153)
T1151 | Space after Filename | mitre_t1151_space_after_filename (https://attack.mitre.org/techniques/T1151)
T1193 | Spearphishing Attachment | mitre_t1193_spearphishing_attachment (https://attack.mitre.org/techniques/T1193)
ID Name Link to Technique Details
T1192 Spearphishing Link mitre_t1192_spearphishing_link (https://attack.mitre.org/techniques/T1192)
T1194 Spearphishing via Service mitre_t1194_spearphishing_via_service (https://attack.mitre.org/techniques/T1194)
T1184 SSH Hijacking mitre_t1184_ssh_hijacking (https://attack.mitre.org/techniques/T1184)
T1071 Standard Application Layer Protocol mitre_t1071_stnd_app_layer_proto (https://attack.mitre.org/techniques/T1071)
T1032 Standard Cryptographic Protocol mitre_t1032_stnd_crypt_layer_proto (https://attack.mitre.org/techniques/T1032)
T1165 Startup Items mitre_t1165_startup_items (https://attack.mitre.org/techniques/T1165)
T1558 Steal or Forge Kerberos Tickets mitre_t1558_steal_or_forge_kerberos_tickets (https://attack.mitre.org/techniques/T1558)
T1492 Stored Data Manipulation mitre_t1492_stored_data_manip (https://attack.mitre.org/techniques/T1492)
T1553 Subvert Trust Controls mitre_t1553_subvert_trust_controls (https://attack.mitre.org/techniques/T1553)
T1169 Sudo mitre_t1169_sudo (https://attack.mitre.org/techniques/T1169)
T1206 Sudo Caching mitre_t1206_sudo_caching (https://attack.mitre.org/techniques/T1206)
T1195 Supply Chain Compromise mitre_t1195_supply_chain_compromise (https://attack.mitre.org/techniques/T1195)
T1019 System Firmware mitre_t1019_system_firmware (https://attack.mitre.org/techniques/T1019)
T1082 System Information Discovery mitre_t1082_sys_inf_discovery (https://attack.mitre.org/techniques/T1082)
T1016 System Network Configuration Discovery mitre_t1016_sys_net_config_discovery (https://attack.mitre.org/techniques/T1016)
T1049 System Network Connections Discovery mitre_t1049_sys_network_connections_discovery (https://attack.mitre.org/techniques/T1049)
T1033 System Owner/User Discovery mitre_t1033_sys_owner_or_usr_discovery (https://attack.mitre.org/techniques/T1033)
T1569 System Services mitre_t1569_sys_svs (https://attack.mitre.org/techniques/T1569)
T1007 System Service Discovery mitre_t1007_sys_service_discovery (https://attack.mitre.org/techniques/T1007)
T1124 System Time Discovery mitre_t1124_sys_time_discovery (https://attack.mitre.org/techniques/T1124)
T1501 Systemd Service mitre_t1501_systemd_service (https://attack.mitre.org/techniques/T1501)
T1080 Taint Shared Content mitre_t1080_taint_shared_content (https://attack.mitre.org/techniques/T1080)
T1221 Template Injection mitre_t1221_template_inject (https://attack.mitre.org/techniques/T1221)
T1209 Time Providers mitre_t1209_time_providers (https://attack.mitre.org/techniques/T1209)
T1099 Timestomp mitre_t1099_timestomp (https://attack.mitre.org/techniques/T1099)
T1493 Transmitted Data Manipulation mitre_t1493_transmitted_data_manip (https://attack.mitre.org/techniques/T1493)
T1154 Trap mitre_t1154_trap (https://attack.mitre.org/techniques/T1154)
T1127 Trusted Developer Utilities Proxy Execution mitre_t1127_trusted_developer_util_proxy_exec (https://attack.mitre.org/techniques/T1127)
T1199 Trusted Relationship mitre_t1199_trusted_relationship (https://attack.mitre.org/techniques/T1199)
T1111 Two-Factor Authentication Interception mitre_t1111_two_factor_auth_intercept (https://attack.mitre.org/techniques/T1111)
T1065 Uncommonly Used Port mitre_t1065_uncommonly_used_port (https://attack.mitre.org/techniques/T1065)
T1552 Unsecured Credentials mitre_t1552_unsecure_creds (https://attack.mitre.org/techniques/T1552)
T1550 Use Alternate Authentication Material mitre_t1550_use_alt_auth_material (https://attack.mitre.org/techniques/T1550)
T1204 User Execution mitre_t1204_user_execution (https://attack.mitre.org/techniques/T1204)
T1078 Valid Accounts mitre_t1078_valid_accounts (https://attack.mitre.org/techniques/T1078)
T1125 Video Capture mitre_t1125_video_capture (https://attack.mitre.org/techniques/T1125)
T1497 Virtualization/Sandbox Evasion mitre_t1497_virtualization_or_sandbox_evasion (https://attack.mitre.org/techniques/T1497)
T1102 Web Service mitre_t1102_web_service (https://attack.mitre.org/techniques/T1102)
T1100 Web Shell mitre_t1100_web_shell (https://attack.mitre.org/techniques/T1100)
T1077 Windows Admin Shares mitre_t1077_win_admin_shares (https://attack.mitre.org/techniques/T1077)
T1047 Windows Management Instrumentation mitre_t1047_win_mgmt_instru (https://attack.mitre.org/techniques/T1047)
T1084 Windows Management Instrumentation Event Subscription mitre_t1084_mgmt_instru_evt_subscription (https://attack.mitre.org/techniques/T1084)
T1028 Windows Remote Management mitre_t1028_win_remote_mgmt (https://attack.mitre.org/techniques/T1028)
T1004 Winlogon Helper DLL mitre_t1004_winlogon_helper_dll (https://attack.mitre.org/techniques/T1004)
T1220 XSL Script Processing mitre_t1220_xsl_script_processing (https://attack.mitre.org/techniques/T1220)
Live Query
With Live Query, you can ask questions of endpoints and quickly identify areas for improved security and IT
hygiene. You can run recommended queries created by Carbon Black security experts or craft your own SQL
queries. Live Query is powered by osquery (https://osquery.io/), an open source project that exposes endpoint
data through an SQLite interface. Access is dependent on user role authorization.
See the supported operating systems and sensors you can use with Live Query.
Live Query overview:
Run a recommended query
Create a SQL query
View query results
Remediate with Live Response
Recommended queries
Queries recommended by Carbon Black security experts are listed by category. A description is included
along with the recommended run frequency. Click the + icon to see the full SQL.
To get started:
1. View recommended queries by selecting a category.
2. Use the search and OS filter to further refine the list.
3. Choose whether to be notified when a query is completed.
4. Select a policy or endpoints. The default selection is all endpoints.
5. Click Schedule to schedule a query to run daily, weekly, or monthly.
6. Click Run to start a one-time query.
View the query status and results on the Query Results page.
SQL Query
If you're familiar with SQL, click the SQL Query tab to create more granular queries.
For assistance writing valid SQL, view Intro to SQL
(https://osquery.readthedocs.io/en/stable/introduction/sql/), osquery Tables
(https://osquery.io/schema/3.3.0) or visit the Query Exchange (https://community.carbonblack.com/t5/CB-
LiveOps-Knowledge/The-Query-Hub/ta-p/67631) for queries from Carbon Black security experts and other
Live Query users.
To get started:
1. Name your query.
2. Select a policy or endpoints. The default selection is all endpoints.
3. Type or paste your SQL query into the text box.
4. Select Schedule query to schedule a query to run daily, weekly, or monthly.
5. Select Email me a summary of query results to be notified with results when a query is completed.
6. Click Run to start the query.
View the query status and results on the Query Results page.
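The following is an added example, not a query from the Carbon Black guide or from the Query Exchange, and it serves both the recommended-query and SQL Query procedures above. It shows the kind of osquery SQL you would paste into the SQL Query text box: a hygiene check that joins osquery's processes and listening_ports tables to find programs accepting connections on all interfaces while running from a temporary or per-user directory. Because osquery exposes the endpoint through an SQLite interface, the same query text can be exercised offline against an in-memory SQLite database loaded with constructed rows, which is what the Python below does. The table and column names are osquery's; the rows, PIDs and paths are made up.

```python
"""Added example, not from the Carbon Black guide: an osquery-style Live Query
exercised offline against an in-memory SQLite stand-in for two osquery tables."""
import sqlite3

# Query text exactly as it would be pasted into the Live Query SQL box. It uses
# only columns that exist in osquery's processes and listening_ports tables:
# programs accepting connections on every interface while running from a
# temporary or per-user directory, which is where droppers usually land.
QUERY = """
SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.address IN ('0.0.0.0', '::')
  AND lp.port <> 0
  AND (p.path LIKE '%\\Temp\\%'          -- Windows temp directories
       OR p.path LIKE '%\\AppData\\%'     -- per-user profile directories
       OR p.path LIKE '/tmp/%'            -- world-writable Unix directories
       OR p.path LIKE '/dev/shm/%')
ORDER BY lp.port;
"""

# Constructed sample rows (pid, name, path, cmdline, uid); not from any real endpoint.
PROCESSES = [
    (412, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k RPCSS", 0),
    (2210, "update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe", 1001),
    (3377, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", 0),
    (4410, "agent", "/tmp/.x/agent", "/tmp/.x/agent -l 8080", 1000),
]

# Constructed sample rows (pid, port, protocol, family, address).
LISTENING_PORTS = [
    (412, 135, 6, 2, "0.0.0.0"),
    (2210, 4444, 6, 2, "0.0.0.0"),
    (2210, 0, 17, 2, "0.0.0.0"),   # port 0 sockets are noise; the query drops them
    (3377, 22, 6, 2, "0.0.0.0"),
    (4410, 8080, 6, 10, "::"),
]


def build_db():
    """Create the SQLite stand-in with osquery's column names and load the rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT, uid INTEGER)")
    con.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, family INTEGER, address TEXT)")
    con.executemany("INSERT INTO processes VALUES (?, ?, ?, ?, ?)", PROCESSES)
    con.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?, ?)", LISTENING_PORTS)
    return con


def run_query(query=QUERY):
    """Run the Live Query text against the stand-in and return the matching rows."""
    con = build_db()
    try:
        return con.execute(query).fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    for pid, name, path, port, proto, addr in run_query():
        print(f"pid={pid} {name} ({path}) listening on {addr}:{port}/{'tcp' if proto == 6 else 'udp'}")
```

Against the constructed rows only update.exe (port 4444, from a Temp directory) and agent (port 8080, from /tmp) are returned; svchost.exe and sshd listen on all interfaces too but run from system locations. When you submit the real query through Live Query, the path filters are where tuning happens: add the directories your own software legitimately runs from, and keep the port 0 exclusion, which removes sockets osquery reports without a bound port.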
Supported Operating Systems
Live Query currently supports the following 64-bit operating systems:
Windows 7+
macOS 10.10+
RHEL/CentOS 6+
Ubuntu 16+
SUSE 12+
AWS Linux 2+
For a complete list of supported Linux distributions, see the User Exchange
(https://community.carbonblack.com/t5/CB-LiveOps-Knowledge/Getting-Started-Live-Query/ta-p/44147). The
3.4+ sensor is required for Windows, the 3.3+ sensor for macOS, and the 2.3+ sensor for Linux.
Query Results
Query results are available when devices start to respond. The wait time for results depends on the query
type and complexity, whether devices are online, and when each sensor last checked in. Queries run for up to 7
days, unless scheduled to run more frequently. Results are available for 30 days.
Queries are grouped by One-Time and Scheduled queries.
One-Time Queries
One-time queries display the query start-time, query name, devices responded, user who ran the query, and
query status. Click the symbol next to the query name for more details.
In the Actions column, click the dropdown arrow to Stop (if applicable), Rerun, Duplicate, or Delete a
query.
Scheduled Queries
Scheduled queries display the last run time/date, query name, policy/endpoints, frequency, and run time.
Click the symbol next to the query name for more details. In the Actions column, click the dropdown arrow
to Edit, Stop schedule, or Delete a query.
Click the caret to the left of the query name to view scheduled queries that are still running or completed.
Each query displays the query start-time, devices responded, and status. In the Actions column, click the
Stop button (if applicable) to stop a query or the X icon to delete the query.
View results
To view the results of a query, click the hyperlinked query name. Click the icon next to the query name for
more details about the query, including the targeted policies, endpoints, and the full query SQL.
You can view results from either the Results or Devices view. In each view, click the Take Action button to
Stop (if applicable), Rerun, Duplicate, or Delete a query.
In the Results view, you will see if devices have responded to your query. The Response and Device
filters are always present. Other filters are generated based on your query. Click Export to download
the data as a CSV file.
In the Devices view, you will see the status of your query on each device. The Status, Device, and
Time columns are always present. Other columns are generated based on your query.
Live Response
In the Results view, you can access Live Response to directly remediate threats by remotely accessing a
user’s machine. Click the Live Response symbol >_ to the right of each device name to get started.
If the icon is grayed out, the device is not connected to the network and cannot be accessed by Live
Response.
Policies
Overview
A policy is a group of rules that determines preventive behavior. Each endpoint sensor, or sensor group, is
assigned to a policy.
Manage Policies
Add, edit, and copy policies
About built-in policies
About ransomware
Policy Rules and Settings
Create prevention policy rules
Create AV exclusion rules
Linux prevention capabilities
General policy settings
Local scan settings
Enable background scan
Windows background scan file types
macOS background scan file types
Enable WSC integration
Add, edit, and copy policies
Use the general policy settings and local scan settings tables to better understand the policy options
available.
To add a new policy
1. Click New Policy.
2. Enter General information about the policy.
3. Click the Prevention, Local Scan, and Sensor tabs and configure the policy settings. Click Add.
To edit policy settings
1. Select a policy and modify its configuration as needed.
2. Click Save.
To copy a policy
1. Select a policy.
2. Open Blocking and Isolation and click the copy icon below the rule.
3. Click All Policies to copy the rule to all policies, or click Select Policies to search for and select specific
policies. You can select multiple policies, one at a time.
4. Click Copy. You will receive a confirmation message that the policies are updated.
Note: If the rule you are copying conflicts with any rules in a destination policy, a modal will let you manage
the rule conflicts. You can replace or skip a specific rule, or you can replace or skip all conflicting rules at
once by selecting the Apply selection to all conflicts checkbox.
About built-in policies
Built-in Carbon Black Cloud policies are devised as templates for common use cases. You can assign sensors
to these policies, change the policy settings, or duplicate the settings to create a new policy. Built-in policies
cannot be deleted.
Standard policy
Blocks known and suspected malware and prevents risky operations like memory scraping and code
injections. Newly deployed sensors are assigned this policy by default. It is the recommended starting point
for new deployments.
Tip: Review and refine the Standard policy rules to avoid unnecessary blocks or false positives that are
triggered by in-house or custom software applications, which may have reputations that the Carbon Black
Cloud does not recognize.
Monitored policy
Monitors endpoint application activity and logs events to the Dashboard. This policy has no preventive
capabilities.
Tip: Use the data that this policy provides to evaluate policy rule implementation needs.
Advanced policy
Extends the capabilities of the Standard policy by also blocking operations performed by system utilities and
preventing riskier behaviors; these additional rules are more likely to produce false positives.
Tip: Use a phased roll-out approach to implement any new or Advanced policy rules. We recommend
assigning Advanced policies to a group of pilot endpoints, and watching for false positives or blocks on
legitimate software before rolling them out to more endpoints.
About ransomware
Ransomware policy rules
We recommend that rules for suspected malware, PUP, not-listed, and unknown reputations be added to
your policies for protection against ransomware.
To set a ransomware policy rule
1. Click the policy to edit.
2. In either Permissions or Blocking and Isolation, select Add Application Path, enter the application
path, and then select Performs ransomware-like behavior.
3. Click Confirm, then click Save.
Note: The only available action for Performs ransomware-like behavior is Terminate process. This is
because denying ransomware access to the first file that an application tries to encrypt would not prevent it
from attempting future encryption operations.
About ransomware
The most secure ransomware policy is a default deny posture that prevents all applications except those
that are specifically approved from performing ransomware-like behavior. This policy requires tuning to
handle false positives that are generated by applications whose legitimate activity mimics ransomware
operations. The advantage of the default deny policy is protection from ransomware behaviors that
originated from compromised applications that have a higher reputation (such as TRUSTED_WHITE_LIST),
without listing all possible applications.
You should extensively test default deny policies on a single host before you apply the policy rules to
production systems. After you have addressed false positives, perform a gradual rollout. Leave a few days
between adding each group of endpoints, to address any new false positives. If good software is being
terminated by ransomware-like behavior rules, approve the application.
Microsoft PowerShell and Python are popular targets for abuse on Windows and macOS, but any command
interpreter that can receive code as part of its command line is a potential source of malicious activity. For
stronger protection, consider including path-based rules for script interpreters.
Note: Custom policies supersede objects/hashes added to the company approved or banned lists.
General policy settings
Configure your policy settings to take certain preventative actions. Use the local scan settings to configure
associated local scanner settings for the selected policy.
Item Description
Allow user to disable protection
If selected, the Carbon Black Cloud sensor is displayed with a Protection on/off toggle, which lets the end user place the sensor in bypass mode. This option is grayed out unless you enable Show Sensor UI: Detail message.
The Protection toggle only displays on single-user operating systems. The Protection toggle does not display on terminal servers.
This setting applies to version 2.x and later sensors only. The users' ability to disable protection cannot be removed from 1.0.x sensors.
Auto-delete known malware after...
This option enables the Carbon Black Cloud to automatically delete known malware after a specified period of time. This setting applies to macOS sensor version 3.2.2 or later, or Windows sensor version 3.2.1 or later.
Create MD5 hash
Select this option to maintain MD5 hashes in logs. This option has no effect on the security efficacy of the Carbon Black Cloud. Deselecting this option prevents the Carbon Black Cloud from logging MD5 hashes. For best performance, do not select this option. This setting applies to version 2.0 and later sensors only. 1.0 sensors always create MD5 hashes.
Delay Execute for Cloud Scan
This option specifies whether the Carbon Black Cloud delays the invocation of an executable until reputation information can be retrieved from the backend, if the local scan returns an indefinite result. This is a recommended setting. This setting applies to Windows version 2.0 and later sensors only.
Enable Live Response
Select this option to enable Live Response for this policy. This setting applies to version 3.0 and later sensors only.
Enable private logging level
Script files that have unknown reputations are uploaded unless this option is selected. This option also removes potentially sensitive details from the events that are uploaded. This includes:
Redacting command-line arguments
Obfuscating document file names
Not resolving IP addresses to correlating domain names
Policy Name
A unique policy name.
Policy Description
The policy description.
Require code to uninstall sensor
Select this option to password-protect the action of uninstalling a sensor from an endpoint. If it is enabled, no user can uninstall a sensor that belongs to this policy without providing a deregistration code. This setting applies to version 3.1 and later sensors only.
Run background scan
If selected, the sensor will perform an initial, one-time inventory scan in the background to identify malware files that were pre-existing on the endpoint. Using this feature helps increase malware blocking efficacy for files that were pre-existing on the endpoint before the sensor installation.
The standard background scan takes 3-5 days to complete (depending on number of files on the endpoint). It runs in low-priority mode to consume low system resources. This is the recommended scan.
The expedited scan option takes 24 hours to complete, and is only recommended for testing and emergency incidents. System performance is affected. Expedited scanning only applies to Windows sensors version 3.3 and later.
The sensors invoke the background scan one time upon deployment. The current background scan state is logged to the NT Event Log or syslog together with the "BACKGROUND_SCAN" tag.
Scan execute on network drives
If selected, the sensor will scan files on network drives upon EXECUTE. This setting applies to version 2.0 and later sensors only. 1.0 sensors always scan network drives upon execute.
Scan files on network drives
If selected, the sensor will scan files on network drives upon READ. The default value for this setting is false. For best performance, deselect this setting.
Sensor UI: Detail message
Select this option to show the sensor UI on the endpoint. You can enter a message that displays on the sensor pop-up dialog. Mail-to links are supported. You can enter HTML markup as part of the text used in the sensor UI. If an HTML hyperlink is entered, the protocol (such as HTTP) is used in the link.
For example: "http://www.google.com"
Submit unknown binaries for analysis
Select this option to enable the upload of unknown binaries for Cloud Analysis by Carbon Black and a third-party. This setting applies to version 3.2 and later sensors only.
Target Value
The selected target value that is associated with this policy. Values are: Low, Medium, High, and Mission Critical.
Use Windows Security Center
Select this option to set the Carbon Black Cloud as the endpoints' antivirus protection software in conjunction with Windows Security Center. This setting applies to Windows version 2.10 and later sensors only.
Local scan settings
Configure local scan settings for a selected policy to enable the local scanner and control signature updates.
Title Description
Scanner Config
On-Access File Scan Mode:
Disabled - No scanning of files occurs.
Normal - Scans new files (exes, dlls, scripts) on the first execute of that file (determined by hash).
Aggressive - Scans all files on execute. The assigned reputation and policy rules apply.
Signature Updates
Allow Signature Updates:
Enabled - Enables signature updates for the scanner.
Disabled - Disables signature updates for the scanner.
Frequency - Select how often the sensor checks in for signature pack updates using the specified update server.
Staggered Update Randomization Window - Set a random window for staggered updates.
Update Servers for Internal Devices
Lets you add update servers for internal devices. You can use the default mirror infrastructure
(http://updates.cdc.carbonblack.io/update) or use the provided field to enter your own mirror device URL.
Update Servers for Offsite Devices
Lets you add update servers for offsite devices. You can use the default mirror infrastructure
(http://updates.cdc.carbonblack.io/update) or use the provided field to enter your own mirror device URL.
Create prevention policy rules
Permission rules
Blocking and Isolation rules
USB device blocking
Upload paths
Using wildcards in paths
Permission rules
Use permission rules to allow and log behavior, or to have the Carbon Black Cloud bypass a path entirely.
Create permissions rules to set up exclusions for other AV/security products or to remove impediments for
software developers' workstations.
To create or edit a permissions rule
1. Select a policy, then click the Prevention tab and open Permissions.
2. Click Add application path, or click the pencil icon next to an existing rule to edit it.
3. Type the application path in the text box. You can add multiple paths, delete paths or use wildcards.
When adding multiple paths, each path must start on a new line. Do not separate with commas. You
can delete a rule by clicking the trash can icon.
4. Select the desired Operation Attempt and Action attributes, click Confirm, then Save.
Tips:
You can copy a rule from one policy to another policy, or to all policies.
Operating system environment variables can be used as part of a path in a policy rule, for example
%WINDIR%.
Blocking and Isolation rules
To create or edit a blocking and isolation rule
1. Click a policy, then click the Prevention tab and open Blocking and Isolation.
2. Click Add application path, or click the pencil icon next to an existing rule to edit it. If you are adding
an application path, use wildcards to create flexible policy rules. You can add multiple paths separated
by commas. You can delete a rule by clicking the trash can icon.
3. Select the desired Operation Attempt and Action attributes, then click Confirm. If you set the action
to Terminate process, you cannot concurrently deny the operation. Click Save.
USB device blocking
To block access to all unapproved USB devices:
1. On the Policies page, click the Prevention tab, and open USB Device Blocking.
2. Turn on blocking by selecting Block access to all unapproved USB devices.
3. Copy the same setting to all policies or a specific policy by clicking Copy setting to other policies.
Note: USB device blocking is only available for Windows sensors 3.6+.
Upload paths
To deny or allow an upload path
1. Click a policy, then click the Prevention tab and open Uploads at the bottom of the page.
2. Type the application path into one of the text boxes:
No Upload to deny the sensor from sending uploads from the path
Upload to allow the sensor to send uploads from the path
You can add multiple paths (each path must start on a new line), use wildcards, or delete paths. Do not
separate with commas.
3. Click Save.
Using wildcards in paths
When adding a path, you can use wildcards to target certain files or directories.
Wildcard Description Example
* Matches 0 or more consecutive characters up to a single subdirectory level.
Example: C:\program files*\custom application\*.exe
Matches any executable files in c:\program files\custom application\ and c:\program files (x86)\custom application\
** Matches a partial path across all subdirectory levels and is recursive.
Example: C:\Python27\Lib\site-packages\**
Matches any files in that directory and all subdirectories.
? Matches 0 or 1 character in that position.
Example: C:\Program Files\Microsoft Visual Studio 1?.0\**
Matches any files in the MS Visual Studio version 1 or versions 10-19.
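The following is an added example, not code from the Carbon Black guide or the sensor. It is a small Python matcher that implements the three wildcard rules in the table above plus the environment-variable expansion mentioned under Permission rules, and evaluates constructed paths against the guide's own example rules so you can sanity-check a rule before you save it. It assumes case-insensitive matching and that either slash is a separator, as Windows does; the sensor's exact algorithm is not documented here, so treat a disagreement between this matcher and the console as a reason to test the rule on a pilot endpoint.

```python
"""Added example, not Carbon Black code: a matcher for the wildcard rules the
guide documents for policy rule paths, used to sanity-check a rule before
saving it. Assumptions: matching is case-insensitive and either slash is a
separator, as on Windows; the sensor's exact algorithm is not documented here."""
import re

SEP = r"[\\/]"            # one path separator, either style
NOT_SEP = r"[^\\/]"       # one character that is not a separator


def rule_to_regex(rule, env=None):
    """Translate a policy path rule into a compiled regular expression.

    *      0 or more characters within a single directory level
    **     any characters across all subdirectory levels (recursive)
    ?      0 or 1 character in that position
    %NAME% expanded from env, standing in for the OS environment variables
           the guide says may appear in a rule (for example %WINDIR%)
    """
    env = {k.upper(): v for k, v in (env or {}).items()}
    rule = re.sub(r"%([^%\\/]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), rule)
    parts = []
    i = 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        ch = rule[i]
        if ch == "*":
            parts.append(NOT_SEP + "*")
        elif ch == "?":
            parts.append(NOT_SEP + "?")
        elif ch in "\\/":
            parts.append(SEP)
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def path_matches(rule, path, env=None):
    """True if the whole path is covered by the rule."""
    return rule_to_regex(rule, env).fullmatch(path) is not None


# The guide's three table examples plus one using an environment variable.
EXAMPLES = {
    "single_level": r"C:\program files*\custom application\*.exe",
    "recursive": r"C:\Python27\Lib\site-packages\**",
    "optional_char": r"C:\Program Files\Microsoft Visual Studio 1?.0\**",
    "env_var": r"%WINDIR%\System32\*.dll",
}


def check_examples(env=None):
    """Evaluate constructed paths against EXAMPLES; returns {(rule, path): matched}."""
    env = env if env is not None else {"WINDIR": r"C:\Windows"}
    paths = [
        ("single_level", r"C:\Program Files (x86)\Custom Application\app.exe"),
        ("single_level", r"C:\Program Files\Custom Application\sub\app.exe"),   # * stops at a separator
        ("recursive", r"C:\Python27\Lib\site-packages\requests\api.py"),
        ("optional_char", r"C:\Program Files\Microsoft Visual Studio 14.0\VC\bin\cl.exe"),
        ("optional_char", r"C:\Program Files\Microsoft Visual Studio 140.0\VC\bin\cl.exe"),
        ("env_var", r"C:\Windows\System32\kernel32.dll"),
        ("env_var", r"C:\Windows\System32\drivers\foo.dll"),
    ]
    return {(name, path): path_matches(EXAMPLES[name], path, env) for name, path in paths}


if __name__ == "__main__":
    for (name, path), matched in check_examples().items():
        print(f"{name:14} {'MATCH   ' if matched else 'no match'} {path}")
```

The two negative cases are the ones worth remembering when writing permission or bypass rules: a single `*` never crosses into a subdirectory, so an exclusion such as `...\custom application\*.exe` silently misses binaries one level down, and `1?.0` accepts `1.0` through `19.0` but not `140.0`. If you need the whole tree, end the rule with `\**`.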
Create AV exclusion rules
Other AV products used in your organization will require custom rules to be permitted to run as usual.
1. On the Policies page, select the Prevention tab, then open Permissions.
2. Select the policy to update, then click Add application path.
3. Enter the AV's recommended file/folder exclusions from the security vendor.
4. Set the operation attempt Performs any operation to Bypass.
5. Click Confirm, then Save.
If you also use other security products, use the following to create exclusions for the Carbon Black Cloud
Endpoint Standard (formerly Defense) sensor:
Endpoint Standard on Windows:
C:\Program Files\Confer
C:\ProgramData\CarbonBlack
C:\Windows\System32\drivers\ctifile.sys
C:\Windows\System32\drivers\ctinet.sys
Endpoint Standard on macOS:
/Applications/Confer.app/
Endpoint Standard on Linux platforms:
/var/opt/carbonblack/
/opt/carbonblack/
Note: Some security vendors may require a trailing asterisk (*) to signify all directory contents.
Linux prevention capabilities
The Linux 2.7.0 sensor supports essential malware prevention capabilities for RHEL and CentOS 6/7.
See Supported Linux Distributions (https://community.carbonblack.com/t5/Documentation-
Downloads/Carbon-Black-Cloud-sensor-Linux-sensor-support/tac-p/76214#M2251).
Blocking and Isolation rules for Linux
Linux 2.7.0 sensor supported prevention capabilities are indicated by the Linux icon on the Prevention tab.
Only the Runs or is running operation attempt is actionable on Linux endpoints for these rules. If a policy
includes other selections which are not available for Linux, those selections will only apply to the Windows or
macOS endpoints assigned to the policy.
Known malware
When selected for the policy, the Linux sensor will apply either a Deny operation or Terminate process
policy action, as selected, when a process runs or is running with the reputation of KNOWN_MALWARE.
Application on the company banned list
When selected for the policy, the Linux sensor will apply either a Deny operation or Terminate process
policy action, as selected, when a process runs or is running with the reputation of COMPANY_BLACK_LIST.
Hashes can be added to the company banned list manually on the Reputation page, or throughout the
console when the option is provided.
Note: Linux sensor v2.7.0 also supports adding hashes to the company approved list. This can be done
manually on the Reputation page, or throughout the console when the option is provided.
Enable background scan
Background scan is enabled per policy. The background scan runs after initial install according to policy
setting.
To enable background scan
1. Click a policy. On the Sensor tab, select the Run background scan box.
2. Click Save.
3. The sensor will perform an initial, one-time inventory scan in the background to identify malware les
that were pre-existing on the endpoint.
About background scans
Standard background scans take 3-5 days to complete and run in low-priority mode to consume low system
resources.
Expedited scans takes 24 hours to complete and are only recommended for testing and emergency
incidents as system performance is a ected. Expedited scanning only applies to Windows sensors version
3.3+.
See a list of Windows background scan file types and MacOS background scan file types to identify which
types of files will be scanned by the sensor.
Note: The current background scan state is logged to the NT Event Log or syslog together with the
"BACKGROUND_SCAN" tag. RepMgr logs status on each start and then every 24 hours. Scan completed
status message is “BACKGROUND_SCAN: COMPLETE.”
MacOS background scan file types
The macOS sensor relies on both file magic header detection and file extensions to determine file types to
be scanned by the background scan. Magic header detection is used when a file has no extension or an
arbitrary (obfuscated) extension.
Binary files
Data files
Installer files
Script files
Windows script files by extension only
Binary files
Apple executables
Apple driver extensions
Apple dynamic libraries
Windows executables
Windows dynamic libraries
Data files
Adobe PDF
MS Office
Open Office
Installer files
Apple installers (DMG, PKG)
by extension only: Windows MSI files, Android APK installers
Script files
java (class and jar)
Perl
Python
PHP
Ruby
Shell
Applescript
Any other script files with "#!" file header indicating interpreter association
Windows script files by extension only
bat
chm
cmd
com
hta
inf
ins
isp
ocx
reg
vb
vbe
vbs
ws
wsf
wsh
ps1
ps1xml
psc1
psd1
psm1
Windows background scan file types
The following file types are scanned during a background scan on Windows endpoints.
Binary files
Calendar files
Contacts files
Corp files
Data files
Email files
Script files
User files
Binary files
dll
exe
sys
drv
scr
pif
ex_
Calendar files
ics
icbu
cal
ical
wcd
dba
Contacts files
wab
pab
mab
contact
mml
vcf
aba
na2
ldif
abbu
aby
olk
Corp files
pdf
pps
ppsm
ppsx
ppt
pptm
pptx
rtf
swf
xls
xlsx
xlsm (not yet added)
xlsb (not yet added)
dme
frm
ldf
mdb
mdf
myd
myi
ndf
opt
Data files
pdf
Email files
dbx
mbx
ost
pst
snm
toc
edb
oeb
Script files
com
hta
inf
ins
isp
jar
msi
ocx
pl
py
reg
vb
vbe
vbs
ws
wsf
wsh
ps1
ps1xml
psc1
psd1
psm1
User files
tax
iif
Enable WSC integration
Windows Security Center integration
Windows Security Center (WSC) requires Windows devices to have an antivirus provider. The Carbon Black
Cloud is a Microsoft-certified antivirus provider for WSC.
You can integrate the Carbon Black Cloud with WSC and designate the Carbon Black Cloud as your antivirus
provider on devices that are running Windows 7 or later operating systems. You must be using a Carbon
Black Cloud sensor version 2.1.0.11+. When enabled, the Carbon Black Cloud is listed as the antivirus
provider on the device.
Enable WSC integration
The WSC integration is enabled by default via the Use Windows Security Center policy setting on the
Standard, Monitored, and Advanced built-in policies.
When creating custom policies, you can manually enable the WSC integration if it is not pre-selected.
1. Click Enforce, then Policies.
2. Click the policy name in the policy list on which you want to enable WSC.
3. On the Sensor tab, select the checkbox for Use Windows Security Center, then click Save. All sensors
in the selected policy will be integrated with WSC.
Disable WSC integration
1. Click Enforce, then Policies.
2. Click the policy name in the policy list on which you want to disable WSC.
3. Deselect the checkbox for Use Windows Security Center, then click Save. All sensors in the selected
policy will no longer be integrated with WSC.
Note: End users can disable or enable the WSC integration on their device through Security and
Maintenance in the Control Panel.
Manage reputations
A reputation is the level of trust or distrust that is given to an application. Carbon Black reputations are
based on multiple sources of known good and known bad reputations.
Assign reputations
Approve IT tools and certs
Reputation reference
Important: VMware Carbon Black is replacing the terms blacklist and whitelist with banned list and
approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.
Assign reputations
Assign a reputation to an application to identify its level of trust or distrust.
To assign reputations by hash
1. Click Add and select Hash as the type.
2. Select Approved List or Banned List, as appropriate. You can also configure an automatic banned list.
3. Enter the required data, then click Save.
To manage reputations for multiple applications by adding hash
1. Click Upload.
2. Expand File Format to see the .csv file format that is allowed.
3. Click Select to browse to the .csv file, then click Upload.
Note: MD5 is not supported; the hash must be in SHA-256 format. A row requires six or more fields. Leave an
empty field blank between its delimiting commas, so a row whose third and fifth fields are empty is written
as:
Field1,Field2,,Field4,,Field6
The required fields must be in the following order: list type, indicator type, indicator value, description,
application name
list type: either banned list or approved list
indicator type: sha256
indicator value: the actual file hash, in SHA-256 format
description: text that describes this entry
application name: optional
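The following Python script is an added example, not code from the Carbon Black Cloud product or its documentation. It builds a bulk reputation .csv with the five fields named above, in that order, and rejects the inputs the console rejects (MD5 hashes, values that are not SHA-256 digests, unknown list types), leaving an empty optional field blank between its commas. The literal tokens it writes for list type (`banned list`, `approved list`) and indicator type (`sha256`) are assumptions taken from the wording above; confirm them, and any further field the File Format panel shows, in your own console before uploading.

```python
import csv
import io
import re

# Added example (not Carbon Black code). Field order follows the page; the
# literal tokens for list type and indicator type are assumptions that must
# be checked against the console's File Format panel.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
LIST_TYPES = ("banned list", "approved list")   # assumption: console tokens
INDICATOR_TYPE = "sha256"                       # assumption: console token


def validate_row(list_type, file_hash, description, application_name=""):
    """Return one normalized row (list of fields) or raise ValueError."""
    list_type = list_type.strip().lower()
    if list_type not in LIST_TYPES:
        raise ValueError(f"list type must be one of {LIST_TYPES}: {list_type!r}")
    digest = file_hash.strip().lower()
    if MD5_RE.match(digest):
        raise ValueError("MD5 hashes are not supported; supply a SHA-256 hash")
    if not SHA256_RE.match(digest):
        raise ValueError(f"indicator value is not a SHA-256 hex digest: {file_hash!r}")
    if not description.strip():
        raise ValueError("description is required")
    # An empty optional field stays empty; csv.writer emits nothing between
    # the delimiting commas, which is the format the page describes.
    return [list_type, INDICATOR_TYPE, digest, description.strip(), application_name.strip()]


def build_reputation_csv(entries):
    """entries: iterable of (list_type, sha256, description[, application_name])."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for entry in entries:
        writer.writerow(validate_row(*entry))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample hashes (not hashes of real files).
    sample = [
        ("banned list", "a" * 64, "Constructed example: block this build"),
        ("approved list", "B" * 64, "Constructed example: deployment tool", "Deploy.exe"),
    ]
    print(build_reputation_csv(sample), end="")
```

Run it once against a handful of entries and open the result in a plain text editor before uploading; a hash copied from a report with surrounding whitespace or mixed case is normalized, but a 32-character value is refused rather than silently uploaded as an entry that will never match.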
Con gure an automatic banned list
You can automatically ban applications that have a threat severity that is equal to or greater than a specified
threshold.
1. Click Auto Banned List.
2. Set the threshold for the threat level. Anything equal to or greater than the defined threat level is added to
the banned list.
3. Click Save.
Note: You can also ban or approve applications on the Investigate or Malware Removal pages.
Reputation reference
A reputation is the level of trust or distrust that is given to an application.
Important: VMware Carbon Black is replacing the terms blacklist and whitelist with banned list and
approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.
Value: Definition
ADAPTIVE_WHITE_LIST (Adaptive approved list): After analysis, the hash reputation is deemed inconclusively trustworthy. It is not fully vetted and needs additional information to be fully deemed trusted across all organizations.
COMPANY_BLACK_LIST (Company banned list): Malicious or unwarranted behavior; the customer manually added a hash to the banned list. Specific to a selected organization.
COMMON_WHITE_LIST (Common approved list): After analysis, the hash reputation is deemed trusted across all organizations.
COMPANY_WHITE_LIST (Company approved list): A console administrator has explicitly approved this application or hash.
KNOWN_MALWARE (Known malware): Reputation is determined from analytics and intelligence feeds; the hash is Known Malware.
NOT_LISTED (Not Listed): The sensor requested reputation from the backend, but the backend does not have the hash on any internal lists. Typically this means the hash is new. No information is available to determine the reputation from analytics and intelligence feeds. This reputation helps protect against zero-day malware and is frequently assigned to new hashes/updated applications.
PUP (Potentially Unwanted Program): Reputation is determined from analytics and intelligence feeds; the application or hash is a PUP such as adware or popups.
SUSPECT_MALWARE (Suspect Malware): Reputation is determined from analytics and intelligence feeds; the application or hash is Suspect Malware.
TRUSTED_WHITE_LIST (Trusted approved list): Reputation is determined from analytics and intelligence feeds; the hash is Known Good as determined by the Carbon Black Cloud and/or the Carbon Black Cloud Sensor.
UNKNOWN: The sensor has not yet sent the reputation request. Typically this means that the sensor cannot reach the backend.
About adding to approved list
Adding to the approved list approves the presence and actions of specified applications. Adding to the
approved list is "global" in its effects and applies to all policies attached to a particular version of an
application.
To approve the presence and actions of an application only on a specific device, use permission rules
instead.
Tip: Routinely update your approved applications to account for new versions. Permission rules do not need
to be updated, because the permission is added by path or application name.
Benefits of approving IT tools and certs
Minimized performance impact when IT tools drop large amounts of new code that is immediately
executed.
For IT tools, no interference with new code execution. The dropped code is not blocked, even with
stricter preventative policy rules in place.
For certs, no blocking on initial execution of files signed with specific certificates.
Approval is not absolute, so that it cannot be exploited: deferred analysis of new code occurs in the
background as it executes. If files are known malware, configured policy enforcement rules act on them
after initial execution.
Tip: Use adding to the approved list for use cases such as software deployment tools, executable installers,
IDEs, compilers, or script editors.
Reputations that supersede approved IT tools and certi cates:
Company Black
Company White
Known Malware
PUP Malware
Suspect Malware
Trusted White
Using wildcards
When adding the path, you can use wildcards to target certain files or directories. Be as specific as possible
when approving certs, because a broad wildcard can incidentally approve malicious software that appears
to be signed by a trusted certificate authority.
Wildcard: Description: Example
*: Matches 0 or more consecutive characters up to a single subdirectory level. Example:
C:\program files*\custom application\*.exe
approves any executable files in c:\program files\custom application and
c:\program files(x86)\custom application.
**: Matches a partial path across all subdirectory levels and is recursive. Example:
C:\Python27\Lib\site-packages\**
approves any files in that directory and all subdirectories.
?: Matches 0 or 1 character in that position. Example:
C:\Program Files\Microsoft Visual Studio 1?.0\**
approves any files in the MS Visual Studio version 1 or versions 10-19.
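To see how broad a wildcard rule really is before approving it, the following Python matcher, added here and not part of the product, implements the three wildcard forms exactly as the table describes them and checks them against the table's own examples plus a few near-misses. How the sensor's own engine handles case and path separators is an assumption, so treat it as a sanity check on a rule you are about to approve, not as a statement of what the sensor will do.

```python
import re

# Added example (not Carbon Black code): a matcher for the wildcard forms in
# the table above. Case-insensitive matching and treating "/" and "\" alike
# are assumptions about the sensor's engine.


def rule_to_regex(rule: str) -> "re.Pattern":
    """Translate a path rule into an anchored, case-insensitive regex.

    **  matches across any number of subdirectory levels (recursive)
    *   matches 0 or more characters but never crosses a backslash
    ?   matches 0 or 1 character
    """
    rule = rule.replace("/", "\\")
    parts = []
    i = 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(".*")
            i += 2
        elif rule[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif rule[i] == "?":
            parts.append(r"[^\\]?")
            i += 1
        else:
            parts.append(re.escape(rule[i]))   # also escapes the backslash separator
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def rule_matches(rule: str, path: str) -> bool:
    return rule_to_regex(rule).match(path.replace("/", "\\")) is not None


def is_overly_broad(rule: str) -> bool:
    """Flag rules that recurse from a drive root or have no fixed directory at
    all, e.g. 'C:\\**' or '**\\*.exe'; such a rule approves almost everything."""
    fixed_prefix = rule.replace("/", "\\").split("**", 1)[0]
    return "**" in rule and re.fullmatch(r"([A-Za-z]:)?\\?", fixed_prefix) is not None


if __name__ == "__main__":
    # Rules from the table above; the paths are constructed test inputs.
    checks = [
        (r"C:\program files*\custom application\*.exe", r"C:\Program Files (x86)\custom application\tool.exe"),
        (r"C:\program files*\custom application\*.exe", r"C:\Program Files\custom application\sub\tool.exe"),
        (r"C:\Python27\Lib\site-packages\**", r"C:\Python27\Lib\site-packages\requests\api.py"),
        (r"C:\Program Files\Microsoft Visual Studio 1?.0\**", r"C:\Program Files\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe"),
        (r"C:\Program Files\Microsoft Visual Studio 1?.0\**", r"C:\Program Files\Microsoft Visual Studio 2019\bin\x.exe"),
    ]
    for rule, path in checks:
        print(f"{rule_matches(rule, path)!s:5}  {rule}  ->  {path}")
    for rule in (r"C:\**", r"**\*.exe", r"C:\Python27\Lib\site-packages\**"):
        print(f"overly broad: {is_overly_broad(rule)!s:5}  {rule}")
```

The second check is the one worth remembering: a single `*` stops at the next backslash, so `\custom application\*.exe` approves executables directly in that directory and nothing in its subdirectories, whereas `**` after the same prefix would approve everything beneath it.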
Approve IT tools and certificates
Approve IT tools
Approve certs
Adding a specific application to your company approved list can help eliminate unwanted alerts or lower the
relative threat level for such alerts. Learn more about adding to the approved list, when to use it, and how it
differs from permission rules.
Approve IT tools
Approve IT tools to assign an initial elevated trust to code that is dropped by known IT tools.
To approve IT tools
1. Click Add and select IT Tools as the type.
2. Add the path of the IT tool that drops code, should receive initial trust, and is allowed. (Example:
Trusted_Installer.exe.)
3. Select Include all child processes.
If selected, files dropped by child processes of the IT tool that is defined in the Path field also receive
the initial trust. This is useful when IT tools create a child process to delegate work to, and the child
process represents a generic executable, such as a copy command.
4. Enter a Comment, then click Add.
Approve certs
Approve certs to assign an initial elevated trust to code signed by specific trusted certificates. To use this
functionality, a file must be signed and verified by a valid certificate, and the certificate subject and authority
must be configured in the Cert rule.
To approve certificates
1. Click Add and select Certs as the type.
2. Enter the certificate under Signed by.
3. Enter the Certificate Authority and a Comment, then click Save.
Note: Certs added to the approved list are assigned the LOCAL_WHITE reputation and are not stalled for
static analysis or cloud reputation as they are executed.
Malware removal
Use the reputation of an application to identify malware. Look for applications with the KNOWN_MALWARE,
SUSPECT_MALWARE, or PUP reputations.
All historical malware data from the past six months displays on the Malware Removal page under the
Detected or Deleted tabs. When an item is added to the company approved list, company banned list, or its
reputation is overridden, the item will be removed from the Malware Removal page.
Detected malware
Malware can exist on an endpoint even if the malware is prevented from running. This tab displays all files
scanned and classified as KNOWN_MALWARE. Search for specific malware by hash or filename using the
Search box.
If you are unable to find the hash on this page, you can delete the file by searching for the hash on the
Investigate page and clicking the Take Action button on the appropriate event.
Auto-delete known malware
Enable a policy to automatically delete known malware within a speci ed time frame.
To auto-delete known malware:
1. Click Enforce, then Policies.
2. Select a policy. On the Sensor tab, click the box for Auto-delete known malware hashes after.
3. Select a time frame, then click Save.
After the policy setting is enabled, all new, executable malware is deleted at the end of the selected time
frame. Auto-delete does not delete files that are signed by Microsoft, Carbon Black files, or files that have
had their hashes changed.
Deleted malware
After malware is deleted, it is removed from the Detected tab and moved to the Deleted tab. If you attempt
to delete a file that has any reputation other than KNOWN_MALWARE, you must confirm the deletion twice.
All malware files are deleted permanently and cannot be restored.
Use the audit log to see deleted malware, malware scheduled for deletion, and admin actions. Search the
Audit Log for the hash you requested deletion of to see other events associated with the hash.
Cloud Analysis
You can help improve security efficacy by enabling additional analysis of unknown binaries by a third-party
partner. The local scanner must be turned on and you must be using sensor version 3.2 or above.
To enable cloud analysis
1. Click Enforce, then Policies.
2. Select the policy for which to enable cloud binary analysis.
3. Select the checkbox for Submit unknown binaries for analysis.
4. Confirm that you are opting in to share data with Carbon Black and a third party, then click Save.
Important: If you opt in to this functionality, the binary files (including the content of the files) are uploaded
to Carbon Black for analysis. Carbon Black uses a third-party vendor, Avira Operations GmbH & Co. KG
("Avira"), as a sub-processor to assist with the threat analysis. The binary files are sent to Avira’s network.
Avira only processes the data to meet Carbon Black’s obligations under the applicable agreement and for no
other purpose. Avira has implemented appropriate security and operational methods that are designed to
secure the data, and will comply with all applicable data privacy laws when processing the data. The
information will be processed by Avira in their US or EU data centers. In the course of using the services, you
shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and
intellectual property ownership or right to use and transfer to Carbon Black all such data. You can view
Carbon Black’s privacy policy at https://www.carbonblack.com/privacy-policy/ (which is modified by
Carbon Black from time to time).
Endpoints
Overview
A Carbon Black Cloud sensor is installed on every endpoint that the Carbon Black Cloud protects. The sensor
communicates with Carbon Black analytics and the Carbon Black Cloud console.
On the Endpoints tab, view the current status of your organization's endpoint sensors.
On the Sensor Update Status tab, view the progress and results of updated sensors.
Sensor Details, Sensor Groups, and Live Response
Organize your sensors into groups and view the status and details of sensors.
Sensor status and details
Signature version status
Create sensor groups
Access and use Live Response to perform remote investigations and remediate threats.
Use Live Response
Live Response Commands Reference
Sensor Management
Install Sensors
Install the Carbon Black Cloud sensor on the devices in your organization.
Send a sensor installation request email
Install sensors on the command line
Update Sensors
Update sensors to their newest versions to ensure you have access to the latest features and improvements.
Update sensors in console
Update sensors on the command line or using deployment tools
View updates on Sensor Update Status tab
Uninstall Sensors
Uninstall sensors and require a code to uninstall sensors to prevent unwanted uninstalls and sensor
tampering.
Uninstall sensors in console
Uninstall sensors on the command line
Require code to uninstall sensors
Sensor statuses and details
All deployed sensors are displayed in the table by default. Select a sensor group on the left to view only
sensors in that particular group. View additional sensor information by clicking the > next to a sensor name.
If a sensor is not a member of a sensor group, and was manually assigned a policy, it is listed as Manually
assigned. If the sensor metadata does not match any group criteria, it is listed as Unassigned.
Sensor status
The Status column is used to indicate the state of a sensor's installation or activeness, as well as any admin
actions taken on the sensor. As such, this column may contain multiple icons to indicate the state of a
sensor.
Installation/Active states
Active: Sensors have checked in within the last 30 days
Deregistered: Sensors have been deregistered or uninstalled; they will persist on the Endpoints page
in this status until removed
Eligible for update: Sensors can be updated to the most current, available sensor version
Errors: Sensors are reporting errors
Inactive: Sensors have not checked in within the last 30 days
Pending: Sensors have not yet been installed following an installation request email sent to a user
Admin action states
Bypass: Sensors have been put into Bypass mode by an admin; all policy enforcement on the device is
disabled and the sensor will not send data to the cloud. Sensors also momentarily enter Bypass mode
during a sensor update.
Quarantine: Sensors have been put into Quarantine mode and are isolated from the network to
mitigate spread of potentially malicious activity.
User column
The User column displays certain user data based on OS and sensor version:
macOS 3.3.2+ versions display last active user logged in on the device
Windows 3.5+ versions display the last active user logged in every 8 hours; if there is no interactive
user logged in within the 8 hour window, you may get a non-interactive user name such as "Window
Manager\DWM-2"
All other previous macOS and Windows versions display the user who installed the sensor
All Linux versions are intentionally left blank, as multiple, simultaneous logged-in users and desktop
users are possible
View and update signature versions
The status of each sensor signature version is displayed in the Sig column. This feature is not available for
macOS or Linux sensors.
Configure local scan settings from the Local Scan tab on the Policies page to enable automatic updates for
sensor signature versions. Local scan settings are only supported by Windows sensor versions 2.x+.
Signature version status
Circle: Signature version is currently in date. Sigs display as in date if the signature version installed was
released within 7 days of the current date.
Triangle: Signature version is out of date. Sigs display as out of date if the signature version installed
was not released within 7 days of the current date.
Square: Signature version is not yet reported or unidentifiable. Sigs may display as not yet reported if
local scan is not configured or if the sensor encountered an error after local scan was configured, such
as a connectivity issue.
Create sensor groups
Create sensor groups to apply policy settings across several sensors at once. New endpoints in a sensor
group will automatically be protected by the policy associated with that sensor group.
New sensors are automatically assigned to a single policy based on the metadata that is associated with the
sensor and the criteria that you de ne. If a sensor does not match the criteria of an existing sensor group, it
will be automatically assigned to the Standard policy.
Sensor groups and auto-assign are only available for Windows v3.1+, macOS v3.2+, and Linux v2.5+ sensor
versions.
To add a sensor group
1. Click Add Group.
2. Enter a unique name for the group and specify the criteria by which sensors are added to the group,
then click Save.
3. Click Edit to reorder your list of sensor groups, as needed. Sensors that match multiple sensor groups
based on criteria are added to the first sensor group that displays on the page.
Note: When setting subnet criteria for sensor groups, CIDR notation is not supported.
To con gure auto-assign of policies to sensors
1. Search and select sensors.
2. Click Take Action, then Assign policy.
3. Select the new policy in the dropdown menu or turn auto-assignments of policies ON or OFF, then click
Save.
Note: Only sensors that match all of the criteria of a sensor group are added to that group; therefore,
sensor group assignments are not permanent. If a sensor no longer meets a group's criteria, it will be moved
to another group it matches or be assigned the Standard policy. You can change the match all criteria
setting by clicking the dropdown menu for the relevant sensors and enabling an OR condition or changing
the all setting to any.
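The following Python model of the assignment rules above is an added example, not Carbon Black code. It evaluates ordered groups with match-all or match-any criteria, returns the first match or Unassigned with the Standard policy, and shows that reordering the groups changes the result for a sensor that matches more than one. Criteria are compared as case-insensitive wildcard patterns and subnet criteria are written as dotted prefixes (the console does not accept CIDR); the product's exact comparison rules are an assumption, as are the group names, hostnames and addresses.

```python
import fnmatch
from dataclasses import dataclass

# Added example (not Carbon Black code). Criteria are matched as
# case-insensitive wildcard patterns against sensor metadata; subnets are
# written as dotted prefixes. How the console compares each criterion
# internally is an assumption.


@dataclass
class SensorGroup:
    name: str
    policy: str
    criteria: dict            # metadata field -> pattern
    match: str = "all"        # "all" (every criterion) or "any" (OR), as in the console


def group_matches(group: SensorGroup, sensor: dict) -> bool:
    results = [
        fnmatch.fnmatchcase(str(sensor.get(key, "")).lower(), pattern.lower())
        for key, pattern in group.criteria.items()
    ]
    if not results:
        return False
    return all(results) if group.match == "all" else any(results)


def assign_policy(sensor: dict, groups: list, default_policy: str = "Standard") -> tuple:
    """Groups are evaluated in display order; the first match wins.

    A sensor that matches no group is reported as Unassigned and receives the
    Standard policy. Re-run this whenever metadata changes: membership is
    re-evaluated, not permanent.
    """
    for group in groups:
        if group_matches(group, sensor):
            return group.name, group.policy
    return "Unassigned", default_policy


def example_groups() -> list:
    # Constructed groups; the policy names are the built-in ones from this guide.
    return [
        SensorGroup("Servers", "Advanced", {"os": "WINDOWS", "hostname": "srv-*"}),
        SensorGroup("Lab", "Advanced", {"os": "LINUX", "subnet": "10.10.5.*"}, match="any"),
        SensorGroup("All Windows", "Monitored", {"os": "WINDOWS"}),
    ]


if __name__ == "__main__":
    groups = example_groups()
    sensors = [  # constructed metadata
        {"hostname": "SRV-DB01", "os": "WINDOWS", "subnet": "10.10.5.23"},
        {"hostname": "LT-0042", "os": "WINDOWS", "subnet": "192.168.1.5"},
        {"hostname": "build01", "os": "LINUX", "subnet": "192.168.1.9"},
        {"hostname": "mac-07", "os": "MAC", "subnet": "172.16.0.4"},
    ]
    for sensor in sensors:
        print(sensor["hostname"], "->", assign_policy(sensor, groups))
    # Reordering the groups changes the outcome for a sensor that matches several.
    print("reversed order, SRV-DB01 ->", assign_policy(sensors[0], list(reversed(groups))))
```

SRV-DB01 matches both Servers and Lab (through the subnet criterion with match-any), and Servers wins only because it is listed first; reverse the list and the same server lands in All Windows with the Monitored policy. Switching Lab to match-all drops the Linux build host, whose subnet does not match, back to Unassigned.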
Use Live Response
Use Live Response to perform remote investigations, contain ongoing attacks, and remediate threats using a
command line interface.
Enable or disable Live Response
Initiate a session
End a session
Live Response activity logging
Live Response commands reference
Enable or disable Live Response
To use Live Response, users must be assigned a role with Live Response permissions in the Carbon Black
Cloud. Live Response is available on endpoints running a version 3.0 or later sensor and which have been
assigned a policy with Live Response enabled.
To enable or disable Live Response by policy
1. Click Enforce, then Policies.
2. Select a policy group.
3. In the Sensor tab, select or deselect the Enable Live Response checkbox as applicable, then click Save.
To disable Live Response by endpoint
1. Click Endpoints and select the sensors.
2. Click Take Action, then Disable Live Response, and con rm the action.
Note: You can also disable Live Response during a command line sensor installation by using the
DISABLE_LIVE_RESPONSE option.
Initiate a Live Response session
When you activate Live Response, you create and attach to a session. Up to 100 sessions can be running
simultaneously, and multiple users can be attached to the same session. Each session is limited to 250
commands.
Live Response can be used on devices in bypass mode or quarantine.
To initiate a Live Response session
1. Click Endpoints and select the sensor. You can also initiate a Live Response session on the Alerts, Alert
Triage, and Investigate pages.
2. In the Take Action column, click the >_ to start a Live Response session. On other pages, click the Take
Action button to select the start a Live Response session option.
3. Click in the command window area and type the help command to view a list of available commands,
or use the Live Response commands reference. Type help commandname to get help about a specific
command.
Note: If more than one user submits a command through the session at approximately the same time, each
command must nish executing before the next one can begin. One user can undo or otherwise modify
what another user is doing.
Live Response command window status indicator
The command window is color-coded to denote a particular status and message.
Green: The sensor is connected and a session is established. The host name for the endpoint displays.
Yellow: The CB backend is waiting for the sensor to check in, or no endpoint is connected because no
session is attached.
Red: A session cannot be established with the sensor because the endpoint is offline, the sensor is
disabled, or the sensor version does not support Live Response.
End a Live Response session
You can leave or terminate a Live Response session.
Click End my session to leave your session. Other users attached to the session will remain until the
session is terminated.
Enter command detach to leave your session. Other users attached to the session will remain until
the session is terminated.
Enter command detach -q to terminate the session. Any other users attached to the session will also
be detached.
By default, sessions time out after five minutes of inactivity.
Live Response activity logging
Live Response activity is logged on accessed sensors and the Carbon Black Cloud backend. Commands
executed during a session for any accessed sensors are logged in the cblr.log file, located in the sensor
installation folder on the endpoint.
Live Response commands
Live Response supports the keyboard paste option. Use ctrl+v or cmd+v to paste into the terminal.
Command: Description
cd [dir]: Change the current working directory. Options include absolute, relative, drive-specific, and network share paths.
clear: Clear the console screen; you can also use the cls command for this purpose.
delete [path]: Delete the file specified in the path argument. The file is permanently deleted; it is not sent to the Recycle Bin.
detach: Detach from the current Live Response session. If a session has no attachments, it remains live until it times out (five minutes by default). The same action is performed by the End my session button.
detach -q: Terminate the current Live Response session. If a session has other users attached, these users will also be detached from the session.
dir: Return a list of files in the current directory.
drives: List the drives on the remote endpoint. This is for Windows only.
exec [processpath]: Execute a background process specified in the processpath argument on the current remote endpoint. By default, process execution returns immediately and output goes to stdout and stderr. Options can be combined:
exec -o outputfile processpath: Redirect the process output to the specified remote file, which you can download.
exec -w processpath: Wait for the process to exit before returning.
You can combine the options as shown in the following example to execute and capture the output from a script:
exec -o c:\output.txt -w c:\scripts\some_script.cmd
You must provide the full path to the process for the processpath argument, for example:
c:\windows\system32\notepad.exe
execfg [processpath]: Execute a process on the current remote endpoint, wait for it to complete, and return stdout/stderr.
execfg -o: Use the -o option to write stdout and stderr content to a specific remote file before it is returned to the Live Response session.
get [path]: Obtain the file that is specified in the path argument from the remote endpoint and download it to the local endpoint.
help: Show the Live Response session commands with a brief description of each. If a command name is added, show the description of the specified command, with additional details (such as options) if available. For example: help dir
kill: Terminate the specified process.
memdump [filepath]: Take a full system memory dump and store it to the given file path, which must include a file name. Memory dumps can take several minutes, and an (*) icon in the Live Response window indicates that it is still in progress. This is for Windows only.
mkdir: Make a directory on the remote endpoint.
ps or tasklist: Obtain a list of processes from the remote endpoint. Analysis information for a newly discovered process might not yet be fully committed to the Carbon Black Cloud database and therefore not viewable.
put [remotepath]: Put a file from the local endpoint onto the remote endpoint at the specified path. You specify the file in the Open dialog of the browser, after the command is entered in Live Response.
pwd: Print the current working directory.
reg: View or modify Windows registry settings (Windows endpoints only). The syntax of this command is:
reg [action] [key] [options]
Send sensor installation request email
You can invite users to download a Carbon Black Cloud sensor by sending an installation request email. The
installation code will expire after seven (7) days.
This method is useful when you have a small number of sensors to install, or when software distribution
tools are not available.
Notes:
This method is not available for Linux sensors; use command line installation instead.
With the release of the Windows 3.6 sensor, you can supply either the installation code or the
company code to install the sensor.
Invite users to install sensors
1. Notify end users that they will receive an installation request email from noreply@carbonblack.com.
See our sample email template below.
2. Click Sensor Options in the top right, then Send installation request.
3. Enter the end users’ email addresses, then click Send. End users must have administrative privileges on
their own endpoint to install the sensor.
4. In the email, end users will click on the appropriate OS installer link to download the sensor.
5. When prompted during installation, end users will enter the Activation Code included in the email. This
code expires in 7 days.
Note: If a user's installation code has expired, you can select the sensor from the table, click Take Action,
and then Send new installation code.
Sample email template
Hello,
You'll receive an email from noreply@carbonblack.com inviting you to install a Carbon Black Cloud sensor on your endpoint device. If you don’t see this
email, please check your junk folder.
Click on the appropriate installer link for your operating system to install the sensor. If you're using a Windows OS, we recommend that you select the
[32/64] bit option.
During installation, you’ll be asked to input the Activation Code included in the email. We recommend that you copy and paste this code into a plain text
editor, then copy and paste it into the installer. The code will expire in one week.
Update selected sensors in console
Update sensors on selected endpoints through the Carbon Black Cloud console.
After initiating updates to sensors, you can view the progress of the updates on the Sensor Update Status
tab on the Endpoints page.
Alternative update methods:
1. Update a sensor by double-clicking the new installer package, by issuing a command on the command
line, or by pushing the command line script through a tool like SCCM. Standard command line options
are applicable. Note that the command line options from the first install persist across upgrades. See
Update sensors on command line.
2. Reinstall sensors using either installation method:
Send an installation request email via the console
Install sensors on command line
Important: If you are upgrading to the Windows 3.6 sensor, see Configure a firewall.
Updating sensors
You can select up to 10,000 sensors to update at one time. After you initiate sensor updates, the selected
sensors receive the message to update the next time they check in with the Carbon Black Cloud backend.
The system allows up to 500 sensors to be in the update process concurrently (see View progress of sensor
updates). When an individual sensor completes its update process, a new sensor is signaled to start its update.
To update selected endpoints
1. On the Endpoints page, select the box next to the sensor(s) you want to update.
2. Click Take Action, then Update Sensors.
3. Con rm the number of sensors you wish to update.
4. Select the desired sensor version from the Version dropdown menu associated with the endpoints'
operating systems.
5. Select the checkbox to acknowledge that devices might be rebooted, then click Update.
View status of sensor updates
After initiating sensor updates, view the progress of your updates on this tab.
You can select up to 10,000 sensors to update at one time. After you initiate sensor updates, the selected
sensors receive the message to update the next time they check in with the Carbon Black Cloud backend.
Up to 200 sensor update entries will appear on the page. View the Audit Log for a record of all sensor
updates.
View progress of sensor updates
View results of sensor updates
To initiate sensor updates, use any of the following methods:
1. Update sensors on selected endpoints through the Carbon Black Cloud console. See Update sensors in
console.
2. Reinstall sensors using either installation method:
Send an installation request email via the console
Install sensors on command line
3. Update a sensor by double-clicking the new installer package, by issuing a command on the command
line, or by pushing the command line script through a tool like SCCM. Standard command line options
are applicable. Note that the command line options from the first install persist across upgrades. See
Update sensors on command line.
View progress of sensor updates
Sensor updates are prioritized rst by the size of the request, from smallest to largest number of sensors,
and then by the date of the request, from oldest to newest. This means that update requests with a lower
total number of sensors will take priority over requests with a larger total number of sensors.
The system allows up to 500 individual sensors to concurrently begin the update process. Each individual
sensor that is hinted to begin its update process is counted as part of the 500 limit. When an individual
sensor completes its update process successfully, or returns an error, a new sensor is hinted to start its
update process.
To stop a processing or pending update request, click the Stop icon in the Actions column.
Note: The completion of large update requests may be delayed if subsequent, smaller requests follow. Of
the 500 concurrent sensors available to update at a time, sensors from smaller requests are given priority
for update over sensors from larger, processing requests.
Sensor Update Statuses
The progress of a sensor update is indicated by the Status column, along with an accompanying progress
bar.
Pending: Update has been requested but has not begun to process; corresponds with the Requested
column timestamp
Processing: Update is currently in progress; updates will automatically time out after two weeks
Completed: All sensors in the update have either succeeded or failed; corresponds with the
Completed column timestamp
Stopped: Update has been cancelled; stopped updates cannot be restarted, a new update must be
made
Note: Processing updates will automatically time out after two weeks. Time outs will occur even if the sensor
has been hinted for an update, but the sensor has not successfully completed the update. Typically, sensors
that have not updated due to a time out will show the "Sensor unresponsive" error, indicating the sensor
could not be reached for update within the two week period.
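The following Python scheduler is an added example, not Carbon Black code. It models the queueing rules described under View progress of sensor updates and the statuses listed above with a small concurrency limit so the behaviour can be stepped through by hand: smallest request first, then oldest; a freed slot goes to whichever request currently has priority, so a small request submitted later delays a large one that is still processing; stopping a request marks its un-hinted sensors with the "Update stopped by user" error. Device IDs and timestamps are constructed, and what happens to already-hinted sensors of a stopped request (here they are left to finish) is an assumption.

```python
from collections import deque
from dataclasses import dataclass, field

# Added example, not Carbon Black code: a model of the sensor update queue
# described on this page. Rules implemented: smallest request first, then
# oldest; at most `capacity` sensors hinted at once (500 in the product);
# each freed slot goes to the request that currently has priority; stopping
# a request marks its un-hinted sensors with the documented error text.
# Device IDs and timestamps are constructed. Leaving already-hinted sensors
# of a stopped request to finish is an assumption.

STOPPED_BY_USER = "Update stopped by user"


@dataclass
class UpdateRequest:
    request_id: str
    requested_at: int            # constructed monotonic timestamp
    device_ids: list             # every sensor in the request (Sensors column)
    pending: deque = field(init=False)              # not yet hinted
    results: dict = field(default_factory=dict)     # device_id -> "updated" or error text
    stopped: bool = False

    def __post_init__(self):
        self.pending = deque(self.device_ids)

    @property
    def size(self) -> int:
        return len(self.device_ids)

    def status(self, in_flight: int) -> str:
        if self.stopped:
            return "Stopped"
        if len(self.results) == self.size:
            return "Completed"
        if in_flight == 0 and not self.results:
            return "Pending"
        return "Processing"


class UpdateScheduler:
    def __init__(self, capacity: int = 500):
        self.capacity = capacity
        self.requests: dict = {}      # request_id -> UpdateRequest
        self.in_flight: dict = {}     # hinted device_id -> request_id

    def submit(self, request: UpdateRequest) -> None:
        self.requests[request.request_id] = request

    def _next_request(self):
        # Priority: fewest total sensors, then earliest request.
        candidates = [r for r in self.requests.values() if r.pending and not r.stopped]
        return min(candidates, key=lambda r: (r.size, r.requested_at)) if candidates else None

    def fill(self) -> list:
        """Hint sensors until the concurrency limit is reached; return the hinted IDs."""
        hinted = []
        while len(self.in_flight) < self.capacity:
            request = self._next_request()
            if request is None:
                break
            device_id = request.pending.popleft()
            self.in_flight[device_id] = request.request_id
            hinted.append(device_id)
        return hinted

    def complete(self, device_id: str, result: str = "updated") -> list:
        """Record success or an error for a hinted sensor, then hint the next one."""
        request = self.requests[self.in_flight.pop(device_id)]
        request.results[device_id] = result
        return self.fill()

    def stop(self, request_id: str) -> None:
        request = self.requests[request_id]
        request.stopped = True
        while request.pending:
            request.results[request.pending.popleft()] = STOPPED_BY_USER

    def status(self, request_id: str) -> str:
        in_flight = sum(1 for rid in self.in_flight.values() if rid == request_id)
        return self.requests[request_id].status(in_flight)

    def counts(self, request_id: str) -> tuple:
        """(Sensors, Updated, Errors), as in the Sensor Update Status columns."""
        request = self.requests[request_id]
        updated = sum(1 for v in request.results.values() if v == "updated")
        return request.size, updated, len(request.results) - updated


if __name__ == "__main__":
    s = UpdateScheduler(capacity=3)
    s.submit(UpdateRequest("A", 1, ["a1", "a2", "a3", "a4", "a5"]))
    s.submit(UpdateRequest("B", 2, ["b1", "b2"]))
    print("first hints:", s.fill())            # B's two sensors are hinted before A's
    print("after b1 done:", s.complete("b1"))  # B has nothing left, so A gets the slot
    s.submit(UpdateRequest("C", 3, ["c1"]))
    print("after a1 done:", s.complete("a1"))  # C, smaller and newer, jumps ahead of A
```

With the real limit of 500 the same thing happens at scale: a 5,000-sensor request that is already processing hands every freed slot to any smaller request submitted after it, which is the delay the note above warns about. Stopping a request cannot be undone; the sensors it never reached show the stopped-by-user error and need a new request.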
View results of sensor updates
Once an update begins to process, the number of successful or failed sensor updates will begin to populate
in the table in the Updated and Errors columns. When completed, the sum of successful updates and any
failed updates will match the initial number of sensors requested for update in the Sensors column.
View Updated Sensors
Click the hyperlinked number of successfully updated sensors in the Updated column to view the update
sensors on the Endpoints tab. A hyperlink will only appear if an update request is either "Completed" or
"Stopped" and if the number of updated sensors is fewer than 500.
Export Results
In the Actions column, click the Export icon to download a CSV file of any "Completed" or "Stopped" update
request.
Use the CSV file to view the full results of updates, including updates with more than 500 sensors. The file
contains useful information about your updates, including the Device IDs of all requested sensors, their
initial and updated sensor versions, and the reason for any update failure.
View Failed Sensors and Errors
Click the hyperlinked number of failed sensors in the Errors column to view the failed sensors on the
Endpoints tab. A hyperlink will only appear if an update request is either "Completed" or "Stopped" and if
the number of failed sensors is fewer than 500.
If an update contains failures, click the caret on the left of the row in the table to view a summary of failure reasons. Sensors may fail due to:
Sensor unresponsive: The sensor was offline or failed to check in with the system during the timeframe of the update.
No sensor found: The sensor could not be found. This is most likely due to the sensor having been deregistered.
Update stopped by user: The update request was stopped by a user in the console before the sensor could update.
Update error: The sensor failed to upgrade to the targeted version.
Column: Description
Requested: The date and time of the initial update request.
Completed: The date and time of the finished update; an update can show this status even if it contains both successful and failed sensor updates.
Status: The progress of a sensor update. The status of an update can be: Pending, Processing, Completed, or Stopped.
Sensors: The total number of sensors requested for update.
Updated: The number of successfully updated sensors; this number changes as more sensors are successfully updated, until the update has completed or been stopped.
Errors: The number of sensors that have failed to update; this number changes as more sensors fail to update, until the request has completed or been stopped.
Actions: Click the Stop icon to stop a processing or pending request. When updates are completed or stopped, click the Export icon to download a CSV file with the full results of the update request.
Uninstall sensors
Uninstalled sensors will persist on the Endpoints page in the Carbon Black Cloud as a deregistered device
until manually or automatically removed. You can restrict the action of uninstalling sensors by requiring a
unique, randomly-generated code.
You can also uninstall sensors using the command line.
To uninstall sensors from the Endpoints page
1. Search for and select the sensors to uninstall.
2. Select the checkbox in the table header to select all displayed devices, or select individual devices in the
displayed list.
3. Click Take Action, then Uninstall.
To remove deregistered devices
1. Filter the list of sensors to show only deregistered sensors, then select the sensors to delete.
2. Click Take Action, then Delete deregistered devices.
3. Automatically remove deregistered devices by clicking Sensor Options, Sensor settings, then Auto-delete registered sensors. Set the specified time frame, then click Save.
Require uninstall sensor code
We recommend requiring a randomly-generated code to restrict uninstalling sensors. To prevent unwanted
uninstalls and malware from tampering with sensor connectivity, enable this setting for each policy. Note:
You must have v3.1+ sensors to enable this setting.
To require a code to uninstall a sensor at the endpoint
1. Click Enforce, then Policies.
2. Select the policy, click the Sensor tab, click Require code to uninstall sensor, then Save.
3. View the uninstall sensor code by clicking the > next to the sensor. The uninstall code displays below the sensor data.
You can also generate a company deregistration code to uninstall any sensor in your organization.
To generate a company deregistration code
1. Click Endpoints, Sensor Options, then Company codes.
2. Under Deregistration Code, click Generate New Code.
Note: Only macOS and Windows sensors can be uninstalled with a company deregistration code. Uninstall
Linux sensors by using the command line.
Warning: The company deregistration code can be used to uninstall all sensors in your organization. If you
do not want a single code that can be used across your organization, do not generate the company
deregistration code.
Workspace ONE
Visit VMware Docs - VMware Workspace ONE UEM (https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/index.html) for comprehensive documentation about configuration and setup.
Configure Workspace ONE Sensor Kit
1. In the Carbon Black Cloud console, click Endpoints in the left navigation bar.
2. Click Sensor Options, then Configure Workspace ONE sensor kit.
3. Select the sensors for the operating systems you are configuring with Workspace ONE.
4. Click Upload File to select and upload a configuration file in .ini format to specify how sensors will operate on endpoints.
5. Click Generate URL.
See Enroll through Command Line Staging (https://docs.vmware.com/en/VMware-Workspace-ONE-
UEM/services/Windows_Desktop_Device_Management/GUID-AWT-ENROLL-STAGECOMMAND.html) and
Silent Enrollment Parameters and Values (https://docs.vmware.com/en/VMware-Workspace-ONE-
UEM/services/Windows_Desktop_Device_Management/GUID-AWT-ENROLL-SILENTCOMMANDSWD.html) for
additional information.
USB Devices
Gain visibility and control over USB devices detected in your environment. Review USB devices, create
approvals for trusted devices, and manage approvals.
Approvals are global and blocking is enabled by policy. First approve USB devices and then block access to
all unapproved devices on the Policies page. This ensures that any device that has not been approved by you
will be blocked.
Approve USB devices
Block USB devices
Monitor USB device alerts
Approve USB devices
View all detected USB devices on the USB Devices tab. Review when the device was first and last seen, its approval status, the last endpoint it was seen on, the policy associated with the last endpoint, and the number of policies with blocking on or off.
You can approve devices on the USB Devices tab as well as the Approvals tab. On the USB Devices tab, you can approve either multiple detected devices or a single device. On the Approvals tab, you can upload a CSV file to add multiple devices, create approvals for vendors and products, or approve a specific device.
Vendor and product IDs are device-generated 16-bit hexadecimal numbers (e.g., 0xC123) used to identify USB devices. You’ll need these IDs to approve vendors and products, and a serial number to create a specific approval.
To approve devices on USB Device tab:
1. Select multiple devices and click Approve to create approvals for multiple USB devices.
2. Click Approve under the Approval Status column to approve a specific USB device.
3. Device information like Vendor ID, Product ID, and Serial Number will be pre-filled for a USB device detected in your environment. Add Additional Details like name of approval and notes.
4. Click Save to add approval.
5. Once saved, the Approval Status will change to Approved, and you can view the approval under the
Approvals tab.
To add multiple USB devices for approval:
1. On the Approvals tab, click on Upload CSV.
2. Download the template for reference, or click Upload file and add a CSV file.
3. The file must include vendor_id, product_id, and serial_number. Optionally, you can also include approval_name and notes.
4. Click Upload to add approvals for all USB devices listed in the CSV file.
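The CSV upload above requires the vendor_id, product_id and serial_number columns, with vendor and product IDs as 16-bit hexadecimal values. The following Python script, added here as an example and not part of the Carbon Black documentation or product, validates such a file before you upload it: it checks the required columns, normalizes IDs to the 0xABCD form, rejects IDs wider than 16 bits, and flags missing serial numbers and duplicate rows. The sample CSV, its IDs and its serial numbers are constructed for the example.

```python
"""Validate a USB device approvals CSV before uploading it on the Approvals tab.

Added example; not Carbon Black code. Column names follow the guide:
vendor_id, product_id, serial_number are required; approval_name, notes optional.
"""
import csv
import io
import re

REQUIRED_COLUMNS = ("vendor_id", "product_id", "serial_number")
OPTIONAL_COLUMNS = ("approval_name", "notes")

# Vendor and product IDs are 16-bit hexadecimal numbers, e.g. 0xC123.
# Accept an optional 0x prefix and 1-4 hex digits; anything longer exceeds 16 bits.
_HEX16 = re.compile(r"^(?:0[xX])?([0-9A-Fa-f]{1,4})$")


def normalize_usb_id(raw):
    """Return a 16-bit USB ID in canonical 0xABCD form, or None if it is invalid."""
    match = _HEX16.match((raw or "").strip())
    if not match:
        return None
    return "0x%04X" % int(match.group(1), 16)


def validate_usb_approvals_csv(text):
    """Parse an approvals CSV and return (approvals, errors).

    approvals: rows that passed every check, with IDs normalized.
    errors: one message per problem, including the CSV line number.
    """
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    approvals, errors = [], []

    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        errors.append("missing required column(s): " + ", ".join(missing))
        return approvals, errors
    unknown = [c for c in header if c not in REQUIRED_COLUMNS + OPTIONAL_COLUMNS]
    if unknown:
        errors.append("unknown column(s) will be ignored: " + ", ".join(unknown))

    seen = set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        vendor = normalize_usb_id(row.get("vendor_id"))
        product = normalize_usb_id(row.get("product_id"))
        serial = (row.get("serial_number") or "").strip()
        problems = []
        if vendor is None:
            problems.append("vendor_id %r is not a 16-bit hex value" % row.get("vendor_id"))
        if product is None:
            problems.append("product_id %r is not a 16-bit hex value" % row.get("product_id"))
        if not serial:
            problems.append("serial_number is required for a specific device approval")
        key = (vendor, product, serial)
        if not problems and key in seen:
            problems.append("duplicate of an earlier row for %s/%s/%s" % key)
        if problems:
            errors.extend("line %d: %s" % (line_no, p) for p in problems)
            continue
        seen.add(key)
        approvals.append({
            "vendor_id": vendor,
            "product_id": product,
            "serial_number": serial,
            "approval_name": (row.get("approval_name") or "").strip(),
            "notes": (row.get("notes") or "").strip(),
        })
    return approvals, errors


# Constructed sample file; the IDs and serial numbers are made up for this example.
SAMPLE_CSV = """vendor_id,product_id,serial_number,approval_name,notes
0xC123,0x0001,SERIAL-0001,Constructed device A,issued by IT
c123,10,SERIAL-0002,Constructed device B,
0xC123,0x0001,SERIAL-0001,Duplicate of device A,
0x12345,0x0001,SERIAL-0003,Vendor ID too wide,
0xC123,0x0002,,Missing serial number,
"""

if __name__ == "__main__":
    ok, bad = validate_usb_approvals_csv(SAMPLE_CSV)
    for approval in ok:
        print("OK  ", approval)
    for err in bad:
        print("FAIL", err)
```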
To approve devices on Approvals tab:
1. Click Add Approval to create an approval for a device type or a specific device.
2. Add new Vendor and Product IDs, or select from IDs detected in your environment. Add Additional Details like name of approval and notes.
3. To create a specific approval, also include the Serial Number.
4. Click Save to add approval.
Once you approve the USB devices, enable blocking of unapproved devices on the Policies page. All devices
are allowed until blocking is enabled.
Block USB devices
All detected USB devices are allowed access until you block unapproved devices on the Policies page. To allow the use of USB devices in your organization, first approve authorized devices and then enable blocking of unapproved devices on the Policies page.
To block all unapproved USB devices:
1. On the Policies page, click the Prevention tab, and open USB Device Blocking.
2. Turn on blocking by selecting Block access to all unapproved USB devices.
3. To apply the same setting to all policies or a specific set of policies, click Copy setting to other policies.
Monitor USB device alerts
If an end user attempts to access a blocked USB device, a deny policy action will be triggered, resulting in an
alert. View device control alerts on the Alerts page.
To manage USB Device Control alerts:
1. On the Alerts page, filter results by selecting USB Device Control in the Type filter.
2. Double-click an alert or click the > to the right of the Actions column to view the expanded right-side
panel. In this panel, view device details like vendor ID, product ID, and serial number.
3. Click Approve and approve a blocked USB device, or go to the USB Devices Inventory page to view all
devices detected in your environment.
General Settings
Define the boundaries of your organization’s premises to determine which endpoints are on- or off-premises at the time of an event. Set the required registry key for compatibility with a Windows update.
Define premises
Set registry key for Windows update
Define premises
A device can be considered on-premises if it meets at least one of the following conditions:
The device has a relevant Fully Qualified Domain Name (FQDN) registered on the network adapter.
The device has a relevant IP address registered on the network adapter.
A home network or remote network device has a matching FQDN or IP address in Reachable Hosts. This means such a device is considered on-premises even when it is actually off-premises.
To define premises
1. Click Settings, then General.
2. Add your domain in the DNS suffix textbox, then click Add.
3. Alternatively, add a reachable host, then click Add.
Note: A device can only be defined as off-premises by excluding it from the DNS Suffix or Reachable Host lists.
Set registry key for Windows updates
Carbon Black offers a way to set the required registry key for compatibility with a Windows update. See Windows KB 4072699 (https://support.microsoft.com/en-us/help/4072699/windows-security-updates-and-antivirus-software).
To set the registry key
1. Click Settings, then General.
2. Click Send Registry Key.
3. Set ALLOW REGKEY. Each Windows sensor v3.1 or later installs the registry key the next time that it checks in with the Carbon Black Cloud.
The following registry key/value is created:
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"
Note: Any user who has administrator rights on the endpoint can manually delete the registry key. Microsoft recommends that the key not be changed or deleted after it is created.
Manage Users
Overview
Users added from this page will be given access to the Carbon Black Cloud console.
Every console user is assigned to a role. Roles contain varying sets of permissions which dictate the views
and actions available to a user.
Explore pre-defined roles or create a custom role on the Roles page.
Manage Users
Add, modify, or delete users
About built-in user roles
User role permissions matrix
User role permission descriptions
Two-factor Authentication and SAML
Enable two-factor authentication
Enable SAML integration
Add, modify, or delete users
Add new console users, update existing user role assignments, or delete users.
Add a console user
1. Click Add User.
2. Enter the details for the new user, including name, email, and role. Click Save.
3. An email is sent to the entered email address. The email prompts the user to log in and create a password.
4. Added users appear in the table once they have confirmed their login credentials.
Modify user details
1. In the Actions column, click Edit in the row of the user you want to modify.
2. Make edits as necessary, then click Save.
Delete a user
1. In the Actions column, click the X icon in the row of the user you want to delete.
2. In the confirmation modal, click Delete.
Selecting user roles
Users are granted specific permissions based on their assigned role. Six pre-defined user roles are available for selection.
You can also create new roles with specific permission levels. Reference the user role permission descriptions for additional detail when creating custom roles.
Note: Legacy user roles are still available for selection, but will be phased out over time.
About built-in user roles
The Carbon Black Cloud console comes with six pre-defined, built-in roles to assign to your users.
Note: Legacy user roles are still available for selection, but will be phased out over time.
View All
Users can view pages, export data, and add notes and tags. Suited for new users or users in an oversight
capacity.
Permissions include:
View dashboard data
Investigate alerts and view analysis
View endpoints, policies, reputations
Analyst 1
Users monitor, investigate, and respond to potential threats. Users can also triage alerts and place devices in
or out of quarantine.
Permissions include:
View and quarantine devices
Request files for analysis
Analyze and dismiss alerts
Analyst 2
Users monitor, investigate, and respond to potential threats. Users can also effect change on endpoints via Live Response, file deletion, and quarantine.
Permissions include all Analyst 1 permissions, as well as:
Live Response access
Manage background scans
Delete hashes from endpoints
Analyst 3
Users monitor, investigate, and respond to potential threats. Users can also use Live Response and manage
application reputations and certs.
Permissions include all Analyst 2 permissions, as well as:
Live Query access
Approve/Ban applications
Manage trusted certs
System Admin
Users are responsible for daily admin activities including adding users, managing sensors, and enabling
bypass. Users in this role cannot access Live Response, or make global changes, such as modifying policies,
API keys, and reputations.
Super Admin
Users have all permissions, including console setup and configuration. Super Admins are the only users who
can manage policies, API keys, and sensor group rules.
Note: Roles with Live Response permissions do not automatically have the permissions to view or create
Live Response API keys. These permissions are separate and can be added when creating a custom role.
Legacy User Roles
Legacy user roles are still available for selection, but will be phased out over time.
View only: View alerts; cannot take action on alerts. Some components are hidden from view-only
users.
Administrator: Full administrative rights; can view and take action on alerts.
Live Response Administrator: Full administrator rights; can view and take action on alerts, and use
Live Response to remediate issues on endpoints. (Only Live Response Administrators can add new
Live Response Administrators.)
Enable two-factor authentication
We recommend that you enable DUO or Google two-factor authentication (2FA) to add an extra layer of
security to your organization.
As a best practice, open a second tab after logging into the console to make changes to 2FA settings.
Enable DUO two-factor authentication
Enable Google two-factor authentication
Note: You must have at least two users registered in the Carbon Black Cloud console to enable 2FA.
Enable DUO 2FA
1. Click Settings, then Users, then DUO Security.
2. Click Confirm to confirm that you want to enable DUO 2FA for everyone in your organization who will sign in to the Carbon Black Cloud console.
3. Enter the DUO Security Settings from your DUO account into the modal.
4. Find the integration key, secret key, and API hostname in DUO. (Applications > + Protect an
Application > search "Web SDK" > Protect this Application)
5. Click Submit.
Enable Google 2FA
1. Click Settings, then Users, then Google Authenticator. You are prompted to confirm Google 2FA.
2. Sign out, then re-sign in to the Carbon Black Cloud console.
3. Download and install the iOS or Android Google Authenticator app on your mobile device. Open the Google Authenticator app on your mobile device and scan the barcode to complete the Google 2FA setup process. A pop-up modal window confirms that you have activated Google 2FA.
4. Enter the 6-digit code that appears on your mobile device to authenticate into the Carbon Black Cloud
console.
Enable SAML integration
We recommend opening two instances of the Carbon Black Cloud in separate browsers in case something is misconfigured and you are unable to log in using SAML. If this happens, return to the second instance and disable SAML. Then, verify the settings or contact Carbon Black technical support.
Enable SAML integration with Ping Identity
1. In each of two Carbon Black Cloud instances, click Settings, Users, then Enabled.
2. In the SAML Config page, click Other. Leave the Email Attribute Name field as the value "mail".
3. Log in to your Ping One account at https://admin.pingone.com/web-portal/dashboard
(https://admin.pingone.com/web-portal/dashboard#).
4. On the Admin dashboard, click the Applications tab, Add application, then New SAML application.
5. Fill in the appropriate fields, click Continue to Next Step, then select the I have the SAML configuration tab.
6. From the Carbon Black Cloud SAML Config page, enter the ACS field and the entity ID. Click Continue to Next Step.
7. Click Add new attribute and enter the following fields:
mail: Email
SAML_SUBJECT: SAML_SUBJECT
a. For the mail field, click Advanced, enter the following fields, then click Save: NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic Attribute Mapping: mail = Email
b. For the SAML subject field, click Advanced, enter the following fields, then click Save: NameFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:transient Attribute Mapping: SAML_SUBJECT = SAML_SUBJECT
c. Click Save & Publish.
d. In the Review Setup section, copy the SAML signing certificate and paste it into the Carbon Black Cloud SAML Config page. Copy the SSO URL and paste it into the Carbon Black Cloud SAML Config page. If your PingOne account email does not match your Carbon Black Cloud user email, configure your PingOne email login account on the Users tab.
8. On the Carbon Black Cloud SAML Config page, click Save, then open a new browser tab or window and verify SAML authentication.
Enable SAML integration with OneLogin
1. In each of two Carbon Black Cloud instances, click Settings, Users, then Enabled.
2. In the SAML Config page, click Other. Leave the Email Attribute Name field as the value "mail".
3. Go to OneLogin in a second browser and go to Apps > Add Apps in the OneLogin administrator dashboard.
4. Search for "SAML Test Connector" and select and save the first result from the search results list. OneLogin opens the application Info page. Click the Configuration tab.
5. In the display name field, type "CB PSC". From the Carbon Black Cloud SAML Enabled page, copy the URL from the Audience field. In OneLogin, paste the copied text into the RelayState, Audience, and Recipient fields.
6. In the Carbon Black Cloud SAML Enabled page, copy the URL from the ACS (Consumer) URL Validator field. In OneLogin, enter the copied text into the ACS (Consumer) URL Validator field.
7. In the Carbon Black Cloud SAML Enabled page, copy the URL from the ACS (Consumer) URL field. In OneLogin, paste the copied text into the ACS (Consumer) URL field.
8. Click Save to save your configuration changes at OneLogin. Click the Parameters tab and add the parameter "SAML Test Connector (IdP) Field mail" with "Value Email" (custom parameter).
9. Click the SSO tab. Copy the X.509 Certificate and paste the value into the X509 Certificate field in the Carbon Black Cloud. If you receive a "Request failed with status code 400" error message, try copying the certificate information line by line into the console.
10. In OneLogin, copy the SAML 2.0 Endpoint (HTTP) field and paste the value into the Single Sign On URL (HTTP-Redirect Binding) field in Carbon Black Cloud. Click Save.
11. Open a new browser tab or window and verify SAML authentication.
Enable SAML integration with Okta
1. In each of two Carbon Black Cloud instances, click Settings, Users, then Enabled.
2. In the SAML Config page, click Other. Leave the Email Attribute Name field as the value "mail".
3. Log in to Okta, click Applications, then Create New App. Set the app type to "SAML2.0", name the app, then click Next.
4. Copy the Audience and ACS URL from the Carbon Black Cloud (these are the same URL) and paste them into both the Single sign on URL and Audience URI (SP Entity ID) fields in Okta. Set the Attribute Statement as "Name=mail", "Name format=Basic", and "Value=user.email".
5. Select I’m an Okta customer adding an Internal app, then click Finish.
6. Click View Setup Instructions. Copy the value in the Login URL/SignOn URL field and paste it into the Single Sign On URL field of the Carbon Black Cloud SAML Config page. Click Save.
7. Open a new browser tab or window and verify SAML authentication.
Manage Roles
Overview
Every Carbon Black Cloud console user is assigned to a role. Roles contain varying sets of permissions which
dictate the views and actions available to a user. Assign roles to your console users from the Users page.
The console comes with six pre-defined, built-in roles to choose from. Click the caret next to a role name in the table to view the permissions associated with each role.
Manage Roles
Add, modify, or delete custom roles
About built-in user roles
User role permissions matrix
User role permission descriptions
Add, modify, or delete custom roles
Create and add custom roles, or modify or delete existing roles.
Add a custom role
1. Click Add Role.
2. Enter a unique name and description for the new role.
3. Select a role from the Copy permissions from dropdown to use an existing role as a template. This
allows you to add and remove permissions from an existing set of role permissions.
4. Select None from the Copy permissions from dropdown to select permissions without an existing
template.
5. Expand the Permissions categories and select or unselect the desired permissions for the role, then
click Save.
Tip: Click the Duplicate icon next to role in the table to make a copy of that role. Use copied roles to easily
make minor adjustments to existing roles.
Modify a role
1. In the Actions column, click the Pencil icon in the row of the role you want to modify.
2. Make edits as necessary, then click Save.
Delete a role
Built-in user roles and custom roles actively assigned to users cannot be deleted. To delete a custom role, you must first reassign users connected to that role to a new role.
1. In the Actions column, click the X icon in the row of the role you want to delete.
2. In the confirmation modal, click Delete.
Export/Download roles
In the Actions column, click the Export icon to download a JSON file of a custom role. Use downloaded files to archive or audit changes made to custom roles.
Permissions Matrix
Each table below covers one permission category. The columns are View All, Analyst 1, Analyst 2, Analyst 3, System Admin, and Super Admin; an X marks each role that has the permission.
Alerts: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Dismiss Alerts X X X X
Manage Alerts, Notes, and Tags X X X X X
Manage Notifications X X X X X
View Alerts, Notes, and Tags X X X X X X
View Notifications X X X X X X
API Keys: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Manage Access Levels X
Manage API Keys X
View API Keys X X X X X
Appliances: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Register workload appliances and send workload assets to CBC X X X X X X
View Appliance Details X X X X X X
Custom Detections: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Manage Watchlist Feeds X X
Manage Watchlists X X
View Watchlist Feeds X X X X X X
View Watchlists X X X X X X
Device Control: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Manage Enforcement X
Manage External Devices X X
View External Devices X X X X X X
Endpoint Management: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Bypass X X
Deregister and Delete Sensors X X
Export Device Data X X X X X X
Get and Delete a Hash from Specified Devices X X X X
Background Scan X X X X
Manage Devices X X
Manage Device Assignments X
Manage Sensor Groups X X
Quarantine X X X X
View Devices and Sensor Groups X X X X X X
Investigate: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Conduct Investigations X X X X X X
Export Event Data X X X X X X
Live Query: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Use Live Query X X X
View Live Query X X X X
Live Response: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Use Live Response X X X
View Live Response X X X X X X
Organization Settings: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Configure 2FA and SAML X
Export Dashboard Data X X X X X X
Manage Org Information and Codes X
Manage Roles X
Manage Users X X X X X
View and Export Audit Logs X X X X X
Download Sensor Kits X X
View 2FA and SAML X X X X X
View Org Information and Codes X X X X X X
View Users X X X X X X
Policy Management: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Manage Policies X
View Policies X X X X X X
Files and Reputations: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Delete Files X X X
Manage Reputations and Auto Banned List X X
View Reputations X X X X X X
Workload Management: View All | Analyst 1 | Analyst 2 | Analyst 3 | System Admin | Super Admin
Manage Workloads X X
View Workloads X X X X X X
Roles Permission Descriptions
Alerts
Dismiss Alerts: Dismiss selected alerts.
Manage Alerts, Notes, and Tags: Add, edit, and delete alerts, notes, and tags.
Manage Notifications: Add, edit, and delete notifications.
View Alerts, Notes, and Tags: View and search alerts, notes, and tags.
View Notifications: Access and view content on the Notifications page.
API Keys
Manage Access Levels: Add, edit, and delete access levels.
Manage API Keys: Add, edit, and delete API keys.
View API Keys: Access and view content on the API Access page.
Appliances
Register workload appliances and send workload assets to CBC: Register the Carbon Black Cloud (CBC) workload appliance and send the workload inventory data on the Workloads > VMs without Sensors page. You must have appliance credentials to register the appliance with CBC.
View Appliance Details: After registration of the Carbon Black Cloud workload appliance, view the appliance details on the API Access > API Keys page.
Custom Detections
Manage Third Party Watchlists: Enable or disable reports and IOCs from watchlists curated by Carbon Black and third parties.
Manage Watchlists: Add, edit, and delete custom watchlists, related reports, and IOCs. Subscribe and unsubscribe from watchlists curated by Carbon Black and third parties.
View Third Party Watchlists: View all watchlists; custom and curated by Carbon Black and third parties.
View Watchlists: View the Watchlists page and all available watchlists.
Device Control
Manage Enforcement: Turn on/off blocking on the Policies page. “Manage Policies” is required to change policy settings.
Manage External Devices: Review external devices, create approvals for specific or multiple USB devices, and manage approvals.
View External Devices: View the USB Devices page and all the detected external devices.
Endpoint Management
Bypass: Enable or disable bypass mode on a device.
Deregister and Delete Sensors: Manage deregistration and uninstall settings for sensors.
Export Device Data: Export device data to a CSV.
Get and Delete a Hash from Specified Devices: Upload and delete a hash from devices.
Background Scan: Enable or disable background scan on a device.
Manage Devices: Add and delete device owners; send activation codes; update sensors and signature versions.
Manage Device Assignments: Assign policies to devices.
Manage Sensor Groups: Add, edit, and delete sensor groups.
Quarantine: Enable or disable quarantined state on a device.
View Device Info and Sensor Groups: View device and sensor group information.
Investigate
Conduct Investigations: Use filters and search capability on the Investigate page.
Export Event Data: Export event data from the Investigate page to a CSV.
Live Query
Use Live Query: Use all Live Query capabilities. Create, execute, and view query results.
View Live Query: View query results.
Live Response
Use Live Response: Use all Live Response capabilities. Initiate sessions and perform actions on enabled endpoints. Requires the "View Live Response" permission.
View Live Response: Access and view content on the Live Response page. Requires the "Use Live Response" permission.
Organization Settings
Configure 2FA and SAML: Add, edit, and delete two-factor authentication and SAML settings.
Export Dashboard Data: Export dashboard data to a CSV.
Manage Org Information and Codes: Create organization settings; set registry key and reset company registration codes.
Manage Roles: Add, edit, and delete user roles.
Manage Users: Add, edit, and delete console users; assign roles to users.
View and Export Audit Logs: View and search audit logs; export audit log data to CSV.
Download Sensor Kits: Download sensor and signature version kits.
View 2FA and SAML: View two-factor authentication and SAML settings.
View Org Information and Codes: View organization settings, registry key, and company registration codes.
View Users: View console user information.
Policy Management
Manage Policies: Add, edit, and delete policies.
View Policies: View policies.
Files and Reputations
Delete Files: Delete uploaded reputation files.
Manage Reputations and Auto-Banned List: Add, edit, and delete reputations; configure auto banned list settings.
View Reputations: View and search reputations; view auto banned list settings.
Vulnerability Assessment
View and Export Vulnerability Data: View and export vulnerability data to a CSV.
Request Updated Vulnerability Data: Refresh the Vulnerabilities page to get the latest data.
Workload Management
Manage Workloads: Manage the install sensor action for workload VMs.
View Workloads: Access and view workload inventory data on the Workloads > VMs without Sensors page.
Manage notifications
Notifications are generated based on the detection of an alert or policy action. You can configure notifications to send emails to individuals or to connected systems via API keys.
To manage notifications
Add: click Add Notification, select the notification type, then click Add.
Edit: click the pencil icon.
Delete: click the x icon.
View history: click the clock icon.
Tip: Select the box next to Send only 1 email notification for each threat type per day to reduce the number of emails that you receive.
Notification types
Alert crosses a threshold: Notifies you if an alert crosses a specified severity threshold.
Alert includes specific TTPs: Notifies you if an alert exhibits specific TTPs. You can search and select multiple TTPs.
Policy action is enforced: Notifies you if a policy action is enforced. These notifications can be configured based on the action taken by the policy and will notify you when an application, process, or network connection has been terminated or denied based on policy rules.
Watchlist gets a hit: Notifies you if an IOC is detected in your environment.
Note: If you have set up both a TTP-based notification and a threat score-based notification, you may receive two emails for the same alert. Email addresses must be associated with registered Carbon Black Cloud console users.
API Access
Carbon Black’s Open API platform enables you to integrate with a variety of security products, including
SIEMs, ticket tracking systems, and your own custom scripts.
Manage API Access and Keys
Create Access Levels
Use pre-built API keys to integrate with SIEMs through Syslog, directly with Splunk via a Splunk add-on, or
integrate with IBM QRadar through a QRadar app.
Download pre-built API Keys
To find integration partners, see https://www.carbonblack.com/why-cb/integration-network/
(https://www.carbonblack.com/why-cb/integration-network/) and visit the Carbon Black Developer Network
at https://developer.carbonblack.com/ (https://developer.carbonblack.com/).
Manage API Access and Keys
When creating your API Keys, you should understand the following limitations and implications:
SIEM API Keys can only receive notifications through the notifications API. Use a SIEM API Key to
configure the Splunk add-on, QRadar app, or the Syslog API Key.
API Keys can call any API except for the notifications and Live Response API. Live Response API Keys
can call any API except for the notifications API.
API Keys inherit the permissions that are available to the user. Treat the API ID and API secret keys on
the API Access page the same as your Carbon Black Cloud console login password.
Create, edit, or delete API Keys
Add: Click Add API Key, enter the required information, then click Save.
Edit: Click the Edit button next to the API Key, make the appropriate changes, then click Save. The
access level of an API KEY cannot be changed; a new API Key must be created.
Delete: Click the dropdown arrow in the Actions column, then click Delete.
API Credentials and Notifications
From the dropdown arrow in the Actions column you can:
View Notifications History
View API Credentials
Notifications History
Select a timeframe from the dropdown to see all notifications sent to the API Key within that window.
API Keys associated with a notification rule cannot be deleted.
To delete API Keys with attached notification rules
1. Note the API ID of the API Key you would like to delete.
2. Click Settings in the left-side navigation, then click Notifications.
3. Find the API ID in the Subscribers column. Delete all associated notification rules. This should enable
you to successfully delete the API Key on the API Access page.
API Credentials
View the API ID and the API Secret Key of the API Key.
If credentials are compromised for an API Key, regenerate the API Secret Key.
1. Click Generate new API secret key in the API Credentials modal.
2. When prompted to confirm generation for the new key, click the Generate arrow icon.
3. The API Secret Key must be re-entered in the integration to take effect.
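As an added example (not code from this guide, from Carbon Black, or from the cbapi project), the following Python polls the notifications API with a SIEM API key, collapses duplicate threat notifications for one incident, and maps a rejected key to a clear error so a regenerated secret gets re-entered. The endpoint path, the X-Auth-Token layout, the response shape, the incidentId field and the environment variable names are assumptions taken from the Developer Network documentation rather than from this page; the sample response is constructed.

```python
"""Poll Carbon Black Cloud notifications with a SIEM API key (added example).

Assumptions, not stated on this page:
  - endpoint:    GET https://<console host>/integrationServices/v3/notification
  - auth header: X-Auth-Token: <API secret key>/<API ID>
  - body:        {"success": true, "notifications": [...]}, each item carrying
                 "type" ("THREAT" or "POLICY_ACTION"), "eventTime" (epoch ms)
                 and a "threatInfo" or "policyAction" object.
"""
import json
import os
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List

NOTIFICATION_PATH = "/integrationServices/v3/notification"  # assumed path


@dataclass
class Notification:
    kind: str        # "THREAT", "POLICY_ACTION" or "UNKNOWN"
    event_time: int  # epoch milliseconds as delivered by the API
    summary: str
    score: int       # threat score; 0 for policy actions


def auth_header(api_id: str, api_secret: str) -> dict:
    """Build the X-Auth-Token header; the secret is never logged or printed."""
    if not api_id or not api_secret:
        raise ValueError("API ID and API secret key are both required")
    return {"X-Auth-Token": f"{api_secret}/{api_id}"}


def parse_notifications(payload: dict) -> List[Notification]:
    """Normalise a response body into Notification records.

    THREAT items sharing an incidentId are collapsed to one: the guide warns
    that a TTP-based rule and a score-based rule can both fire for one alert.
    """
    if not payload.get("success", False):
        raise RuntimeError("notification API reported failure: "
                           + str(payload.get("message", "")))
    seen_incidents = set()
    records: List[Notification] = []
    for item in payload.get("notifications", []):
        kind = item.get("type", "UNKNOWN")
        when = int(item.get("eventTime", 0))
        if kind == "THREAT":
            info = item.get("threatInfo", {})
            incident = info.get("incidentId")
            if incident is not None:
                if incident in seen_incidents:
                    continue
                seen_incidents.add(incident)
            records.append(Notification(kind, when, info.get("summary", ""),
                                        int(info.get("score", 0))))
        elif kind == "POLICY_ACTION":
            act = item.get("policyAction", {})
            summary = f"{act.get('action', '?')} {act.get('applicationName', '?')}"
            records.append(Notification(kind, when, summary, 0))
        else:
            records.append(Notification("UNKNOWN", when, json.dumps(item)[:120], 0))
    return records


def fetch_notifications(host: str, api_id: str, api_secret: str,
                        timeout: float = 30.0) -> List[Notification]:
    """Fetch one batch from the console; maps 401/403 to a clear error."""
    req = urllib.request.Request("https://" + host + NOTIFICATION_PATH,
                                 headers=auth_header(api_id, api_secret))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_notifications(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            raise PermissionError(
                "console rejected the key: check the API ID/secret pair, that the "
                "key's access level permits the notifications API, and that a "
                "regenerated secret has been re-entered here") from err
        raise


# Constructed sample response used for offline testing (not real console data).
SAMPLE_RESPONSE = {
    "success": True,
    "notifications": [
        {"type": "THREAT", "eventTime": 1600000000000,
         "threatInfo": {"incidentId": "sample-incident-1",
                        "summary": "Suspicious PowerShell activity", "score": 7}},
        {"type": "THREAT", "eventTime": 1600000001000,   # same incident, TTP rule
         "threatInfo": {"incidentId": "sample-incident-1",
                        "summary": "Suspicious PowerShell activity", "score": 7}},
        {"type": "POLICY_ACTION", "eventTime": 1600000002000,
         "policyAction": {"action": "TERMINATE", "applicationName": "sample.exe"}},
    ],
}

if __name__ == "__main__":
    # Assumed environment variable names; keeps the secret off the command line.
    host = os.environ.get("CBC_HOST")
    if host:
        batch = fetch_notifications(host, os.environ["CBC_API_ID"],
                                    os.environ["CBC_API_SECRET"])
    else:
        batch = parse_notifications(SAMPLE_RESPONSE)
    for n in batch:
        print(n.kind, n.event_time, n.score, n.summary)
```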
Access Levels
Access levels offer the ability to create custom levels of access for your integrations with other security
products. Create custom access levels with specific, granular permissions to apply to an API key.
To create an Access level
1. On the Access Levels tab, click Add Access Level.
2. Enter a name and description for your access level.
3. Select the boxes of the permission functions (CRUDE) you wish to include in your access level.
Alternatively, you can select an existing access level or a user role from the Copy permissions from
dropdown to use as a template.
4. Click Save.
To apply an access level to an API key
1. On the API Access tab, click Add API Key.
2. Enter a name for your API Key, then select Custom from the Access level dropdown.
3. From the Custom access level dropdown you will see all user roles and access levels available in your
organization. Select an access level to apply to your API Key.
4. Click Save.
Note: Selecting a user role for an API key should only be used for testing purposes. User roles may contain
unversioned APIs. To see all currently supported and versioned APIs, visit the Carbon Black Developer
Network (https://developer.carbonblack.com/reference/cb-defense/).
Download pre-built API Keys
Pre-built API Keys are available for download. Sample API scripts are available to help you create your own
integrations.
Splunk or Splunk Cloud integration
The CB Defense add-on for Splunk pulls notifications from the Carbon Black Cloud into your Splunk
SIEM. https://splunkbase.splunk.com/app/3545/#/details
(https://splunkbase.splunk.com/app/3545/#/details).
The CB Defense App for Splunk provides two-way integration between Carbon Black Cloud and
Splunk, including interactive dashboards and API connectivity. See
https://splunkbase.splunk.com/app/3905/#/details
(https://splunkbase.splunk.com/app/3905/#/details). The CB Defense Add-On is required before
installing the CB Defense App.
QRadar integration
Visit the IBM X-Force App Exchange at https://exchange.xforce.ibmcloud.com/hub
(https://exchange.xforce.ibmcloud.com/hub). Search for "CB Defense App for IBM QRadar" for
installation instructions and download links to install the CB Defense integration with IBM QRadar.
Syslog integration
Carbon Black provides a pre-built Syslog integration to push CB Defense notifications into other SIEMs
that accept CEF or JSON style syslog input. See https://developer.carbonblack.com/reference/cb-
defense/connectors/#cb-defense-syslog-connector (https://developer.carbonblack.com/reference/cb-
defense/connectors/#cb-defense-syslog-connector).
The CB Integration Network website at https://www.carbonblack.com/why-cb/integration-network/
(https://www.carbonblack.com/why-cb/integration-network/) contains information about pre-built
integrations from Carbon Black and our technology partners.
The Developer Network website at https://developer.carbonblack.com
(https://developer.carbonblack.com) contains API reference documentation and other tutorials
regarding the Carbon Black Cloud open API. You can use this information to develop your own
integrations, as well as install and configure Carbon Black’s pre-built Splunk and QRadar integrations.
The cbapi Python module provides an easy-to-use Python interface to Carbon Black Cloud APIs. The
cbapi module is documented at https://cbapi.readthedocs.io (https://cbapi.readthedocs.io) and source
code, including example scripts, are available at https://github.com/carbonblack/cbapi-python
(https://github.com/carbonblack/cbapi-python).
To ask questions or interact with others who are using the APIs, visit the Developer Relations space on
the User eXchange at https://community.carbonblack.com/community/resources/developer-relations
(https://community.carbonblack.com/community/resources/developer-relations).
Inbox
View the status of sensor-related actions taken on your endpoints and hashes and access uploaded files.
When a request to upload a file from an endpoint to the console has been completed, the file will be
available for download from this page.
Download requested files
Upload file restrictions
Subtypes
Items in your inbox are categorized by the type of request that is sent to the sensor.
Bypass: Request to enable "bypass" mode; all policy enforcement on the endpoint is disabled
Quarantine: Request to enable "quarantine" mode; isolate an endpoint from the network to mitigate
spread of malicious activity
Delete Hash: Request to delete an application/file by hash
Upload Hash: Request to upload an application/file by hash to the console
Kill Switch: Request to terminate a live response session
Background Scan: Request to initiate a background scan
Note: Bypass and Quarantine subtype requests will show either On or Off in the Action column to indicate
whether the mode is being enabled or disabled on the endpoint.
Status
The Status of a Subtype request indicates the last known status of the request received from the sensor.
Triggered: The request is submitted through the console, but not yet received by the sensor
Sent to sensor: The request has been received by the sensor; typically occurs once the sensor has
checked into the cloud
Success: The request has been completed by the sensor; requested files are available for download
Error: The request has failed
Download requested files
During an investigation, you may come across interesting or suspicious files. You can request to obtain these
files from an endpoint for further investigation.
This option is available in certain locations across the console by clicking the Take Action button on an
application and selecting Request Upload. The request will populate on the Inbox page.
When the file is available for download, click the Download icon next to the file name. Uploaded files expire
after two weeks. Attempting to download an expired file will result in a timeout error.
Note: Not all files are compatible with upload requests. See the list of upload file restrictions.
Manual upload file restrictions
The following file restrictions apply to manual file uploads.
Windows
Windows does not restrict uploading of script files when Private Logging Level is enabled in the policy.
Windows files that have the following file extensions can be uploaded for analysis:
.exe
.dll
.sys
.ocx
.drv
.scr
.pif
.ex_
.msi
.vb
.vbs
.jar
macOS
macOS scripts are not uploaded if Private Logging Level is enabled in the policy. If Allow Executable
Uploads for Scans is not selected, all script uploads are disabled regardless of type.
Common macOS object types can be uploaded for analysis:
Perl
Python
Ruby
Shell
TCL
PHP
Applescript
The following objects cannot be uploaded:
Files in the /etc directory
Files that contain the following extensions:
.class
.js
.pkg and .dmg with a file size of > 20MB
Scripts (when Private Logging Level is enabled)
Document files including:
Keynote
PDF
MS Office
Open Office (determined by both magic and extension)
Files that do not contain a Magic Cookie (the first four bytes of a file that identifies the special
file format)
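Added example (not Carbon Black code): a Python pre-check that encodes the Windows and macOS restrictions above, so an analyst can tell before filing a Request Upload whether the sensor will honour it and why a request would end in Error. The script and document extension sets and the four-byte signature table are assumed subsets chosen for illustration, not the sensor's real lists, and the sample inputs are constructed.

```python
"""Predict whether a file is eligible for a manual upload request (added example).

Encodes the restrictions listed in the guide. The extension sets and the
magic-number table below are assumed, partial lists for illustration.
"""
import os
from typing import Optional, Tuple

WINDOWS_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".drv", ".scr", ".pif",
                      ".ex_", ".msi", ".vb", ".vbs", ".jar"}
# Assumed extension mapping for the script types the guide lists for macOS.
MACOS_SCRIPT_EXTENSIONS = {".pl", ".py", ".rb", ".sh", ".tcl", ".php",
                           ".scpt", ".applescript"}
PKG_DMG_LIMIT = 20 * 1024 * 1024
# Assumed subset of four-byte signatures used to recognise a magic cookie.
MAGIC = {
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2",      # legacy MS Office container
    b"PK\x03\x04": "zip",              # docx/xlsx/pptx, OpenOffice, Keynote, jar
    b"\xcf\xfa\xed\xfe": "macho",
    b"\xca\xfe\xba\xbe": "macho-fat",
}


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def _is_script(path: str, head: bytes) -> bool:
    return _ext(path) in MACOS_SCRIPT_EXTENSIONS or head.startswith(b"#!")


def _has_magic(head: bytes) -> bool:
    """A magic cookie is present if the first bytes match a known signature
    or the file opens with a shebang (scripts are accepted by type)."""
    return head.startswith(b"#!") or any(head.startswith(sig) for sig in MAGIC)


def _document_kind(path: str, head: bytes) -> Optional[str]:
    """Document detection uses both magic and extension, as the guide states."""
    ext = _ext(path)
    if head.startswith(b"%PDF") or ext == ".pdf":
        return "PDF"
    if head.startswith(b"\xd0\xcf\x11\xe0") or ext in {".doc", ".xls", ".ppt"}:
        return "MS Office"
    if head.startswith(b"PK\x03\x04") and ext in {".docx", ".xlsx", ".pptx"}:
        return "MS Office"
    if head.startswith(b"PK\x03\x04") and ext in {".odt", ".ods", ".odp"}:
        return "Open Office"
    if ext == ".key":
        return "Keynote"
    return None


def upload_eligibility(platform: str, path: str, size: int, head: bytes,
                       private_logging: bool = False,
                       allow_exec_uploads: bool = True) -> Tuple[bool, str]:
    """Return (eligible, reason). platform is 'windows' or 'macos'.

    head is the first few bytes of the file; size is its length in bytes.
    private_logging / allow_exec_uploads mirror the policy settings named
    in the guide.
    """
    ext = _ext(path)
    if platform == "windows":
        # Windows is an extension allowlist; Private Logging Level does not
        # block script files on Windows.
        if ext in WINDOWS_EXTENSIONS:
            return True, f"extension {ext} is on the Windows allowlist"
        return False, f"extension {ext!r} is not on the Windows allowlist"
    if platform != "macos":
        return False, f"unknown platform {platform!r}"
    if path.startswith("/etc/"):
        return False, "files in /etc are never uploaded"
    if ext in {".class", ".js"}:
        return False, f"{ext} files are not uploaded"
    if ext in {".pkg", ".dmg"} and size > PKG_DMG_LIMIT:
        return False, f"{ext} larger than 20MB is not uploaded"
    doc = _document_kind(path, head)
    if doc:
        return False, f"document files ({doc}) are not uploaded"
    if _is_script(path, head):
        if not allow_exec_uploads:
            return False, "Allow Executable Uploads for Scans is not selected"
        if private_logging:
            return False, "scripts are not uploaded while Private Logging Level is on"
        return True, "script upload permitted"
    if not _has_magic(head):
        return False, "no recognisable magic cookie in the first four bytes"
    return True, "eligible for upload"


if __name__ == "__main__":
    # Constructed sample requests; paths and headers are illustrative only.
    samples = [
        ("windows", "C:\\Temp\\tool.exe", 4096, b"MZ\x90\x00", {}),
        ("macos", "/tmp/run.sh", 120, b"#!/bin/sh\n", {"private_logging": True}),
        ("macos", "/tmp/report.pdf", 900, b"%PDF-1.4", {}),
        ("macos", "/tmp/a.out", 8000, b"\xcf\xfa\xed\xfe", {}),
    ]
    for plat, path, size, head, opts in samples:
        print(path, upload_eligibility(plat, path, size, head, **opts))
```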
Audit Log
Use the Audit Log to review actions performed by Carbon Black Cloud console users. By default, the Audit
Log will show entries in the Standard view for 2 weeks.
To increase or decrease the level of granularity of log entries, choose from the three available log views.
Flagged: View entries flagged as important, such as failed login attempts and locked accounts.
Standard: View all actions performed by console users, including actions taken on policies, sensor
groups, alerts, etc. Includes all entries shown in the Flagged view.
Verbose: View all audit log entries in the given time frame, including all page loads. Includes all entries
shown in the Flagged and Standard views.
To expand the scope of your search, choose an option from the time frame dropdown to view entries
specifically during that period.
Select Custom to create your own time frame
Select All available to display data from the last 13 months, if available
Carbon Black Cloud - Endpoint Advanced User Guide.pdf

More Related Content

PPTX
Contemporary software TRENDS SOFTWARE TRENDS
PDF
Netezza database users_guide
PDF
Informatica Command Line Statements
PPTX
Securing your Cloud Environment v2
KEY
Trending with Purpose
PPTX
Open Source Software
PDF
Pwx 90 cdc_guide_for_luw
PDF
Aburajab ndss-13
Contemporary software TRENDS SOFTWARE TRENDS
Netezza database users_guide
Informatica Command Line Statements
Securing your Cloud Environment v2
Trending with Purpose
Open Source Software
Pwx 90 cdc_guide_for_luw
Aburajab ndss-13

Similar to Carbon Black Cloud - Endpoint Advanced User Guide.pdf (20)

PPTX
Malware Analysis For The Enterprise
PPTX
Nagios Conference 2012 - Nathan Vonnahme - Monitoring the User Experience
PDF
Securing your Cloud Environment
PDF
NIC2012 - System Center Endpoint Protection 2012
PPT
Nomura UCCSC 2009
PDF
Data Migration Approach to SAP ISU CRM ECC.pdf
PDF
Informatica transformation guide
PDF
Power center 10.4 getting started .pdf
PDF
Openedge Development Progress 4gl Handbook John Sadd
PPTX
Open Source Defense for Edge 2017
PDF
Pc 901 performance_tuningguide_en
ODP
Effective DevSecOps
PPTX
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
PDF
Building a low cost hack lab
PPT
Good Security Starts with Software Assurance - Software Assurance Market Plac...
PPTX
Introduction to cyber security
PDF
20090106c Presentation Custom
PDF
Thick Application Penetration Testing: Crash Course
PDF
Presentation of glpi project, OW2con'19, June 12-13, Paris.
 
PDF
Osso software
Malware Analysis For The Enterprise
Nagios Conference 2012 - Nathan Vonnahme - Monitoring the User Experience
Securing your Cloud Environment
NIC2012 - System Center Endpoint Protection 2012
Nomura UCCSC 2009
Data Migration Approach to SAP ISU CRM ECC.pdf
Informatica transformation guide
Power center 10.4 getting started .pdf
Openedge Development Progress 4gl Handbook John Sadd
Open Source Defense for Edge 2017
Pc 901 performance_tuningguide_en
Effective DevSecOps
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
Building a low cost hack lab
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Introduction to cyber security
20090106c Presentation Custom
Thick Application Penetration Testing: Crash Course
Presentation of glpi project, OW2con'19, June 12-13, Paris.
 
Osso software
Ad

Recently uploaded (20)

PDF
David L Page_DCI Research Study Journey_how Methodology can inform one's prac...
PPTX
A powerpoint presentation on the Revised K-10 Science Shaping Paper
PDF
HVAC Specification 2024 according to central public works department
PDF
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 1)
PDF
Τίμαιος είναι φιλοσοφικός διάλογος του Πλάτωνα
PDF
LIFE & LIVING TRILOGY- PART (1) WHO ARE WE.pdf
PDF
Uderstanding digital marketing and marketing stratergie for engaging the digi...
PDF
BP 505 T. PHARMACEUTICAL JURISPRUDENCE (UNIT 1).pdf
PDF
Hazard Identification & Risk Assessment .pdf
PDF
LIFE & LIVING TRILOGY - PART (3) REALITY & MYSTERY.pdf
PDF
FORM 1 BIOLOGY MIND MAPS and their schemes
PPTX
Core Concepts of Personalized Learning and Virtual Learning Environments
PDF
Skin Care and Cosmetic Ingredients Dictionary ( PDFDrive ).pdf
PDF
LEARNERS WITH ADDITIONAL NEEDS ProfEd Topic
PDF
Paper A Mock Exam 9_ Attempt review.pdf.
PDF
semiconductor packaging in vlsi design fab
PDF
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 2).pdf
PDF
LIFE & LIVING TRILOGY - PART - (2) THE PURPOSE OF LIFE.pdf
PDF
Vision Prelims GS PYQ Analysis 2011-2022 www.upscpdf.com.pdf
PPTX
Module on health assessment of CHN. pptx
David L Page_DCI Research Study Journey_how Methodology can inform one's prac...
A powerpoint presentation on the Revised K-10 Science Shaping Paper
HVAC Specification 2024 according to central public works department
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 1)
Τίμαιος είναι φιλοσοφικός διάλογος του Πλάτωνα
LIFE & LIVING TRILOGY- PART (1) WHO ARE WE.pdf
Uderstanding digital marketing and marketing stratergie for engaging the digi...
BP 505 T. PHARMACEUTICAL JURISPRUDENCE (UNIT 1).pdf
Hazard Identification & Risk Assessment .pdf
LIFE & LIVING TRILOGY - PART (3) REALITY & MYSTERY.pdf
FORM 1 BIOLOGY MIND MAPS and their schemes
Core Concepts of Personalized Learning and Virtual Learning Environments
Skin Care and Cosmetic Ingredients Dictionary ( PDFDrive ).pdf
LEARNERS WITH ADDITIONAL NEEDS ProfEd Topic
Paper A Mock Exam 9_ Attempt review.pdf.
semiconductor packaging in vlsi design fab
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 2).pdf
LIFE & LIVING TRILOGY - PART - (2) THE PURPOSE OF LIFE.pdf
Vision Prelims GS PYQ Analysis 2011-2022 www.upscpdf.com.pdf
Module on health assessment of CHN. pptx
Ad

Carbon Black Cloud - Endpoint Advanced User Guide.pdf

  • 2. Copyrights and notices Copyright © 2011–2020 VMware, Inc. All rights reserved. Carbon Black is a registered trademark and/or trademark of VMware, Inc. in the United States and other countries. All other trademarks and product names be the trademarks of their respective owners. This document is for use by authorized licensees of Carbon Black’s products. It contains the con dential and proprietary information of Carbon Black, Inc. and may be used by authorized licensees solely in accordance with the license agreement and/or non-disclosure agreement governing its use. This document may not be reproduced, retransmitted, or redistributed, in whole or in part, without the written permission of Carbon Black. Carbon Black disclaims all liability for the unauthorized use of the information contained in this document and makes no representations or warranties with respect to its accuracy or completeness. Users are responsible for compliance with all laws, rules, regulations, ordinances and codes in connection with the use of the Carbon Black products. THERE IS NO WARRANTY FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS OTHERWISE EXPRESSLY STATED IN A WRITTEN END USER LICENSE AGREEMENT BETWEEN CARBON BLACK AND LICENSEE. THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE SOFTWARE "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH LICENSEE. SHOULD THE SOFTWARE PROVE DEFECTIVE, EXCEPT AS OTHERWISE AGREED TO BY CARBON BLACK IN THE APPLICABLE END USER LICENSE AGREEMENT, LICENSEE ASSUMES THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 
Carbon Black acknowledges the use of the following third-party software in its software product: Antlr python runtime - Copyright (c) 2010 Terence Parr Backbone - (c) 2010–2012 Jeremy Ashkenas, DocumentCloud Inc. Beautifulsoup - Copyright (c) 2004– 2015 Leonard Richardson D3 - Copyright (c) 2010–2015, Michael Bostock FileSaver - Copyright (c) 2015 Eli Grey. Detours Professional 3.0 License - Copyright (c) Microsoft Corporation. All rights reserved. Portions are covered by patents owned by Microsoft Corporation. Heredis - Copyright (c) 2009–2011, Salvatore San lippo and Copyright (c) 2010–2011, Pieter Noordhuis Java memcached client - Copyright (c) 2006–2009 Dustin Sallings and Copyright (c) 2009–2011 Couchbase, Inc. Jedis - Copyright (c) 2010 Jonathan Leibiusky jQuery - Copyright 2005, 2014 jQuery Foundation, Inc. and other contributors Libcurl - Copyright (c) 1996 - 2015, Daniel Stenberg, daniel@haxx.se. libfreeimage.a - FreeImage open source image library. Meld3 - Supervisor is Copyright (c) 2006–2015 Agendaless Consulting and Contributors. moment.js - Copyright (c) 2011–2014 Tim Wood, Iskren Chernev, Moment.js contributors MonthDelta - Copyright (c) 2009–2012 Jess Austin
  • 3. nginx - Copyright (c) 2002–2014 Igor Sysoev and Copyright (c) 2011–2014 Nginx, Inc. OpenSSL - Copyright (c) 1998–2011 The OpenSSL Project. All rights reserved. OpenSSL - Copyright (c) 1998–2016 The OpenSSL Project, Copyright (c) 1995–1998 Eric Young, Tim Hudson. All rights reserved. PolarSSL - Copyright (C) 1989, 1991 Free Software Foundation, Inc. PostgreSQL - Portions Copyright (c) 1996–2014, The PostgreSQL Global Development Group and Portions Copyright (c) 1994, The Regents of the University of California PostgreSQL JDBC drivers - Copyright (c) 1997–2011 PostgreSQL Global Development Group Protocol Buffers - Copyright (c) 2008, Google Inc. Pyrabbit - Copyright (c) 2011 Brian K. Jones Python decorator - Copyright (c) 2008, Michele Simionato Python ask - Copyright (c) 2014 by Armin Ronacher and contributors Python gevent - Copyright Denis Bilenko and the contributors, http://www.gevent.org (http://www.gevent.org) Python gunicorn - Copyright 2009–2013 (c) Benoit Chesneau benoitc@e-engura.org and Copyright 2009–2013 (c) Paul J. Davis paul.joseph.davis@gmail.com Python haigha - Copyright (c) 2011–2014, Agora Games, LLC All rights reserved. Python hiredis - Copyright (c) 2011, Pieter Noordhuis Python html5 library - Copyright (c) 2006–2013 James Graham and other contributors Python Jinja - Copyright (c) 2009 by the Jinja Team Python Markdown - Copyright 2007, 2008 The Python Markdown Project Python ordereddict - Copyright (c) Raymond Hettinger on Wed, 18 Mar 2009 Python psutil - Copyright (c) 2009, Jay Loden, Dave Daeschler, Giampaolo Rodola’ Python psycogreen - Copyright (c) 2010–2012, Daniele Varrazzo daniele.varrazzo@gmail.com Python redis - Copyright (c) 2012 Andy McCurdy Python Seasurf - Copyright (c) 2011 by Max Countryman. Python simplejson - Copyright (c) 2006 Bob Ippolito Python sqlalchemy - Copyright (c) 2005–2014 Michael Bayer and contributors. SQLAlchemy is a trademark of Michael Bayer. 
Python sqlalchemy-migrate - Copyright (c) 2009 Evan Rosson, Jan Dittberner, Domen Kozar Python tempita - Copyright (c) 2008 Ian Bicking and Contributors Python urllib3 - Copyright (c) 2012 Andy McCurdy Python werkzeug - Copyright (c) 2013 by the Werkzeug Team, see AUTHORS for more details. QUnitJS - Copyright (c) 2013 jQuery Foundation, http://jquery.org/ (http://jquery.org/) RabbitMQ - Copyright (c) 2007–2013 GoPivotal, Inc. All Rights Reserved. redis - Copyright (c) by Salvatore San lippo and Pieter Noordhuis
  • 4. Rekall - Copyright (c) 2007-2011 Volatile Systems, Copyright (c) 2013-2016 Google Inc. All Rights Reserved. Simple Logging Facade for Java - Copyright (c) 2004–2013 QOS.ch Six - Copyright (c) 2010–2015 Benjamin Peterson Six - yum distribution - Copyright (c) 2010–2015 Benjamin Peterson Spymemcached / Java Memcached - Copyright (c) 2006–2009 Dustin Sallings and Copyright (c) 2009– 2011 Couchbase, Inc. Supervisord - Supervisor is Copyright (c) 2006–2015 Agendaless Consulting and Contributors. Underscore - (c) 2009–2012 Jeremy Ashkenas, DocumentCloud Inc. Zlib - Copyright (c) 1995–2013 Jean-loup Gailly and Mark Adler Permission is hereby granted, free of charge, to any person obtaining a copy of the above third-party software and associated documentation les (collectively, the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notices and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE LISTED ABOVE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
Carbon Black, Inc. 1100 Winter Street, Waltham, MA 02451 USA Tel: 617.393.7400 Fax: 617.393.7499 Email: support@carbonblack.com Web: http://www.carbonblack.com (http://www.carbonblack.com)
  • 5. Dashboard The dashboard provides a high-level overview of your environment and enables you to quickly navigate to items of interest. You can customize the dashboard tiles and display data for speci c time periods and policies. About dashboard widgets Customize your dashboard
  • 6. About dashboard widgets Attacks Stopped Potentially Suspicious Activity Attack Stages Attacks by Vector Endpoint Health Top Alerted Devices Top Alerted Applications Attacks Stopped A summary of attacks that were stopped within the speci ed time frame and policy, due to a policy setting. Click any attack type to open the Alerts page for that type of attack. Non-Malware: Processes that were stopped due to your local banned list or malicious behavior, including dual-use les and tools. This includes the case where the reputation is good (for example, a PowerShell or Winword.exe le), but it is behaving badly. Potential Malware: Processes that could be a vessel for malware but do not have a reputation for malicious behavior. This could include MSBuild, InstallUtil, MSHTA.exe, and others. Malware: Files identi ed as having no purpose other than performing malicious actions on an endpoint for the bene t of an attacker. PUPs: Potentially Unwanted Programs. In the best case, PUPs produce annoying results (delivering popup ads), but are sometimes used to deliver malware. Potentially Suspicious Activity A summary of activities that were detected but were not stopped during the speci ed time frame and policy because of certain policy rules. Click any of the event types on the widget to open the Alerts page for the selected type of event. Attack Stages Click any bar in the Attack Stages bar graph to access the Alerts page and view more details about the associated alerts. Reconnaissance: Research, identify, and select targets. Weaponize: Create a deliverable payload. Delivery/Exploitation: Deliver and initiate code. Install/Run: Install a backdoor to allow persistent access. Command/Control: Communicate with the code from an external device. Execute Goal: Achieve objective. Attacks by Vector
  • 7. The vectors through which attacks occurred within the speci ed time frame and policy. Click any percentage to open the Alerts page for the selected type of vector. Only attacks with known vectors are displayed in this widget; all attacks with unknown vectors are omitted from the display. Attacks with unknown vectors are still factored into the percentage calculations, which may cause the widget percentages to be less than 100%. Endpoint Health The status of sensors on the endpoints. Click any status to go to the Endpoints page and view the deployed sensors that are in the selected state. Red text indicates that a sensor might require some action. Active: Sensor has checked in within the last 30 days Inactive: Sensor has not checked in within the last 30 days Deregistered: Sensor was uninstalled. It will persist on Endpoints as a deregistered device until removed Eligible for update: Sensor can be updated to a more current version Quarantined: Sensor is isolated from a ecting your network with malware or other suspicious activity Bypass: Sensor is not sending data to the cloud or is placed here temporarily during an update Top Alerted Devices A list of the devices that have received the most alerts within the speci ed time frame. Top Alerted Applications A list of the applications that have received the most alerts within the speci ed time frame.
  • 8. Customize your dashboard Con gure dashboard widgets You can add, remove, resize, and drag and drop to rearrange widgets on the dashboard. To con gure your dashboard 1. Click Con gure Dashboard. To remove a widget, click the red circle on the widget. To add a widget, click More Widgets and select a widget to drag and drop onto the dashboard. 2. Click Save Con guration. Filter data on dashboard Data in the dashboard can be ltered by: Time frame: Set the time frame to view data speci cally during that window. Select an existing window or create a custom one. Selecting All available from the dropdown will display the last 13 months of data, if available. Note: The Endpoint Health widget is not a ected by the time window and optional data ltering. Alert severity: Set the severity score to show only a certain range of values. The default value is 3. All alerts with the selected or higher severity score will display. Group alerts: Set Group alerts to ON or OFF to view like alerts collectively or individually. The default value is OFF. Include other observed activity: Other observed activity indicates interesting activity that has not been raised to the level of an alert. This is disabled by default. Include dismissed alerts: Alerts that have been previously dismissed. This is disabled by default. Click Export All to export all the data on the dashboard page to a CSV le. Alternatively, download any individual data set by clicking the down-arrow in that widget.
  • 9. Alerts Overview Alerts are indicators of known threats or potential risks to your environment. Regularly review alerts to determine whether action needs to be taken or policies need to be modi ed. Alert Details To expand and view alert details, double-click and alert row in the table. Alert details, types, and severity Group alerts About TTPs and MITRE Techniques TTP Reference MITRE Techniques Reference Triage and Remediation Dismiss alerts Analyze alerts on Alert Triage Note: Advanced Scripting Prevention alerts do not have access to the Alert Triage page. Search Help Search Basics Note: Timestamps within the console are displayed in the user's local time zone. Hover over timestamps to view your local time in relation to the UTC time zone.
  • 10. Alert details, types, and severity Alert details To view more details, double-click an alert or click the > to the right of the Actions column. The expanded, right-side panel includes sections for more information on the alert's primary process and device. Click Show details to further expand each section. View or add alert notes and tags at the bottom of the expanded right-panel in the Notes & Tags section. In the table, the Status column will show Policy Applied with a red shield icon if an action was taken by a policy on the alert. Alert types Alerts can come from two sources: USB Device Control or CB Analytics. View alerts from each source by using the Type lter. USB Device Control alerts When an end user tries to access a blocked USB device, a deny policy action is triggered, resulting in an alert. USB Device Control alerts cannot be triaged or investigated. To view and manage USB Device Control alerts: 1. On the Alerts page, lter results by selecting USB Device Control in the Type lter. 2. Double-click an alert or click the > to the right of the Actions column to view the expanded right-side panel. In this panel, view device details like vendor ID, product ID, and serial number. 3. Click Approve and approve a blocked USB device, or go to the USB Devices Inventory page to view all devices detected in your environment. CB Analytics alerts CB Analytics alerts are detections generated by the Carbon Black Cloud analytics engine. These alerts are further separated into two categories, indicated by the color of the alert: Threat: Coded with the color red, located in the Priority lter. These alerts are highly likely to be malicious activity. All Watchlists alerts are grouped in the Threat category. Observed: Coded with the color yellow, located in the Other Activity lter. These alerts are observed behaviors which have not been escalated to a degree which would indicate a threat or require action. Useful for additional context when conducting investigations. 
We recommend only selecting the Threat box in the lters panel when reviewing your queue of CB Analytics alerts to help prioritize and focus your analysis. Alert severity Alert severity indicates the relative importance of an alert. Click the S column to sort the alerts in your queue by severity score and identify which alerts might require immediate attention.
  • 11. Severity 1-2: Activities such as port scans, malware drops, changes to system con guration les, persistence, etc. Severity 3-5: Activities such as malware running, generic virus-like behavior, monitoring user input, potential memory scraping, password theft, etc. Severity 6-10: Activities such as reverse command shells, process hollowing, destructive malware, hidden processes and tool sets, applications that talk on the network but should not, etc. Target value The target value acts as a multiplier when calculating the threat level of an alert. Target values are de ned by the policy to which an endpoint belongs. The target value is indicated by the number of lled bars under the T column in the alerts table. Low: One bar. Results in a lower threat level. Medium: Two bars. The baseline target value; does not add a multiplier. High/Mission Critical: Three or four bars. Both values increase the threat level under the same circumstances. You may see two or more alerts with identical descriptions but with di erent alert severities.
  • 12. Group alerts About grouped alerts Similar alerts may be seen across multiple endpoints. Use the Group alerts toggle in the top right of the table to group all similar alerts occuring across multiple endpoints into a single row. Group alerts: O By default, the toggle is turned O . In this view, all alerts are displayed individually in a single alert row, even if an alert is seen on multiple devices. Alerts can only be sorted by severity when the toggle is turned O . We recommend this view to identify alert prioritization, or when actions need to be taken on an individual alert. Group alerts: On Grouped alerts are condensed into a single, alert row. Click the Devices icon in the Actions column of a grouped alert row to view all alerts within the grouping, across all devices. Alerts cannot be sorted by severity when the toggle is turned On. We recommend using the toggle On to identify the prevalence of similar alerts across your organization, or to e ciently dismiss alerts across multiple devices. When grouped, these alerts represent a singular, collective "alert grouping" or "threat", identi ed by its Threat ID. Alerts are grouped by their detected primary process and alert reason. Note: Threat ID is not currently displayed in the console. However, it can be retrieved from the URL when viewing an alert on the Alert Triage page.
• 13. Dismiss alerts

To dismiss alerts
1. Turn Group Alerts to OFF to dismiss alerts on a single device; turn Group Alerts to ON to dismiss alerts on multiple devices.
2. Select the alerts you want to dismiss.
3. Click Dismiss Alert(s).
4. To dismiss all future occurrences of an alert, select If this alert occurs in the future, automatically dismiss it on all devices. Email notifications are not associated with alert dismissals. You will still receive email notifications for automatically dismissed future alerts.
5. Select a reason for the dismissal and use the open text box to include notes for the audit log entry. Click Dismiss.

Note: Alerts can present different SHA-256 hashes. To dismiss an alert on multiple devices, the hash of the object must be the same.

To bulk dismiss alerts
1. Select the checkbox in the top-left corner of the Alerts table to select all alerts listed on the page.
2. Click select all in the header prompt to select all alerts across all pages.
3. Click Dismiss Alert(s).
4. To dismiss all future occurrences of an alert, select If this alert occurs in the future, automatically dismiss it on all devices. Email notifications are not associated with alert dismissals. You will still receive email notifications for automatically dismissed future alerts.
5. Select a reason for the dismissal and use the open text box to include notes for the audit log entry. Click Dismiss.
• 14. Search Basics

Value Search
Use complete values when searching (e.g., powershell) or a trailing wildcard (e.g., power*).

Search Fields
Form queries like this when including search fields: field:term
e.g., parent_name:powershell.exe

Wildcards
Expand queries using wildcards.
? Matches a single character. e.g., "te?t" will return results for "test" and "text"
* Matches zero or more sequential characters. e.g., "tes*" will return results for "test," "testing," and "tester"
Leading wildcards are assumed in file extension searches. e.g., process_name:.exe
Wildcards can be used in a path if you don't quote the value and escape the following special characters with a backslash: + - && || ! ( ) { } ^ " ~ * ? : /
e.g., to search for (1+1):2, type: \(1\+1\)\:2

Operators
Refine queries using operators. Operators must be uppercase.
AND returns results when both terms are present
OR returns results when either term is present
NOT returns results when a term is not present

Escaping
Slashes, colons, and spaces must be manually escaped, except when using suggestions and filters.

Date/Time Ranges
Refine queries using date/time ranges, when applicable.
e.g., device_timestamp:[2018-10-25T14:00:00Z TO 2018-10-26T15:00:00Z]

Count Searches
Refine queries that include counts with ranges and wildcards.
[3 TO *] Returns count results starting with a value of 3.
[* TO 10] Returns count results up to a value of 10.
• 15. Alert Triage
Click the orange Take Action button to quickly add an application to the approved list or banned list, request a file upload, delete an application, or view detections in VirusTotal. Click Investigate to view and analyze an alert on the Investigate page.

In this section:
Take action on alerts
Visualizing alerts
Alert origin, behaviors, and TTPs
About TTPs and MITRE Techniques
TTP Reference
MITRE Techniques Reference
• 16. Take action on alerts
In addition to the functions available from the Take Action button, there are several other actions you can take on your CB Analytics alerts.

Dismiss or undismiss
Click Dismiss or Undismiss to take the desired action on an alert. Use the arrow buttons to quickly scroll between alerts. Dismiss alerts across devices or in bulk on the Alerts page.

Add notes and tags
In the Notes and Tags tab, add relevant information about an alert. Adding notes and tags allows for easy search and filtering of alerts, as well as a means of communication between console users.

Quarantine a device triggered by an alert
Click Quarantine Device, then Request quarantine. Quarantining the device prevents suspicious activity and malware from affecting the rest of your network. A device remains in quarantine until it is explicitly removed from the quarantined state. It can take several minutes to place a device in quarantine. To remove a device from quarantine, click Unquarantine device(s).

Use Live Response
Click Go Live to initiate a Live Response session. Use Live Response to perform remote investigations, contain ongoing attacks, and remediate threats. Users must be assigned a role with Live Response permissions in the Carbon Black Cloud to use the Live Response functionality. Live Response is available on endpoints running a version 3.0 or later sensor and which have been assigned a policy with Live Response enabled. Live Response can be used on devices in bypass mode or quarantine.
• 17. Visualizing alerts
Access a visualization, or process tree, of your alerts by clicking the Alert Triage icon from the Alerts page. Each event in the attack stream (process, file, or network connection) is shown in the process tree as a node, with the attack origin displayed on the left and each subsequent event shown from left to right as the attack progressed. Click a node to view additional information and take action in the Selected Node collapsible panel.

Node Types
Operating System/Root Node: The root node at the far left of the process tree represents the host device on which the original activity took place. The root node icon represents the operating system that was running on the device.
Gears/Processes: Processes that have run or are still running.
Documents/Files: Files that were created on disk.
Network Connections/IP addresses: IP addresses are shown as network connection icons.
Note: If an operation is denied, an exclamation point (!) displays next to the denied process. If a process is terminated, an X displays next to the terminated process.

Line Types
Invoked: A solid line indicates that one process invoked another process, file, or network connection.
Injected: A dashed line indicates that one process injected code into another process.
Read Memory: A dotted and dashed line indicates that one process attempted to read the virtual memory of another process (but did not inject into the process).
Accessed Target: A dotted line indicates that one process attempted to enter another process (but did not inject into the process).
• 18. Alert origin, behaviors, and TTPs
Access origin and behavior details about your alerts by clicking the Alert Triage icon.

Alert origin: Describes how the primary process for the alert was introduced onto the host, including information about how the primary process was written to disk.
Alert behaviors based on severity: Describes alert behaviors based on severity and displays an interactive TTP graph. Segments of the graph indicate the . Click a category label or graph segment to see a category's related TTPs, color coded by severity.

TTP color severity legend
Dark red: Severe
Bright red: High
Orange: Medium
Yellow: Low
Gray: None
Learn more about TTPs and MITRE TIDs.

Alert behavior categories
Process Manipulation: Behaviors with intent to modify and/or read the memory of other processes that are running on the device. Example: Injects code into the memory of another process.
Generic Suspect: Behaviors that are generic to multiple malware families but are also commonly exhibited by known "good" applications. Example: Attempts to persist beyond the reboot of a device, and enumerating the running processes on a system.
Data at Risk: Behaviors with intent to compromise the confidentiality, availability, or integrity of data on endpoints. Example: Ransomware-type behaviors or attempts to access user credentials.
Emerging Threats: Behaviors associated with non-malware attacks. Example: Abuse of native command line utilities such as PowerShell, and/or the exploitation of related activities such as buffer overflows.
Malware & Application Abuse: TTPs that are related to files with a generally known "bad" reputation, or applications seen executing files with known bad reputations. Note: This category also represents the monitoring of the execution of system applications. However, these TTPs are given a lower priority rating because of the high likelihood of being non-malicious actions.
Network Threat: Contains all TTPs that involve a process that is either communicating over the network or listening for incoming connections.
• 19. Investigate
Investigate and analyze the details of every event stored in the Carbon Black Cloud, including all failed and successful operations performed by applications and processes on endpoints.

Process details
Learn more about accessing details about your events and processes, how to take action, and about the data that populates from your search results.
Enriched Events: Events, Applications, Devices, Network
Note: When utilizing a search query including either "enriched:true" or "legacy:true", some data fields may populate with an empty placeholder value. Empty values are highly unlikely to appear in non-legacy data results.

Search basics
Use the advanced search capabilities on this page to find more detailed information about alerts, conduct investigations, and gain org-wide visibility into the prevalence of events and processes running in your environment. Use the Search Guide at the top of the page to access a full list of available search terms to help you create advanced queries.

Value Search
Use complete values when searching (e.g., powershell) or a trailing wildcard (e.g., power*).

Search Fields
Form queries like this when including search fields: field:term
e.g., parent_name:powershell.exe

Wildcards
Expand queries using wildcards.
? Matches a single character. e.g., "te?t" will return results for "test" and "text"
* Matches zero or more sequential characters. e.g., "tes*" will return results for "test," "testing," and "tester"
Leading wildcards are assumed in file extension searches. e.g., process_name:.exe
Wildcards can be used in a path if you don't quote the value and escape the following special characters with a backslash: + - && || ! ( ) { } ^ " ~ * ? : /
e.g., to search for (1+1):2, type: \(1\+1\)\:2

Operators
Refine queries using operators. Operators must be uppercase.
AND returns results when both terms are present
OR returns results when either term is present

• 20.
NOT returns results when a term is not present

Escaping
Slashes, colons, and spaces must be manually escaped, except when using suggestions and filters.

Date/Time Ranges
Refine queries using date/time ranges, when applicable.
e.g., device_timestamp:[2018-10-25T14:00:00Z TO 2018-10-26T15:00:00Z]

Count Searches
Refine queries that include counts with ranges and wildcards.
[3 TO *] Returns count results starting with a value of 3.
[* TO 10] Returns count results up to a value of 10.
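The Search Basics rules on pages 14 and 19-20 (field:term clauses, wildcards, backslash escaping, uppercase operators, date/time and count ranges) put into code, as an added example that is not part of this guide and is not Carbon Black code. The helper names, the field names netconn_count and process_cmdline, and the sample values are this example's own assumptions; escaping the backslash itself is assumed from Lucene-style syntax, which the guide does not list.

```python
"""Build Carbon Black Cloud search query strings from the Search Basics rules.

Added example; not code from the guide or from VMware Carbon Black.
"""
import re
from typing import List, Optional

# Single characters the guide says to escape with a backslash when a value is
# not quoted. The guide lists "&&" and "||"; escaping each '&' and '|' covers
# both. The space is included per the "Escaping" rule. The backslash itself is
# an assumption (Lucene-style syntax) that the guide does not state.
SPECIAL_CHARS = frozenset('+-&|!(){}^"~*?:/ \\')
WILDCARDS = frozenset("*?")
OPERATORS = ("AND", "OR", "NOT")
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def escape_value(value: str, keep_wildcards: bool = False) -> str:
    """Backslash-escape a raw value so it can be used unquoted in a query.

    With keep_wildcards=True, '*' and '?' are left alone so they act as
    wildcards (e.g. a path with a variable directory); everything else in
    SPECIAL_CHARS is still escaped.
    """
    out = []
    for ch in value:
        if ch in SPECIAL_CHARS and not (keep_wildcards and ch in WILDCARDS):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def field_term(name: str, value: str, keep_wildcards: bool = False) -> str:
    """Form a field:term clause, e.g. parent_name:powershell.exe."""
    return f"{name}:{escape_value(value, keep_wildcards)}"


def time_range(name: str, start: str, end: str) -> str:
    """Form an inclusive date/time range from two UTC ISO-8601 timestamps."""
    for value in (start, end):
        if not ISO_UTC.match(value):
            raise ValueError(f"expected a value like 2018-10-25T14:00:00Z, got {value!r}")
    return f"{name}:[{start} TO {end}]"


def count_range(name: str, low: Optional[int] = None, high: Optional[int] = None) -> str:
    """Form a count range; an open side becomes '*', e.g. [3 TO *]."""
    if low is None and high is None:
        raise ValueError("at least one bound is required")
    lo = "*" if low is None else str(low)
    hi = "*" if high is None else str(high)
    return f"{name}:[{lo} TO {hi}]"


def combine(terms: List[str], operator: str) -> str:
    """Join clauses with AND or OR; the guide requires uppercase operators."""
    if operator not in ("AND", "OR"):
        raise ValueError(f"operator must be uppercase AND or OR, got {operator!r}")
    if len(terms) < 2:
        raise ValueError("combine needs at least two clauses")
    return "(" + f" {operator} ".join(terms) + ")"


def negate(term: str) -> str:
    """Exclude a clause with NOT."""
    return f"NOT {term}"


def lowercase_operators(query: str) -> List[str]:
    """Return and/or/not tokens that are not uppercase; the search treats
    them as ordinary terms, which silently changes what the query matches."""
    return [t for t in query.split() if t.upper() in OPERATORS and t != t.upper()]


def example_query() -> str:
    """A triage query: PowerShell spawned by Word with at least one network
    connection in a time window, excluding a constructed tooling path.
    netconn_count and process_cmdline are assumed field names."""
    return combine(
        [
            field_term("parent_name", "winword.exe"),
            field_term("process_name", "powershell.exe"),
            count_range("netconn_count", low=1),
            time_range("device_timestamp", "2018-10-25T14:00:00Z", "2018-10-26T15:00:00Z"),
            negate(field_term("process_cmdline", "C:\\Tools\\*", keep_wildcards=True)),
        ],
        "AND",
    )


if __name__ == "__main__":
    print(escape_value("(1+1):2"))  # the guide's own escaping example
    print(example_query())
    print(lowercase_operators("process_name:cmd.exe and netconn_count:[1 TO *]"))
```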
• 21. Investigate - Enriched Events
The Carbon Black Cloud analyzes unfiltered data on all endpoints to highlight events that may be of interest based on types of behavior more likely to be associated with malicious activity, including 110+ core behaviors known to be leveraged by attackers. These events are called enriched events.

Four tabs, each with a focused perspective, offer alternative ways to view information about the events in your environment: Events, Applications, Devices, Network.
Note: Timestamps in the console are displayed in the user's local time zone. Hover over timestamps to view the local time relative to the UTC time zone.

Events
The Events tab is the default view. It shows every event stored in the Carbon Black Cloud, including all failed and successful operations performed by applications and processes on endpoints. Click the caret to open up additional process and event type information in the right-side panel. Click the dropdown arrow next to the process name to take action on the process. Click More to view additional device details and take action on the device.

Title / Description
Time: Date and time when the event occurred.
Type: The type of event. Types include: childproc (child process), filemod (file modification), netconn (network connection), crossproc (cross process), and regmod (registry modification).
Event: Details associated with the event, including the application/process path, what occurred during the event, and whether the operation was successful or not.
Device: The registered name of the device.

Applications
The Applications tab displays the total number of events associated with each unique hash. Click the dropdown icon to take action on an application/process:
Add to approved list/banned list: Add the application to the company approved list or company banned list.
Request upload: Request an upload of the application file for your analysis. The file will be uploaded onto the Inbox page once completed.
Find in VirusTotal: Find current information about the hash from various sources.
• 22.
Title / Description
Hash: The SHA-256 of the application/process. Click the hyperlinked hash to search by SHA-256 hash on the Events tab.
Application: The name and path of the application/process. Click the hyperlinked name to search by application/process name on the Events tab.
Effective Reputation: The reputation of the application/process hash as applied by the sensor at the time the event occurred.
Current Cloud Reputation: The real-time reputation of the application/process hash reported by the Carbon Black Cloud.
Events: The total number of events associated with the application/process hash. Click the hyperlinked number to search by SHA-256 hash on the Events tab.
Devices: The number of devices the hash has been detected on.

Devices
The Devices tab displays the total number of events associated with each device in your environment. Click the dropdown icon to take action on a specified device:
Enable or disable bypass
Quarantine or unquarantine a device

Title / Description
Device: The registered name of the device. Click the hyperlinked device name to see additional device details and to take action, including enable/disable bypass and quarantine/unquarantine the device.
User: User context in which the process was executed.
Policy: The policy group to which the device is registered. Click the hyperlinked policy name to view the policy on the Policies page.
Group: The sensor group to which the device is assigned, if applicable. Sensor groups can be viewed and managed on the Endpoints page.
OS: The device's operating system.
Events: The total number of events associated with the device. Click the hyperlinked number to search by device ID on the Events tab.

Network
The Network tab displays all network related events associated with each device and application/process in your environment. Click the caret to open up additional process and network connection information in the right-side panel. Click the dropdown arrow next to the process name to take action on the process. Click More to view additional device details and take action on the device.
• 23.
Title / Description
Device time: The time when the network connection occurred.
Device: The registered name of the device. Click the hyperlinked device name to see additional device details and to take action, including enable/disable bypass and quarantine/unquarantine the device.
Process: The name and path of the application/process. Click the hyperlinked name to see a visualization of the network connection on the process tree.
Source: The source IP address.
Destination: The destination IP to which the connection was made.
Location: The geographical location of the remote network connection.
Protocol: Network protocol related to the network connection.
Port: Destination port of the network connection initiated or received by the process.
• 24. TTPs and MITRE Techniques
Tactics, Techniques, and Procedures (TTPs) are behaviors, methods, or patterns of activity used by a threat actor, or group of threat actors. MITRE Techniques are derived from MITRE ATT&CK™. This framework provides a list of common tactics, techniques, and procedures that can be used to discover potential threats and identify areas of risk and improvement in your environment. The framework is comprised of 12 Tactics and over 300 Techniques, which adversaries use to compromise systems and enterprises.

Carbon Black TTPs
Events and alerts are tagged with Carbon Black TTPs to provide context around attacks and behaviors leading up to attacks that are detected and prevented by policy actions. Carbon Black TTPs present as fully colored pills, based on severity.

TTP color severity legend
Dark red: Critical
Bright red: High
Orange: Medium
Yellow: Low
Gray: None
Black: Policy action
Use the TTP Reference for a full list and description of all Carbon Black TTPs.

MITRE Techniques
Events and alerts may also be tagged with MITRE Techniques, derived from MITRE ATT&CK™. MITRE techniques appear alongside TTPs and always have a "mitre_" prefix, followed by the Technique ID and the Technique name. They present as hollow pills with a colored border, based on severity.

MITRE TID color severity legend
Dark red border: Critical
Bright red border: High
Orange border: Medium
Yellow border: Low
Click a MITRE Technique pill to learn more on the MITRE ATT&CK™ (https://attack.mitre.org/) website, and use the MITRE Techniques Reference for a full list of MITRE techniques in the Carbon Black Cloud console.
• 25. TTP Reference
Tactics, Techniques, and Procedures (TTPs) are behaviors, methods, or patterns of activity used by a threat actor, or group of threat actors. Events and alerts are tagged with TTPs to provide context around attacks and behaviors leading up to attacks that are detected and prevented by policy actions. Events and alerts may also be tagged with MITRE Techniques. See the MITRE Techniques Reference for a full list of MITRE techniques in the Carbon Black Cloud console.

Important: VMware Carbon Black is replacing the terms blacklist and whitelist with banned list and approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.
• 26.
Each entry below gives the columns of the TTP reference table: Tag (with severity), Where It's Detected, Category, How It's Set, and Description.

ACCESS_CALENDAR (Severity: Medium)
  Where It's Detected: Sensor
  Category: Data at Risk
  How It's Set: A filesystem filter driver is set to identify a read access based on target file extension.
  Description: Access the calendar application data files, for example Outlook.

ACCESS_CLIPBOARD (Severity: Medium)
  Where It's Detected: Sensor
  Category: Data at Risk
  How It's Set: The Win32 API GetClipboardData() is called.
  Description: Access clipboard application data.

ACCESS_CONTACTS (Severity: Medium)
  Where It's Detected: Sensor
  Category: Data at Risk
  How It's Set: A filesystem filter driver is set to identify a read access based on target file extension.
  Description: Access contact list/phone list application data.

ACCESS_DATA_FILES (Severity: Medium)
  Where It's Detected: Sensor
  Category: Data at Risk
  How It's Set: A filesystem filter driver is set to identify a read access based on target file extension.
  Description: Access data files.

ACCESS_EMAIL_DATA (Severity: Medium)
  Where It's Detected: Sensor
  Category: Data at Risk
  How It's Set: A filesystem filter driver is set to identify a read access based on target file extension.
  Description: Access email contents.

ACTIVE_CLIENT (Severity: Low)
  Where It's Detected: Sensor
  Category: Network Threat
  How It's Set: A network filter driver is set to identify the successful initiation of IPv4 or IPv6 connections.
  Description: Application successfully initiated a network connection.

ACTIVE_SERVER (Severity: Medium)
  Where It's Detected: Sensor
  Category: Network Threat
  How It's Set: A network filter driver is set to identify accepted IPv4 or IPv6 connections.
  Description: Application successfully accepted a network connection.

ADAPTIVE_WHITE_APP (Severity: None)
  Where It's Detected: Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified an executable with reputation: ADAPTIVE_WHITE_APP. The app is also not signed and new (i.e. age < 30 days).
  Description: An unknown application that scanned clean.

ATTEMPTED_CLIENT (Severity: Low)
  Where It's Detected: Sensor
  Category: Network Threat
  How It's Set: A network filter driver is set to identify the unsuccessful initiation of IPv4 or IPv6 connections.
  Description: Application attempted to initiate a network connection (and failed).

ATTEMPTED_SERVER (Severity: None)
  Where It's Detected: Sensor
  Category: Network Threat
  How It's Set: A network filter driver is set to identify the unsuccessful acceptance of IPv4 or IPv6 connections.
  Description: Application attempted to accept a network connection (and failed).

BEACON (Severity: Medium)
  Where It's Detected: Analytics
  Category: Network Threat
  How It's Set: A failed network socket connection was enforced at the network filter driver, including the use of userland hooks.
  Description: Low reputation application (ADAPTIVE_WHITE or worse) running for the first time attempted to beacon over http/s to a server, unsuccessfully.

BUFFER_OVERFLOW_CALL (Severity: Medium)
  Where It's Detected: Sensor
  Category: Emerging Threats
  How It's Set: Userland hooks are set to identify API calls from writeable memory.
  Description: Application attempted a system call from a buffer overflow.

BYPASS_POLICY (Severity: High)
  Where It's Detected: Sensor
  Category: Emerging Threats
  How It's Set: Identified a driver callback that includes specially crafted command line arguments.
  Description: Application attempted to bypass the device's default security policy.

CODE_DROP (Severity: Medium)
  Where It's Detected: Sensor
  Category: Malware & Application Abuse
  How It's Set: A filesystem filter driver is set to identify the creation of a new binary or script, based on target file extension.
  Description: Application dropped an executable or script.

COMPANY_BLACKLIST (Severity: High)
  Where It's Detected: Sensor
  Category: Malware & Application Abuse
  How It's Set: The hash of a binary has been banned from executing, placed on the COMPANY_BLACKLIST.
  Description: Application is on the company banned list.
• 27.

COMPROMISED_PARENT (Severity: None)
  Where It's Detected: Sensor
  Category: Process Manipulation
  How It's Set: Userland hooks are set to identify processes that complete buffer overflow, process hollowing or code injection by compromised apps such as email, office, or browser apps.
  Description: Parent process has been compromised due to process modifications such as buffer overflow, code injection, or process hollowing.

COMPROMISED_PROCESS (Severity: Medium)
  Where It's Detected: Sensor
  Category: Process Manipulation
  How It's Set: Userland hooks are set to identify processes that complete buffer overflow, process hollowing or code injection by compromised apps such as email, office, or browser apps.
  Description: Process has been compromised due to process modifications such as buffer overflow, code injection, or process hollowing.

CONNECT_AFTER_SCAN (Severity: None)
  Where It's Detected: Analytics
  Category: Network Threat
  How It's Set: Analytics checks to see if a connection has been made after an initial port scan.
  Description: A connection has been made after an initial port scan.

COPY_PROCESS_MEMORY (Severity: High)
  Where It's Detected: Sensor
  Category: Data at Risk
  How It's Set: Userland hooks are set to identify an application that took a memory snapshot of another process.
  Description: Application took a memory snapshot of another process.

DATA_TO_ENCRYPTION (Severity: None)
  Where It's Detected: Sensor
  Category: Data at Risk
  How It's Set: A process attempts to modify a ransomware canary file.
  Description: An application tried to modify one of the special ransomware canary files that the Carbon Black Cloud placed in the file system. These files are sensor-controlled and should never be modified by any application other than the Carbon Black Cloud.

DETECTED_BLACKLIST_APP (Severity: High)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: Hash of discovered executable has reputation: COMPANY_BLACKLIST.
  Description: A blacklisted application has been detected on the filesystem.

DETECTED_MALWARE_APP (Severity: High)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: Hash or local scan of discovered executable has reputation: KNOWN_MALWARE.
  Description: Malware application has been detected on the filesystem.

DETECTED_PUP_APP (Severity: High)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: Hash or local scan of discovered executable has reputation: PUP.
  Description: Potentially Unwanted Application (PUP) has been detected on the filesystem.

DETECTED_SUSPECT_APP (Severity: High)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: Hash or local scan of discovered executable has reputation: SUSPECT_MALWARE.
  Description: Suspect application has been detected on the filesystem.

DUMP_PROCESS_MEMORY (Severity: Medium)
  Where It's Detected: Sensor
  Category: Data at Risk
  How It's Set: Userland API hooks are set to detect a process memory dump.
  Description: Application created a memory dump of another process on the filesystem.

EMAIL_CLIENT (Severity: Low)
  Where It's Detected: Sensor
  Category: Network Threat
  How It's Set: A network filter driver is set to identify client connections that use an email protocol (e.g. SMTP, SMTPS, POP3, POP3S, IMAP, IMAP2, IMAPS).
  Description: Non-email application (i.e. unknown) is acting like an email client and sending data on an email port.

ENUMERATE_PROCESSES (Severity: Medium)
  Where It's Detected: Sensor
  Category: Generic Suspect
  How It's Set: Userland API hooks are set to detect process enumeration.
  Description: Process is attempting to obtain a list of other processes executing on the host.
• 28.

FAKE_APP (Severity: High)
  Where It's Detected: Analytics
  Category: Malware & Application Abuse
  How It's Set: A filesystem driver is set to identify "well known" Windows applications by path (e.g. explorer, winlogon, lsass, etc.) which are executed from the wrong directory.
  Description: Application that is potentially impersonating a well-known application.

FILE_TRANSFER (Severity: High)
  Where It's Detected: Sensor
  Category: Network Threat
  How It's Set: A network filter driver is set to identify successfully established, connected or rejected IPv4 or IPv6 connections on FTP.
  Description: Application is attempting to transfer a file over the network.

FILE_UPLOAD (Severity: Medium)
  Where It's Detected: Analytics
  Category: Network Threat
  How It's Set: Userland hooks, network filter driver and file system filter driver are set to identify processes that perform memory scraping followed by a network connection.
  Description: Application is potentially uploading stolen data over the network.

FILELESS (Severity: Critical)
  Where It's Detected: Analytics
  Category: Emerging Threats
  How It's Set: A driver callback is identified that includes command line arguments to execute a script from the command line or registry.
  Description: A script interpreter is acting on a script that is not present on disk.

FIXED_PORT_LISTEN (Severity: Low)
  Where It's Detected: Sensor
  Category: Network Threat
  How It's Set: An IPv4 or IPv6 network filter driver has been set to listen for connections on a fixed port.
  Description: Application is listening on a fixed port.

HAS_BUFFER_OVERFLOW (Severity: Low)
  Where It's Detected: Sensor
  Category: Emerging Threats
  How It's Set: Userland hooks are set to identify API calls from writeable memory.
  Description: This process has exhibited a buffer overflow.

HAS_COMPROMISED_CODE (Severity: High)
  Where It's Detected: Sensor
  Category: Process Manipulation
  How It's Set: A COMPROMISED_PROCESS has called one of a large variety of high risk functions.
  Description: A compromised process has called one of multiple functions.

HAS_INJECTED_CODE (Severity: None)
  Where It's Detected: Analytics
  Category: Process Manipulation
  How It's Set: The analytics keeps track of whether a process has been compromised and then injects code into another process.
  Description: The process is running injected code.

HAS_MALWARE_CODE (Severity: High)
  Where It's Detected: Sensor
  Category: Process Manipulation
  How It's Set: A MALWARE_APP has performed a process injection using one of a variety of high risk techniques.
  Description: Process has been injected into by known malware.

HAS_PACKED_CODE (Severity: Low)
  Where It's Detected: Sensor
  Category: Process Manipulation
  How It's Set: Userland hooks have identified an API call from writeable memory.
  Description: Application contains dynamic code (i.e. writable memory & not buffer overflow).

HAS_PUP_CODE (Severity: High)
  Where It's Detected: Sensor
  Category: Process Manipulation
  How It's Set: A PUP_APP has performed a process injection using one of a variety of techniques.
  Description: Process has been injected into by a PUP.

HAS_SCRIPT_DLL (Severity: Low)
  Where It's Detected: Sensor
  Category: Generic Suspect
  How It's Set: A driver routine is set to identify processes that load an in-memory script interpreter.
  Description: Process loads an in-memory script interpreter.

HAS_SUSPECT_CODE (Severity: High)
  Where It's Detected: Sensor
  Category: Process Manipulation
  How It's Set: A SUSPECT_APP has performed a process injection using one of a variety of techniques.
  Description: Process has been injected into by suspect malware.

HIDDEN_PROCESS (Severity: High)
  Where It's Detected: Sensor
  Category: Generic Suspect
  How It's Set: Events are attributed to a process which is not visible to periodic user level process calls.
  Description: Sensor has detected a hidden process.
• 29.

HOLLOW_PROCESS (Severity: None)
  Where It's Detected: Sensor
  Category: Process Manipulation
  How It's Set: Multiple user level hooks are set to identify a specific sequence of calls that indicate a process is being replaced with another.
  Description: A technique used to hide the presence of a process, typically performed by creating a suspended process and replacing it with a malicious one.

IMPERSONATE_SYSTEM (Severity: None)
  Where It's Detected: Analytics
  Category: Process Manipulation
  How It's Set: Is set when the username that is associated with a process changes during the course of execution to NT AUTHORITY\SYSTEM.
  Description: Tracks the username that is associated with a process and watches for a change of the associated username to system/root.

IMPERSONATE_USER (Severity: None)
  Where It's Detected: Analytics
  Category: Process Manipulation
  How It's Set: Is set when the username that is associated with a process changes during the course of execution to something other than NT AUTHORITY\SYSTEM.
  Description: Tracks the username that is associated with a process and watches for a change of the associated username from system/root to that of another user.

INDIRECT_COMMAND_EXECUTION (Severity: Low)
  Where It's Detected: Sensor
  Category: Malware & Application Abuse
  How It's Set: Various system utilities may have been used to execute commands, possibly without invoking cmd.
  Description: System utility used to indirectly execute another command.

INJECT_CODE (Severity: Medium)
  Where It's Detected: Sensor
  Category: Process Manipulation
  How It's Set: Multiple kernel, OS and user level techniques are set to identify applications attempting to inject code into another process space.
  Description: Application is attempting to inject code into another process.

INJECT_INPUT (Severity: Medium)
  Where It's Detected: Sensor
  Category: Generic Suspect
  How It's Set: Userland hooks are set to identify an attempt to inject input into a process.
  Description: Application is attempting to inject input into a process.

INSTALL (Severity: Low)
  Where It's Detected: Sensor
  Category: Generic Suspect
  How It's Set: A filesystem filter driver is set to identify the creation of new binaries or scripts, based on target file extension, by an installer executable.
  Description: Install process is running.

INTERNATIONAL_SITE (Severity: Low)
  Where It's Detected: Analytics
  Category: Network Threat
  How It's Set: Geographic IP is set to identify the source or destination of IPv4 and IPv6 connections.
  Description: Application attempted to communicate with a peer IP address located in another country (excluding into US).

IRC (Severity: Medium)
  Where It's Detected: Sensor
  Category: Network Threat
  How It's Set: An IPv4 or IPv6 network filter driver is set to identify connections using common IRC ports.
  Description: Application attempted to communicate over an Internet Relay Chat port.

KERNEL_ACCESS (Severity: None)
  Where It's Detected: Sensor
  Category: Malware & Application Abuse
  How It's Set: A process attempts to modify the system's master boot record (MBR).
  Description: An application attempts to directly access the system's hard drive to write data into the MBR portion of the disk. Malware uses this tactic to alter system behavior on startup.

KNOWN_APT (Severity: Critical)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: APT.
  Description: Application is an Advanced Persistent Threat.

KNOWN_BACKDOOR (Severity: Critical)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: backdoor.
  Description: Application is a known backdoor into the system.
• 30.

KNOWN_DOWNLOADER (Severity: Critical)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: downloader.
  Description: Application is a known malicious downloader.

KNOWN_DROPPER (Severity: Critical)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: dropper.
  Description: Application is a known dropper of executables.

KNOWN_KEYLOGGER (Severity: Critical)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: keylogger.
  Description: Application known to monitor keyboard input.

KNOWN_PASSWORD_STEALER (Severity: Critical)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: password stealer.
  Description: Application known to steal passwords.

KNOWN_RANSOMWARE (Severity: Critical)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: ransomware.
  Description: Application is known ransomware.

KNOWN_ROGUE (Severity: Critical)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: rogue.
  Description: Application is known as a rogue application.

KNOWN_ROOTKIT (Severity: None)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: rootkit.
  Description: Application is a known rootkit.

KNOWN_WORM (Severity: Critical)
  Where It's Detected: Sensor & Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: worm.
  Description: Application is a known worm.

LEVERAGES_SYSTEM_UTILITY (Severity: High)
  Where It's Detected: Analytics
  Category: Emerging Threats
  How It's Set: Various system utilities may have been used to perform malicious activity.
  Description: A system utility was used for potentially malicious purposes.

LOW_REPUTATION_SITE (Severity: Medium)
  Where It's Detected: Analytics
  Category: Network Threat
  How It's Set: A network filter driver is set to identify connections to a peer IP address or domain that has a low site reputation score.
  Description: Application made a network connection to a peer with low reputation.

MALWARE_APP (Severity: Critical)
  Where It's Detected: Analytics
  Category: Malware & Application Abuse
  How It's Set: A hash lookup or local scanner has identified a running executable that has reputation: MALWARE.
  Description: Application is a known malware application.

MALWARE_DROP (Severity: High)
  Where It's Detected: Sensor
  Category: Malware & Application Abuse
  How It's Set: A CODE_DROP has been detected where the dropped application has the reputation: KNOWN_MALWARE : SUSPECT_MALWARE.
  Description: Application dropped a malware application.

MALWARE_SERVICE_DISABLED (Severity: Not applicable)
  Where It's Detected: Sensor
  Category: Policy Action
  How It's Set: The analytics receives this info from the sensor and sets this value accordingly.
  Description: Malware service detected and disabled by a policy.

MALWARE_SERVICE_FOUND (Severity: Not applicable)
  Where It's Detected: Sensor
  Category: Policy Action
  How It's Set: The analytics receives this info from the sensor and sets this value accordingly.
  Description: Malware service detected by a policy.
  • 31. Tag Where It’s Detected Category How It’s Set Description MODIFY_KERNEL (Severity: Critical) Sensor Process Manipulation A userland hook has identi ed a process that modi ed kernel space Application modi ed system kernel.via NullPage Allocation MODIFY_MEMORY_PROTECTION (Severity: Medium) Sensor Process Manipulation A userland hook is set to detect a process modifying the memory permissions of a secondary process Application modify memory protection settings for the process. MODIFY_OWN_PROCESS (Severity: Medium) Sensor Process Manipulation A userland hook is set to detect a process that opens a handle to itself. Application attempted to open its own process with permissions to modify itself. MODIFY_PROCESS_EXECUTION (Severity: None) Sensor Process Manipulation A userland hook is set to identify attempts to modify the execution context in another process thread. Application attempted to modify the execution context in another process thread (either EAX or EIP) MODIFY_PROCESS (Severity: Medium) Sensor Process Manipulation A userland hook is set to identify applications attempting to open another process Application attempted to open another process with permissions to modify the target. MODIFY_SENSOR (Severity: Critical) Sensor Emerging Threats A userland hook is set to identify an attempt to modify or disable the Carbon Black Cloud Sensor Tamper Protection - Application attempted to modify Carbon Black Cloud Sensor. MODIFY_SERVICE (Severity: High) Sensor Process Manipulation A userland hook is set to identify applications that attempt to control, create or delete a windows service Application attempted to control, create or delete a windows service. MONITOR_MICROPHONE (Severity: Medium) Sensor Data at Risk A userland hook is set to identify applications attempting to monitor the microphone Application attempted to monitor the microphone. 
MONITOR_USER_INPUT (Severity: Medium) Sensor Data at Risk A userland hook is set to identify applications attempting to monitor user input Application attempted to monitor user input (keyboard or mouse). MONITOR_WEBCAM (Severity: Medium) Sensor Data at Risk A userland hook is set to identify applications attempting to monitor the onboard camera Application attempted to monitor web camera. NETWORK_ACCESS (Severity: Low) Sensor Network Threat An IPv4 or IPv6 network lter driver has successfully initiated or accepted a network connection Application successfully initiated or accepted a network connection NON_STANDARD_PORT (Severity: None) Sensor Network Threat Network lter driver veri es ports for common protocols. Identi es non-trusted applications from making non- http requests. The process of passing network tra c on an alternative port to which it was assigned by the IANA Internet Assigned Numbers Authority (IANA); for example, passing FTP on port 8081 when it is normally con gured to listen on port 21. OS_DENY (Severity: None) Sensor Operating System Action Analytics receives this info from the sensor and sets this value accordingly. The attempted action was denied by the operating system. PACKED_CALL (Severity: Medium) Sensor Emerging Threats A userland hook is set to identify API calls from writeable memory Application attempted a system call from dynamic code (i.e. writable memory & not bu er over ow)
  • 32. Tag Where It’s Detected Category How It’s Set Description PACKED_CODE (Severity: None) Analytics Process Manipulation Depending on the arguments to script interpreters and applications, this is set when the arguments are related to encoding, obfuscating, le-less execution, etc. The process contains unpacked code. PERSIST (Severity: None) Sensor Generic Suspect A le system driver is set to identify registry modi cations that enable persistence upon reboot or application removal also known as auto-start extensibility points (ASEP) Persistent application. PHISHING (Severity: None) Sensor Generic Suspect A driver callback is identi ed where an email application launches a web browser. Email client launching a browser. PHONE_HOME (Severity: Medium) Sensor Network Threat An IPv4 or IPv6 network lter driver is set to identify client connections to a host that had performed a port scan against a Sensor Application attempt to connect back to a scanning host. POLICY_DENY (Severity: Not applicable) Sensor Policy Action The analytics receives this info from the sensor and sets this value accordingly. The attempted action was denied due to policy. POLICY_TERMINATE (Severity: Not applicable) Sensor Policy Action The analytics receives this info from the sensor and sets this value accordingly. The process was terminated due to policy. PORTSCAN (Severity: None) Sensor Network Threat N consecutive scans on di erent ports from the same host are detected. A port scan is conducted. PRIVILEGE_ESCALATE (Severity: None) Analytics Process Manipulation Is set when the username that is associated with a process changes during the course of execution to “NT AUTHORITYSYSTEM” or the process has gained the admin privilege. Checks to see whether the actual SYSTEM privilege is associated with the process (not just the username context). 
PROCESS_IMAGE_REPLACED (Severity: None) Sensor Process Manipulation Userland hooks watch for speci c APIs being invoked that involve overwriting of the main executable section of a process, and other related manipulations such as suspending and unmapping sections. Application has had its primary executable code replaced with other code. PUP_APP (Severity: High) Analytics Malware & Application Abuse A hash lookup or local scanner has identi ed a running executable that has reputation: PUP Application is a Potentially Unwanted Program. RAM_SCRAPING (Severity: Medium) Sensor & Analytics Data at Risk User land hook is set to detect an application’s attempt to read process memory. When a process tries to scrape the memory utilized by another process. READ_PROCESS_MEMORY (Severity: Medium) Sensor Data at Risk A userland hook is set to detect applications attempting to read process memory. Application is attempting to read process memory. READ_SECURITY_DATA (Severity: High) Sensor Data at Risk A userland hook is set to detect an application attempting to read privileged security information. Application is attempting to read privileged security information (for example, lsass.exe).
  • 33. Tag Where It’s Detected Category How It’s Set Description REVERSE_SHELL (Severity: High) Sensor & Analytics Emerging Threats A userland hook is set to identify a process that reads from or writes to console via a network connection Command shell (e.g. cmd.exe) interactively receiving commands from a network parent RUN_ANOTHER_APP (Severity: Low) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute another application. Application attempted to execute another application. RUN_BLACKLIST_APP (Severity: High) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is COMPANY_BLACKLIST Application attempted to execute a blacklisted application. RUN_BROWSER (Severity: Low) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP & child_proc is a common browser executable Application attempted to execute a browser. RUN_CMD_SHELL (Severity: Low) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is a windows shell Application attempted to execute a command shell. RUN_MALWARE_APP (Severity: Critical) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child process is MALWARE_APP Application attempted to execute a malware application. RUN_NET_UTILITY (Severity: High) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child target process is a common network utility such as "netsh.exe" Application attempted to execute a network utility application. 
RUN_PUP_APP (Severity: High) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child process is PUP_APP Application attempted to execute a PUP application. RUN_SUSPECT_APP (Severity: High) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is SUSPECT_APP. Application attempted to execute a application with a suspect reputation. RUN_SYSTEM_APP (Severity: Low) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP &and child process is a system app (application or dll located in the "windows", "windowssystem32", "windowssysWOW64", "windowsWinSxS**" directories ). Application attempted to execute a systems application.
  • 34. Tag Where It’s Detected Category How It’s Set Description RUN_SYSTEM_UTILITY (Severity: Medium) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is a system utility such as regedit. Application attempted to run a system utility (for example, regedit) RUN_UNKNOWN_APP (Severity: None) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child process is UNKNOWN_APP. Application tried to execute an application with unknown reputation. SCREEN_SHOT (Severity: None) Sensor Data at Risk Win32 API SendInput() is used to synthesize a PrintScreen key press or Win32 API CreateCompatibleBitmap() is called. A screenshot is taken on the machine. SECURITY_CONFIG_DOWNGRADE (Severity: High) Analytics Emerging Threats Windows Firewall or other system security con gurations have been changed or downgraded, lowering its security posture. A Windows security con guration has been downgraded. SET_APP_CONFIG (Severity: Medium) Sensor Generic Suspect A userland hook is set to identify apps that modify the registry (Microsoft O ce Security keys) or set system application con guration parameters Application set system application con guration parameters. SET_APP_LAUNCH (Severity: Medium) Sensor Generic Suspect A userland hook is set to identify apps that attempt to modify registry to e ect when or how another application may be launched (Autoruns key, Run, RunOnce, Load, Shell and Open Commands) Application attempted to modify keys to e ect when/how another application may be launched SET_BROWSER_CONFIG (Severity: Low) Sensor Generic Suspect A userland hook is set to identify apps that attempt to modify registry (Install ActiveX controls, Internet Settings, System Certi cates, Internet Explorer keys, browser helper objects, COM InProcServer) Application attempted to modify the browser settings. 
SET_LOGIN_OPS (Severity: Medium) Analytics Emerging Threats Set by monitoring registry modi cations to keys related to Win log on process. Application attempted to modify process associated with Win log on or user name. SET_REBOOT_OPS (Severity: Low) Sensor Generic Suspect A userland hook is set to identify apps that attempt to modify registry ( BootExecute, Session Manager File Operations) Application attempted to set reboot con guration operations. SET_REMOTE_ACCESS (Severity: Medium) Sensor Emerging Threats A userland hook is set to identify apps that attempt to modify registry (SecurePipeServers winreg settings, lanman parameters, etc) Application attempted to set remote access con guration. SET_SYSTEM_AUDIT (Severity: High) Sensor Generic Suspect A userland hook is set to identify apps that attempt to modify registry (TaskManager keys, DisableRegistryTools) Application attempted to set the system audit parameters.
  • 35. Tag Where It’s Detected Category How It’s Set Description SET_SYSTEM_CONFIG (Severity: Medium) Sensor Generic Suspect A userland hook is set to identify applications that attempt to modify registry such as Uninstall keys or wallpaper, as well as attempt to modify system con guration data les Application attempted to set system con g parameters. SET_SYSTEM_FILE (Severity: None) Sensor Malware & Application Abuse A process attempts to modify the system's master boot record (MBR). An application attempts to directly access the system's hard drive to write data into the MBR portion of the disk. Malware uses this tactic to alter system behavior on startup. SET_SYSTEM_SECURITY (Severity: Medium) Sensor Generic Suspect A userland hook is set to identify apps that attempt to modify registry (Autoruns key, UserInit, Run, RunOnce, Load, BootExecute, AppInit_DLLs, Shell and Open Commands, Uninstall Keys, COM InProcServer, Install ActiveX controls etc.) Application attempts to set or change system security operations. SUSPECT_APP (Severity: High) Sensor & Analytics Malware & Application Abuse A hash lookup or local scanner has identi ed a running executable that has reputation: SUSPECT. App is also (not signed) Application is suspected malicious by AV. SUSPENDED_PROCESS (Severity: Medium) Sensor Process Manipulation A userland hook is set to identify a process that was created in the suspended state A process created in a suspended state is being modi ed (pre-execution). SUSPICIOUS_BEHAVIOR (Severity: Medium) Analytics Generic Suspect A userland hook is set to identify applications executing code from dynamic memory (e.g. from a Bu er Over ow or unpacked code) and are making calls to applications which typically do not communicate on the network (e.g. "calc.exe") making network connections, etc. Application unusual behavior warrants attention. 
SUSPICIOUS_DOMAIN (Severity: High) Sensor & Analytics Network Threat Network lter driver is set to identify when INTERNATIONAL_SITE is an ISO 3166-1 Country Code (e.g. CU, IR, SD, SY, IQ, LY, KP, YE, etc) Application is connecting to a suspicious network domain.(based upon ISO 3166-1 country codes). SUSPICIOUS_SITE (Severity: Medium) Sensor & Analytics Network Threat An IPv4 or IPv6 network lter driver is set to identify accepted connections from a suspicious INTERNATIONAL_SITE (e.g. domains in RU, CN) Application accepts an inbound network connection from a suspicious international site. UNKNOWN_APP (Severity: None) Sensor & Analytics Malware & Application Abuse A hash lookup has identi ed a running executable that has reputation: not_listed (i.e. unknown). App is also (not signed) Application is unknown reputation.
MITRE Techniques Reference

MITRE Techniques are derived from MITRE ATT&CK™ (https://attack.mitre.org/), a globally accessible knowledge base that provides a list of common adversary tactics, techniques, and procedures. MITRE Techniques can appear alongside Carbon Black TTPs to tag events and alerts, providing context around attacks and the behaviors leading up to them. See the TTP Reference for a full list and description of all Carbon Black TTPs. This reference lists all of the MITRE techniques currently in the Carbon Black Cloud console.
| ID | Name | Link to Technique Details |
|---|---|---|
| T1156 | .bash_profile and .bashrc | mitre_t1156_bash_profile_and_bashrc (https://attack.mitre.org/techniques/T1156) |
| T1548 | Abuse Elevation Control Mechanism | mitre_t1548_abuse_elevation_ctrl_mech (https://attack.mitre.org/techniques/T1548) |
| T1134 | Access Token Manipulation | mitre_t1134_access_token_manip (https://attack.mitre.org/techniques/T1134) |
| T1015 | Accessibility Features | mitre_t1015_accessibility_features (https://attack.mitre.org/techniques/T1015) |
| T1087 | Account Discovery | mitre_t1087_account_discovery (https://attack.mitre.org/techniques/T1087) |
| T1098 | Account Manipulation | mitre_t1098_account_manip (https://attack.mitre.org/techniques/T1098) |
| T1307 | Acquire and/or use 3rd party infrastructure services | mitre_t1307_acquire_and_or_use_3rd_party_infrastructure_services (https://attack.mitre.org/techniques/T1307) |
| T1329 | Acquire and/or use 3rd party infrastructure services | mitre_t1329_acquire_and_or_use_3rd_party_infrastructure_services (https://attack.mitre.org/techniques/T1329) |
| T1308 | Acquire and/or use 3rd party software services | mitre_t1308_acquire_and_or_use_3rd_party_software_services (https://attack.mitre.org/techniques/T1308) |
| T1330 | Acquire and/or use 3rd party software services | mitre_t1330_acquire_and_or_use_3rd_party_software_services (https://attack.mitre.org/techniques/T1330) |
| T1310 | Acquire or compromise 3rd party signing certificates | mitre_t1310_acquire_or_compromise_3rd_party_signing_certificates (https://attack.mitre.org/techniques/T1310) |
| T1182 | AppCert DLLs | mitre_t1182_appcert_dlls (https://attack.mitre.org/techniques/T1182) |
| T1103 | AppInit DLLs | mitre_t1103_appinit_dlls (https://attack.mitre.org/techniques/T1103) |
| T1155 | AppleScript | mitre_t1155_applescript (https://attack.mitre.org/techniques/T1155) |
| T1017 | Application Deployment Software | mitre_t1017_app_deployment_software (https://attack.mitre.org/techniques/T1017) |
| T1138 | Application Shimming | mitre_t1138_app_shimming (https://attack.mitre.org/techniques/T1138) |
| T1010 | Application Window Discovery | mitre_t1010_app_window_discovery (https://attack.mitre.org/techniques/T1010) |
| T1560 | Archive Collected Data | mitre_t1560_archive_collected_data (https://attack.mitre.org/techniques/T1560) |
| T1123 | Audio Capture | mitre_t1123_audio_capture (https://attack.mitre.org/techniques/T1123) |
| T1131 | Authentication Package | mitre_t1131_auth_package (https://attack.mitre.org/techniques/T1131) |
| T1119 | Automated Collection | mitre_t1119_auto_collection (https://attack.mitre.org/techniques/T1119) |
| T1020 | Automated Exfiltration | mitre_t1020_auto_exfil (https://attack.mitre.org/techniques/T1020) |
| T1139 | Bash History | mitre_t1139_bash_history (https://attack.mitre.org/techniques/T1139) |
| T1009 | Binary Padding | mitre_t1009_binary_padding (https://attack.mitre.org/techniques/T1009) |
| T1197 | BITS Jobs | mitre_t1197_bits_jobs (https://attack.mitre.org/techniques/T1197) |
| T1547 | Boot or Logon Autostart Execution | mitre_t1547_boot_or_logon_auto_exec (https://attack.mitre.org/techniques/T1547) |
| T1067 | Bootkit | mitre_t1067_bootkit (https://attack.mitre.org/techniques/T1067) |
| T1217 | Browser Bookmark Discovery | mitre_t1217_browser_bookmark_discovery (https://attack.mitre.org/techniques/T1217) |
| T1176 | Browser Extensions | mitre_t1176_browser_extensions (https://attack.mitre.org/techniques/T1176) |
| T1110 | Brute Force | mitre_t1110_brute_force (https://attack.mitre.org/techniques/T1110) |
| T1088 | Bypass User Account Control | mitre_t1088_bypass_uac (https://attack.mitre.org/techniques/T1088) |
| T1042 | Change Default File Association | mitre_t1042_change_default_file_assoc (https://attack.mitre.org/techniques/T1042) |
| T1146 | Clear Command History | mitre_t1146_clear_cmd_history (https://attack.mitre.org/techniques/T1146) |
| T1115 | Clipboard Data | mitre_t1115_clipboard_data (https://attack.mitre.org/techniques/T1115) |
| T1191 | CMSTP | mitre_t1191_cmstp (https://attack.mitre.org/techniques/T1191) |
| T1116 | Code Signing | mitre_t1116_code_signing (https://attack.mitre.org/techniques/T1116) |
| T1059 | Command-Line or Script Interface | mitre_t1059_cmd_line_or_script_inter (https://attack.mitre.org/techniques/T1059) |
| T1043 | Commonly Used Port | mitre_t1043_common_port (https://attack.mitre.org/techniques/T1043) |
| T1092 | Communication Through Removable Media | mitre_t1092_comm_thru_removable_media (https://attack.mitre.org/techniques/T1092) |
| T1500 | Compile After Delivery | mitre_t1500_compile_after_delivery (https://attack.mitre.org/techniques/T1500) |
| T1223 | Compiled HTML File | mitre_t1223_compiled_html_file (https://attack.mitre.org/techniques/T1223) |
| T1109 | Component Firmware | mitre_t1109_comp_firmware (https://attack.mitre.org/techniques/T1109) |
| T1175 | Component Object Model and Distributed COM | mitre_t1175_distributed_comp_object_model (https://attack.mitre.org/techniques/T1175) |
| T1122 | Component Object Model Hijacking | mitre_t1122_comp_obj_model_hij (https://attack.mitre.org/techniques/T1122) |
| T1196 | Control Panel Items | mitre_t1196_control_panel_items (https://attack.mitre.org/techniques/T1196) |
| T1136 | Create Account | mitre_t1136_create_account (https://attack.mitre.org/techniques/T1136) |
| T1345 | Create Custom Payloads | mitre_t1345_create_custom_payloads (https://attack.mitre.org/techniques/T1345) |
| T1543 | Create or Modify System Process | mitre_t1543_create_or_modify_sys_proc (https://attack.mitre.org/techniques/T1543) |
| T1003 | OS Credential Dumping | mitre_t1003_os_credential_dump (https://attack.mitre.org/techniques/T1003) |
| T1555 | Credentials from Password Stores | mitre_t1555_creds_from_pwd_stores (https://attack.mitre.org/techniques/T1555) |
| T1503 | Credentials from Web Browsers | mitre_t1503_credentials_from_web_browsers (https://attack.mitre.org/techniques/T1503) |
| T1081 | Credentials in Files | mitre_t1081_cred_in_files (https://attack.mitre.org/techniques/T1081) |
| T1214 | Credentials in Registry | mitre_t1214_creds_in_reg (https://attack.mitre.org/techniques/T1214) |
| T1094 | Custom Command and Control Protocol | mitre_t1094_custom_cmd_and_control_proto (https://attack.mitre.org/techniques/T1094) |
| T1024 | Custom Cryptographic Protocol | mitre_t1024_custom_crypto_proto (https://attack.mitre.org/techniques/T1024) |
| T1002 | Data Compressed | mitre_t1002_data_compressed (https://attack.mitre.org/techniques/T1002) |
| T1485 | Data Destruction | mitre_t1485_data_destruction (https://attack.mitre.org/techniques/T1485) |
| T1132 | Data Encoding | mitre_t1132_data_encoding (https://attack.mitre.org/techniques/T1132) |
| T1022 | Data Encrypted | mitre_t1022_data_encrypted (https://attack.mitre.org/techniques/T1022) |
| T1486 | Data Encrypted for Impact | mitre_t1486_data_encrypted_for_impact (https://attack.mitre.org/techniques/T1486) |
| T1213 | Data from Information Repositories | mitre_t1213_data_from_info_repos (https://attack.mitre.org/techniques/T1213) |
| T1005 | Data from Local System | mitre_t1005_data_from_local_sys (https://attack.mitre.org/techniques/T1005) |
| T1039 | Data from Network Shared Drive | mitre_t1039_data_from_network_shared_drive (https://attack.mitre.org/techniques/T1039) |
| T1025 | Data from Removable Media | mitre_t1025_data_from_removable_media (https://attack.mitre.org/techniques/T1025) |
| T1320 | Data Hiding | mitre_t1320_data_hiding (https://attack.mitre.org/techniques/T1320) |
| T1001 | Data Obfuscation | mitre_t1001_data_obfuscation (https://attack.mitre.org/techniques/T1001) |
| T1565 | Data Manipulation | mitre_t1565_data_manip (https://attack.mitre.org/techniques/T1565) |
| T1074 | Data Staged | mitre_t1074_data_staged (https://attack.mitre.org/techniques/T1074) |
| T1030 | Data Transfer Size Limits | mitre_t1030_data_transfer_size_limits (https://attack.mitre.org/techniques/T1030) |
| T1207 | Rogue Domain Controller | mitre_t1207_rogue_domain_controller (https://attack.mitre.org/techniques/T1207) |
| T1491 | Defacement | mitre_t1491_defacement (https://attack.mitre.org/techniques/T1491) |
| T1140 | Deobfuscate/Decode Files or Information | mitre_t1140_deobfuscate_or_decode_files_or_info (https://attack.mitre.org/techniques/T1140) |
| T1089 | Disabling Security Tools | mitre_t1089_disabling_security_tools (https://attack.mitre.org/techniques/T1089) |
| T1488 | Disk Content Wipe | mitre_t1488_disk_content_wipe (https://attack.mitre.org/techniques/T1488) |
| T1487 | Disk Structure Wipe | mitre_t1487_disk_structure_wipe (https://attack.mitre.org/techniques/T1487) |
| T1561 | Disk Wipe | mitre_t1561_disk_wipe (https://attack.mitre.org/techniques/T1561) |
| T1038 | DLL Search Order Hijacking | mitre_t1038_dll_search_order_hij (https://attack.mitre.org/techniques/T1038) |
| T1073 | DLL Side-Loading | mitre_t1073_dll_side_loading (https://attack.mitre.org/techniques/T1073) |
| T1172 | Domain Fronting | mitre_t1172_domain_fronting (https://attack.mitre.org/techniques/T1172) |
| T1483 | Domain Generation Algorithms | mitre_t1483_domain_generation_algorithms (https://attack.mitre.org/techniques/T1483) |
| T1482 | Domain Trust Discovery | mitre_t1482_domain_trust_discovery (https://attack.mitre.org/techniques/T1482) |
| T1189 | Drive-by Compromise | mitre_t1189_drive_by_compromise (https://attack.mitre.org/techniques/T1189) |
| T1157 | Dylib Hijacking | mitre_t1157_dylib_hijacking (https://attack.mitre.org/techniques/T1157) |
| T1173 | Dynamic Data Exchange | mitre_t1173_dynamic_data_exchange (https://attack.mitre.org/techniques/T1173) |
| T1568 | Dynamic Resolution | mitre_t1568_dynamic_resolution (https://attack.mitre.org/techniques/T1568) |
| T1514 | Elevated Execution with Prompt | mitre_t1514_elevated_execution_with_prompt (https://attack.mitre.org/techniques/T1514) |
| T1114 | Email Collection | mitre_t1114_email_collection (https://attack.mitre.org/techniques/T1114) |
| T1573 | Encrypted Channel | mitre_t1573_encrypted_channel (https://attack.mitre.org/techniques/T1573) |
| T1499 | Endpoint Denial of Service | mitre_t1499_endpoint_denial_of_service (https://attack.mitre.org/techniques/T1499) |
| T1546 | Event Triggered Execution | mitre_t1546_event_triggered_exec (https://attack.mitre.org/techniques/T1546) |
| T1480 | Execution Guardrails | mitre_t1480_exec_guardrails (https://attack.mitre.org/techniques/T1480) |
| T1106 | Native API | mitre_t1106_native_api (https://attack.mitre.org/techniques/T1106) |
| T1129 | Shared Modules | mitre_t1129_shared_modules (https://attack.mitre.org/techniques/T1129) |
| T1048 | Exfiltration Over Alternative Protocol | mitre_t1048_exfil_over_alt_proto (https://attack.mitre.org/techniques/T1048) |
| T1041 | Exfiltration Over Command and Control Channel | mitre_t1041_exfil_over_c2 (https://attack.mitre.org/techniques/T1041) |
| T1011 | Exfiltration Over Other Network Medium | mitre_t1011_exfil_over_other_network_medium (https://attack.mitre.org/techniques/T1011) |
| T1052 | Exfiltration Over Physical Medium | mitre_t1052_exfil_over_physical_medium (https://attack.mitre.org/techniques/T1052) |
| T1190 | Exploit Public-Facing Application | mitre_t1190_exploit_public_facing_app (https://attack.mitre.org/techniques/T1190) |
| T1203 | Exploitation for Client Execution | mitre_t1203_exploit_for_client_exec (https://attack.mitre.org/techniques/T1203) |
| T1212 | Exploitation for Credential Access | mitre_t1212_exploit_for_cred_access (https://attack.mitre.org/techniques/T1212) |
| T1211 | Exploitation for Defense Evasion | mitre_t1211_exploit_for_defense_evasion (https://attack.mitre.org/techniques/T1211) |
| T1068 | Exploitation for Privilege Escalation | mitre_t1068_exploit_for_priv_escalation (https://attack.mitre.org/techniques/T1068) |
| T1210 | Exploitation of Remote Services | mitre_t1210_exploit_of_remote_services (https://attack.mitre.org/techniques/T1210) |
| T1133 | External Remote Services | mitre_t1133_external_remote_services (https://attack.mitre.org/techniques/T1133) |
| T1181 | Extra Window Memory Injection | mitre_t1181_extra_window_memory_inject (https://attack.mitre.org/techniques/T1181) |
| T1008 | Fallback Channels | mitre_t1008_fallback_channels (https://attack.mitre.org/techniques/T1008) |
| T1083 | File and Directory Discovery | mitre_t1083_file_and_dir_discovery (https://attack.mitre.org/techniques/T1083) |
| T1222 | File and Directory Permissions Modification | mitre_t1222_file_and_dir_perms_mod (https://attack.mitre.org/techniques/T1222) |
| T1107 | File Deletion | mitre_t1107_file_deletion (https://attack.mitre.org/techniques/T1107) |
| T1006 | Direct Volume Access | mitre_t1006_direct_volume_access (https://attack.mitre.org/techniques/T1006) |
| T1044 | File System Permissions Weakness | mitre_t1044_file_sys_perms_weakness (https://attack.mitre.org/techniques/T1044) |
| T1495 | Firmware Corruption | mitre_t1495_firmware_corruption (https://attack.mitre.org/techniques/T1495) |
| T1187 | Forced Authentication | mitre_t1187_forced_auth (https://attack.mitre.org/techniques/T1187) |
| T1144 | Gatekeeper Bypass | mitre_t1144_gatekeeper_bypass (https://attack.mitre.org/techniques/T1144) |
| T1061 | Graphical User Interface | mitre_t1061_graphical_user_interface (https://attack.mitre.org/techniques/T1061) |
| T1484 | Group Policy Modification | mitre_t1484_group_policy_mod (https://attack.mitre.org/techniques/T1484) |
| T1200 | Hardware Additions | mitre_t1200_hardware_additions (https://attack.mitre.org/techniques/T1200) |
| T1158 | Hidden Files and Directories | mitre_t1158_hidden_files_and_directories (https://attack.mitre.org/techniques/T1158) |
| T1147 | Hidden Users | mitre_t1147_hidden_users (https://attack.mitre.org/techniques/T1147) |
| T1143 | Hidden Window | mitre_t1143_hidden_window (https://attack.mitre.org/techniques/T1143) |
| T1564 | Hide Artifacts | mitre_t1564_hide_artifacts (https://attack.mitre.org/techniques/T1564) |
| T1574 | Hijack Execution Flow | mitre_t1574_hijack_exec_flow (https://attack.mitre.org/techniques/T1574) |
| T1148 | HISTCONTROL | mitre_t1148_histcontrol (https://attack.mitre.org/techniques/T1148) |
| T1179 | Hooking | mitre_t1179_hooking (https://attack.mitre.org/techniques/T1179) |
| T1062 | Hypervisor | mitre_t1062_hypervisor (https://attack.mitre.org/techniques/T1062) |
| T1183 | Image File Execution Options Injection | mitre_t1183_image_file_exec_options_inject (https://attack.mitre.org/techniques/T1183) |
| T1562 | Impair Defenses | mitre_t1562_impair_defenses (https://attack.mitre.org/techniques/T1562) |
| T1054 | Indicator Blocking | mitre_t1054_indicator_blocking (https://attack.mitre.org/techniques/T1054) |
| T1066 | Indicator Removal from Tools | mitre_t1066_indicator_removal_from_tools (https://attack.mitre.org/techniques/T1066) |
| T1070 | Indicator Removal on Host | mitre_t1070_indicator_removal_on_host (https://attack.mitre.org/techniques/T1070) |
| T1202 | Indirect Command Execution | mitre_t1202_indirect_command_execution (https://attack.mitre.org/techniques/T1202) |
| T1490 | Inhibit System Recovery | mitre_t1490_inhibit_sys_recovery (https://attack.mitre.org/techniques/T1490) |
| T1056 | Input Capture | mitre_t1056_input_capture (https://attack.mitre.org/techniques/T1056) |
| T1141 | Input Prompt | mitre_t1141_input_prompt (https://attack.mitre.org/techniques/T1141) |
| T1130 | Install Root Certificate | mitre_t1130_install_root_certificate (https://attack.mitre.org/techniques/T1130) |
| T1118 | InstallUtil | mitre_t1118_installutil (https://attack.mitre.org/techniques/T1118) |
| T1559 | Inter-Process Communication | mitre_t1559_inter_proc_comm (https://attack.mitre.org/techniques/T1559) |
| T1208 | Kerberoasting | mitre_t1208_kerberoasting (https://attack.mitre.org/techniques/T1208) |
| T1215 | Kernel Modules and Extensions | mitre_t1215_kernel_modules_and_extensions (https://attack.mitre.org/techniques/T1215) |
| T1142 | Keychain | mitre_t1142_keychain (https://attack.mitre.org/techniques/T1142) |
| T1570 | Lateral Tool Transfer | mitre_t1570_lateral_tool_transfer (https://attack.mitre.org/techniques/T1570) |
| T1159 | Launch Agent | mitre_t1159_launch_agent (https://attack.mitre.org/techniques/T1159) |
| T1160 | Launch Daemon | mitre_t1160_launch_daemon (https://attack.mitre.org/techniques/T1160) |
| T1152 | Launchctl | mitre_t1152_launchctl (https://attack.mitre.org/techniques/T1152) |
| T1161 | LC_LOAD_DYLIB Addition | mitre_t1161_lc_load_dylib_addition (https://attack.mitre.org/techniques/T1161) |
| T1149 | LC_MAIN Hijacking | mitre_t1149_lc_main_hijacking (https://attack.mitre.org/techniques/T1149) |
| T1171 | LLMNR/NBT-NS Poisoning and Relay | mitre_t1171_llmnr_nbt_ns_poisoning_and_relay (https://attack.mitre.org/techniques/T1171) |
| T1168 | Local Job Scheduling | mitre_t1168_local_job_scheduling (https://attack.mitre.org/techniques/T1168) |
| T1162 | Login Item | mitre_t1162_login_item (https://attack.mitre.org/techniques/T1162) |
| T1037 | Logon Scripts | mitre_t1037_logon_scripts (https://attack.mitre.org/techniques/T1037) |
| T1177 | LSASS Driver | mitre_t1177_lsass_driver (https://attack.mitre.org/techniques/T1177) |
| T1185 | Man in the Browser | mitre_t1185_man_in_the_browser (https://attack.mitre.org/techniques/T1185) |
| T1557 | Man-in-the-Middle | mitre_t1557_man_in_the_middle (https://attack.mitre.org/techniques/T1557) |
| T1036 | Masquerading | mitre_t1036_masquerading (https://attack.mitre.org/techniques/T1036) |
| T1556 | Modify Authentication Process | mitre_t1556_modify_auth_proc (https://attack.mitre.org/techniques/T1556) |
| T1578 | Modify Cloud Compute Infrastructure | mitre_t1578_modify_cloud_compute_infra (https://attack.mitre.org/techniques/T1578) |
| T1031 | Modify Existing Service | mitre_t1031_modify_existing_service (https://attack.mitre.org/techniques/T1031) |
| T1112 | Modify Registry | mitre_t1112_modify_registry (https://attack.mitre.org/techniques/T1112) |
| T1170 | Mshta | mitre_t1170_mshta (https://attack.mitre.org/techniques/T1170) |
| T1188 | Multi-hop Proxy | mitre_t1188_multi_hop_proxy (https://attack.mitre.org/techniques/T1188) |
| T1104 | Multi-Stage Channels | mitre_t1104_multi_stage_channels (https://attack.mitre.org/techniques/T1104) |
| T1026 | Multiband Communication | mitre_t1026_multiband_comm (https://attack.mitre.org/techniques/T1026) |
| T1079 | Multilayer Encryption | mitre_t1079_multilayer_encryption |
(https://attack.mitre.org/techniques/T1079) T1128 Netsh Helper DLL mitre_t1128_netsh_helper_dll (https://attack.mitre.org/techniques/T1128) T1498 Network Denial of Service mitre_t1498_network_denial_of_service (https://attack.mitre.org/techniques/T1498) T1046 Network Service Scanning mitre_t1046_network_service_scanning (https://attack.mitre.org/techniques/T1046) T1126 Network Share Connection Removal mitre_t1126_network_share_connection_removal (https://attack.mitre.org/techniques/T1126) T1135 Network Share Discovery mitre_t1135_network_share_discovery (https://attack.mitre.org/techniques/T1135) T1040 Network Sni ng mitre_t1040_network_sni ng (https://attack.mitre.org/techniques/T1040) T1050 New Service mitre_t1050_new_service (https://attack.mitre.org/techniques/T1050) T1095 Non-Application Layer Protocol mitre_t1095_non_app_layer_proto (https://attack.mitre.org/techniques/T1095) T1571 Non-Standard Port mitre_t1571_non_std_port (https://attack.mitre.org/techniques/T1571) T1096 NTFS File Attributes mitre_t1096_ntfs_ le_attrib (https://attack.mitre.org/techniques/T1096) T1027 Obfuscated Files or Information mitre_t1027_obfuscate_ les_or_info (https://attack.mitre.org/techniques/T1027) T1137 O ce Application Startup mitre_t1137_o ce_app_startup (https://attack.mitre.org/techniques/T1137) T1502 Parent PID Spoo ng mitre_t1502_parent_pid_spoo ng (https://attack.mitre.org/techniques/T1502) T1075 Pass the Hash mitre_t1075_pass_the_hash (https://attack.mitre.org/techniques/T1075)
  • 43. ID Name Link to Technique Details T1097 Pass the Ticket mitre_t1097_pass_the_ticket (https://attack.mitre.org/techniques/T1097) T1174 Password Filter DLL mitre_t1174_password_ lter_dll (https://attack.mitre.org/techniques/T1174) T1201 Password Policy Discovery mitre_t1201_password_policy_discovery (https://attack.mitre.org/techniques/T1201) T1034 Path Interception mitre_t1034_path_intercept (https://attack.mitre.org/techniques/T1034) T1120 Peripheral Device Discovery mitre_t1120_periph_discovery (https://attack.mitre.org/techniques/T1120) T1069 Permission Groups Discovery mitre_t1069_permission_discovery (https://attack.mitre.org/techniques/T1069) T1566 Phishing mitre_t1566_phishing (https://attack.mitre.org/techniques/T1566) T1150 Plist Modi cation mitre_t1150_plist_mod (https://attack.mitre.org/techniques/T1150) T1205 Tra c Signaling mitre_t1205_tra c_signaling (https://attack.mitre.org/techniques/T1205) T1013 Port Monitors mitre_t1013_port_monitors (https://attack.mitre.org/techniques/T1013) T1086 PowerShell mitre_t1086_powershell (https://attack.mitre.org/techniques/T1086) T1504 PowerShell Pro le mitre_t1504_powershell_pro le (https://attack.mitre.org/techniques/T1504) T1542 Pre-OS Boot mitre_t1542_pre_os_boot (https://attack.mitre.org/techniques/T1542) T1145 Private Keys mitre_t1145_private_keys (https://attack.mitre.org/techniques/T1145) T1057 Process Discovery mitre_t1057_process_discovery (https://attack.mitre.org/techniques/T1057) T1186 Process Doppelgänging mitre_t1186_process_doppelganging (https://attack.mitre.org/techniques/T1186) T1093 Process Hollowing mitre_t1093_process_hollowing (https://attack.mitre.org/techniques/T1093) T1055 Process Injection mitre_t1055_process_inject 
(https://attack.mitre.org/techniques/T1055) T1090 Proxy mitre_t1090_proxy (https://attack.mitre.org/techniques/T1090) T1012 Query Registry mitre_t1012_query_registry (https://attack.mitre.org/techniques/T1012) T1163 Rc.common mitre_t1163_rc_common (https://attack.mitre.org/techniques/T1163) T1164 Re-opened Applications mitre_t1164_re_opened_apps (https://attack.mitre.org/techniques/T1164) T1108 Redundant Access mitre_t1108_redundant_access (https://attack.mitre.org/techniques/T1108) T1060 Registry Run Keys / Startup Folder mitre_t1060_reg_run_keys (https://attack.mitre.org/techniques/T1060) T1121 Regsvcs/Regasm mitre_t1121_regsvcs_regasm (https://attack.mitre.org/techniques/T1121) T1117 Regsvr32 mitre_t1117_regsvr32 (https://attack.mitre.org/techniques/T1117) T1219 Remote Access Software mitre_t1219_remote_access_software (https://attack.mitre.org/techniques/T1219) T1076 Remote Desktop Protocol mitre_t1076_remote_desktop_proto (https://attack.mitre.org/techniques/T1076) T1105 Ingress Tool Transfer mitre_t1105_ingress_tool_transfer (https://attack.mitre.org/techniques/T1105) T1021 Remote Services mitre_t1021_remote_services (https://attack.mitre.org/techniques/T1021) T1563 Remote Service Session Hijacking mitre_t1563_remote_svc_session_hijack (https://attack.mitre.org/techniques/T1563) T1018 Remote System Discovery mitre_t1018_remote_sys_discovery (https://attack.mitre.org/techniques/T1018)
  • 44. ID Name Link to Technique Details T1091 Replication Through Removable Media mitre_t1091_replication_thru_removable_media (https://attack.mitre.org/techniques/T1091) T1496 Resource Hijacking mitre_t1496_resource_hijacking (https://attack.mitre.org/techniques/T1496) T1014 Rootkit mitre_t1014_rootkit (https://attack.mitre.org/techniques/T1014) T1085 Rundll32 mitre_t1085_rundll32 (https://attack.mitre.org/techniques/T1085) T1494 Runtime Data Manipulation mitre_t1494_runtime_data_manip (https://attack.mitre.org/techniques/T1494) T1053 Scheduled Task or Job mitre_t1053_scheduled_task_or_job (https://attack.mitre.org/techniques/T1053) T1029 Scheduled Transfer mitre_t1029_scheduled_transfer (https://attack.mitre.org/techniques/T1029) T1113 Screen Capture mitre_t1113_screen_cap (https://attack.mitre.org/techniques/T1113) T1180 Screensaver mitre_t1180_screensaver (https://attack.mitre.org/techniques/T1180) T1064 Scripting mitre_t1064_scripting (https://attack.mitre.org/techniques/T1064) T1063 Security Software Discovery mitre_t1063_sec_software_discovery (https://attack.mitre.org/techniques/T1063) T1101 Security Support Provider mitre_t1101_security_support_provider (https://attack.mitre.org/techniques/T1101) T1167 Securityd Memory mitre_t1167_securityd_memory (https://attack.mitre.org/techniques/T1167) T1505 Server Software Component mitre_t1505_server_software_component (https://attack.mitre.org/techniques/T1505) T1035 Service Execution mitre_t1035_service_execution (https://attack.mitre.org/techniques/T1035) T1058 Service Registry Permissions Weakness mitre_t1058_service_reg_perms_weakness (https://attack.mitre.org/techniques/T1058) T1489 Service Stop mitre_t1489_service_stop 
(https://attack.mitre.org/techniques/T1489) T1166 Setuid and Setgid mitre_t1166_setuid_and_setgid (https://attack.mitre.org/techniques/T1166) T1051 Shared Webroot mitre_t1051_shared_webroot (https://attack.mitre.org/techniques/T1051) T1023 Shortcut Modi cation mitre_t1023_shortcut_mod (https://attack.mitre.org/techniques/T1023) T1178 SID-History Injection mitre_t1178_sid_history_inject (https://attack.mitre.org/techniques/T1178) T1218 Signed Binary Proxy Execution mitre_t1218_signed_binary_proxy_exec (https://attack.mitre.org/techniques/T1218) T1216 Signed Script Proxy Execution mitre_t1216_signed_script_proxy_exec (https://attack.mitre.org/techniques/T1216) T1198 SIP and Trust Provider Hijacking mitre_t1198_sip_and_trust_provider_hijacking (https://attack.mitre.org/techniques/T1198) T1072 Software Deployment Tools mitre_t1072_software_deployment_tools (https://attack.mitre.org/techniques/T1072) T1518 Software Discovery mitre_t1518_software_discovery (https://attack.mitre.org/techniques/T1518) T1045 Software Packing mitre_t1045_software_packaging (https://attack.mitre.org/techniques/T1045) T1153 Source mitre_t1153_source (https://attack.mitre.org/techniques/T1153) T1151 Space after Filename mitre_t1151_space_after_ lename (https://attack.mitre.org/techniques/T1151) T1193 Spearphishing Attachment mitre_t1193_spearphishing_attachment (https://attack.mitre.org/techniques/T1193)
  • 45. ID Name Link to Technique Details T1192 Spearphishing Link mitre_t1192_spearphishing_link (https://attack.mitre.org/techniques/T1192) T1194 Spearphishing via Service mitre_t1194_spearphishing_via_service (https://attack.mitre.org/techniques/T1194) T1184 SSH Hijacking mitre_t1184_ssh_hijacking (https://attack.mitre.org/techniques/T1184) T1071 Standard Application Layer Protocol mitre_t1071_stnd_app_layer_proto (https://attack.mitre.org/techniques/T1071) T1032 Standard Cryptographic Protocol mitre_t1032_stnd_crypt_layer_proto (https://attack.mitre.org/techniques/T1032) T1165 Startup Items mitre_t1165_startup_items (https://attack.mitre.org/techniques/T1165) T1558 Steal or Forge Kerberos Tickets mitre_t1558_steal_or_forge_kerberos_tickets (https://attack.mitre.org/techniques/T1558) T1492 Stored Data Manipulation mitre_t1492_stored_data_manip (https://attack.mitre.org/techniques/T1492) T1553 Subvert Trust Controls mitre_t1553_subvert_trust_controls (https://attack.mitre.org/techniques/T1553) T1169 Sudo mitre_t1169_sudo (https://attack.mitre.org/techniques/T1169) T1206 Sudo Caching mitre_t1206_sudo_caching (https://attack.mitre.org/techniques/T1206) T1195 Supply Chain Compromise mitre_t1195_supply_chain_compromise (https://attack.mitre.org/techniques/T1195) T1019 System Firmware mitre_t1019_system_ rmware (https://attack.mitre.org/techniques/T1019) T1082 System Information Discovery mitre_t1082_sys_inf_discovery (https://attack.mitre.org/techniques/T1082) T1016 System Network Con guration Discovery mitre_t1016_sys_net_con g_discovery (https://attack.mitre.org/techniques/T1016) T1049 System Network Connections Discovery mitre_t1049_sys_network_connections_discovery (https://attack.mitre.org/techniques/T1049) 
T1033 System Owner/User Discovery mitre_t1033_sys_owner_or_usr_discovery (https://attack.mitre.org/techniques/T1033) T1569 System Services mitre_t1569_sys_svs (https://attack.mitre.org/techniques/T1569) T1007 System Service Discovery mitre_t1007_sys_service_discovery (https://attack.mitre.org/techniques/T1007) T1124 System Time Discovery mitre_t1124_sys_time_discovery (https://attack.mitre.org/techniques/T1124) T1501 Systemd Service mitre_t1501_systemd_service (https://attack.mitre.org/techniques/T1501) T1080 Taint Shared Content mitre_t1080_taint_shared_content (https://attack.mitre.org/techniques/T1080) T1221 Template Injection mitre_t1221_template_inject (https://attack.mitre.org/techniques/T1221) T1209 Time Providers mitre_t1209_time_providers (https://attack.mitre.org/techniques/T1209) T1099 Timestomp mitre_t1099_timestomp (https://attack.mitre.org/techniques/T1099) T1493 Transmitted Data Manipulation mitre_t1493_transmitted_data_manip (https://attack.mitre.org/techniques/T1493) T1154 Trap mitre_t1154_trap (https://attack.mitre.org/techniques/T1154) T1127 Trusted Developer Utilities Proxy Execution mitre_t1127_trusted_developer_util_proxy_exec (https://attack.mitre.org/techniques/T1127) T1199 Trusted Relationship mitre_t1199_trusted_relationship (https://attack.mitre.org/techniques/T1199) T1111 Two-Factor Authentication Interception mitre_t1111_two_factor_auth_intercept (https://attack.mitre.org/techniques/T1111) T1065 Uncommonly Used Port mitre_t1065_uncommonly_used_port (https://attack.mitre.org/techniques/T1065)
  • 46. ID Name Link to Technique Details T1552 Unsecured Credentials mitre_t1552_unsecure_creds (https://attack.mitre.org/techniques/T1552) T1550 Use Alternate Authentication Material mitre_t1550_use_alt_auth_material (https://attack.mitre.org/techniques/T1550) T1204 User Execution mitre_t1204_user_execution (https://attack.mitre.org/techniques/T1204) T1078 Valid Accounts mitre_t1078_valid_accounts (https://attack.mitre.org/techniques/T1078) T1125 Video Capture mitre_t1125_video_capture (https://attack.mitre.org/techniques/T1125) T1497 Virtualization/Sandbox Evasion mitre_t1497_virtualization_or_sandbox_evasion (https://attack.mitre.org/techniques/T1497) T1102 Web Service mitre_t1102_web_service (https://attack.mitre.org/techniques/T1102) T1100 Web Shell mitre_t1100_web_shell (https://attack.mitre.org/techniques/T1100) T1077 Windows Admin Shares mitre_t1077_win_admin_shares (https://attack.mitre.org/techniques/T1077) T1047 Windows Management Instrumentation mitre_t1047_win_mgmt_instru (https://attack.mitre.org/techniques/T1047) T1084 Windows Management Instrumentation Event Subscription mitre_t1084_mgmt_instru_evt_subscription (https://attack.mitre.org/techniques/T1084) T1028 Windows Remote Management mitre_t1028_win_remote_mgmt (https://attack.mitre.org/techniques/T1028) T1004 Winlogon Helper DLL mitre_t1004_winlogon_helper_dll (https://attack.mitre.org/techniques/T1004) T1220 XSL Script Processing mitre_t1220_xsl_script_processing (https://attack.mitre.org/techniques/T1220)
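The table above pairs each Carbon Black Cloud TTP tag (for example mitre_t1055_process_inject) with its ATT&CK ID and technique page. When these tags arrive on alerts or in exported events, an analyst usually wants them resolved back to the ATT&CK ID and link, and wants to know that a copied table has not been mangled in transit. The following Python is an added example written for this guide, not Carbon Black's own code or API: it parses rows in the flattened "ID Name tag (URL)" form shown above, recovers the technique ID from a tag alone, cross-checks each row's ID, tag number and URL suffix against one another, and enriches a list of alert tags. The sample rows are copied from the table; the T9999 row is a constructed, deliberately inconsistent entry included only to show what the consistency check reports.

```python
import re
from dataclasses import dataclass

# One flattened row of the table above looks like:
#   T1055 Process Injection mitre_t1055_process_inject (https://.../techniques/T1055)
# The name is matched lazily so multi-word names such as
# "Registry Run Keys / Startup Folder" are captured whole.
ROW_RE = re.compile(
    r"(?P<id>T\d{4})\s+"
    r"(?P<name>.+?)\s+"
    r"(?P<tag>mitre_t\d{4}_[a-z0-9_]+)\s+"
    r"\((?P<url>https?://[^\s)]+)\)"
)

# Every Carbon Black Cloud TTP tag in the table starts with mitre_t<4 digits>_.
TAG_RE = re.compile(r"^mitre_t(\d{4})_")


@dataclass(frozen=True)
class Technique:
    technique_id: str   # ATT&CK ID, e.g. "T1055"
    name: str           # human-readable technique name
    tag: str            # Carbon Black Cloud TTP tag, e.g. "mitre_t1055_process_inject"
    url: str            # link to the technique page


def parse_rows(text: str) -> dict:
    """Parse flattened table text into {tag: Technique}; malformed rows are skipped."""
    return {
        m["tag"]: Technique(m["id"], m["name"], m["tag"], m["url"])
        for m in ROW_RE.finditer(text)
    }


def technique_id_from_tag(tag: str):
    """Recover the ATT&CK ID from a TTP tag without consulting the table."""
    m = TAG_RE.match(tag)
    return f"T{m.group(1)}" if m else None


def consistency_problems(techniques: dict) -> list:
    """Return (tag, reason) pairs for rows whose columns disagree with each other.

    This catches transcription or extraction damage: the number embedded in
    the tag and the suffix of the URL must both equal the ID column.
    """
    problems = []
    for t in techniques.values():
        if technique_id_from_tag(t.tag) != t.technique_id:
            problems.append((t.tag, "tag number does not match ID"))
        if not t.url.endswith("/" + t.technique_id):
            problems.append((t.tag, "URL does not end with ID"))
    return problems


def enrich(alert_tags, techniques: dict) -> list:
    """Map the TTP tags on one alert to (tag, ATT&CK ID, name, url) tuples.

    Tags missing from the table are kept, with the ID recovered from the tag
    itself and no name or URL, so nothing is silently dropped.
    """
    out = []
    for tag in alert_tags:
        t = techniques.get(tag)
        if t:
            out.append((tag, t.technique_id, t.name, t.url))
        else:
            out.append((tag, technique_id_from_tag(tag), None, None))
    return out


# Three rows copied from the table above plus one constructed, deliberately
# inconsistent row (T9999) whose tag number does not match its ID.
SAMPLE_ROWS = """
T1055 Process Injection mitre_t1055_process_inject (https://attack.mitre.org/techniques/T1055)
T1060 Registry Run Keys / Startup Folder mitre_t1060_reg_run_keys (https://attack.mitre.org/techniques/T1060)
T1086 PowerShell mitre_t1086_powershell (https://attack.mitre.org/techniques/T1086)
T9999 Constructed Bad Row mitre_t1234_constructed_bad_row (https://attack.mitre.org/techniques/T9999)
"""

if __name__ == "__main__":
    table = parse_rows(SAMPLE_ROWS)
    print("problems:", consistency_problems(table))
    print(enrich(["mitre_t1055_process_inject", "mitre_t1105_ingress_tool_transfer"], table))
```

To use it against the full table, feed parse_rows the whole block of rows; consistency_problems then reports any row whose three columns disagree before the mapping is relied on for enrichment.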
Live Query

With Live Query, you can ask questions of endpoints and quickly identify areas for improved security and IT hygiene. You can run recommended queries created by Carbon Black security experts or craft your own SQL queries. Live Query is powered by osquery (https://osquery.io/), an open source project that uses an SQLite interface. Access is dependent on user role authorization. See the supported operating systems and sensors you can use with Live Query.

Live Query overview:
- Run a recommended query
- Create a SQL query
- View query results
- Remediate with Live Response

Recommended queries

Queries recommended by Carbon Black security experts are listed by category. A description is included along with the recommended run frequency. Click the + icon to see the full SQL.

To get started:
1. View recommended queries by selecting a category.
2. Use the search and OS filter to further refine the list.
3. Choose whether to be notified when a query is completed.
4. Select a policy or endpoints. The default selection is all endpoints.
5. Click Schedule to schedule a query to run daily, weekly, or monthly.
6. Click Run to start a one-time query. View the query status and results on the Query Results page.

SQL Query

If you're familiar with SQL, click the SQL Query tab to create more granular queries. For assistance writing valid SQL, view Intro to SQL (https://osquery.readthedocs.io/en/stable/introduction/sql/), osquery Tables (https://osquery.io/schema/3.3.0) or visit the Query Exchange (https://community.carbonblack.com/t5/CB-LiveOps-Knowledge/The-Query-Hub/ta-p/67631) for queries from Carbon Black security experts and other Live Query users.

To get started:
1. Name your query.
2. Select a policy or endpoints. The default selection is all endpoints.
3. Type or paste your SQL query into the text box.
4. Select Schedule query to schedule a query to run daily, weekly, or monthly.
5. Select Email me a summary of query results to be notified with results when a query is completed.
6. Click Run to start the query. View the query status and results on the Query Results page.

Supported Operating Systems

Live Query currently supports the following 64-bit operating systems:
- Windows 7+
- macOS 10.10+
- RHEL/CentOS 6+
- Ubuntu 16+
- SUSE 12+
- AWS Linux 2+

For a complete list of supported Linux distributions, see the User Exchange (https://community.carbonblack.com/t5/CB-LiveOps-Knowledge/Getting-Started-Live-Query/ta-p/44147). The 3.4+ sensor is required for Windows, the 3.3+ sensor for macOS, and the 2.3+ sensor for Linux.
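Because Live Query runs osquery SQL through an SQLite interface, a custom query can be prototyped offline in plain SQLite against small tables shaped like the osquery schema before it is pasted into the SQL Query tab and scheduled against real endpoints. The Python below is an added example written for this guide, not Carbon Black's or osquery's own code: it builds an in-memory SQLite database with two constructed fixture tables using a subset of the columns of osquery's processes and listening_ports tables (column names are assumed to follow the osquery schema linked above), runs an IT-hygiene query that lists every TCP listener bound to a non-loopback address together with its process and flags binaries that live outside /usr, and returns the rows so they can be checked. The fixture rows, paths and PIDs are constructed and carry no meaning beyond the example.

```python
import sqlite3

# Constructed fixture rows shaped like two osquery tables, restricted to the
# columns this query needs: processes(pid, name, path, cmdline) and
# listening_ports(pid, port, protocol, address). They stand in for the live
# endpoint so the SQL can be exercised in plain SQLite before scheduling it.
PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
    (412, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    (977, "python3", "/usr/bin/python3.8", "python3 -m http.server 8080"),
    (1203, "updater", "/tmp/.cache/updater", "/tmp/.cache/updater --listen"),
]
LISTENING_PORTS = [
    (412, 22, 6, "0.0.0.0"),
    (977, 8080, 6, "0.0.0.0"),
    (977, 0, 6, "127.0.0.1"),   # osquery reports port 0 for some sockets; filtered out below
    (1203, 4444, 6, "0.0.0.0"),
]

# The statement as it would be pasted into the SQL Query tab: every TCP
# (protocol 6) listener on a non-loopback address, joined to its process,
# with a flag for binaries outside /usr. The flag is a review signal for
# the analyst, not a verdict.
QUERY = """
SELECT p.pid, p.name, p.path, lp.port, lp.address,
       CASE WHEN p.path LIKE '/usr/%' THEN 0 ELSE 1 END AS outside_usr
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.protocol = 6
  AND lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
"""


def build_fixture() -> sqlite3.Connection:
    """Create an in-memory database holding the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT);
        CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, address TEXT);
    """)
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", PROCESSES)
    conn.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?)", LISTENING_PORTS)
    return conn


def run_query(sql: str = QUERY) -> list:
    """Run a Live Query style statement against the fixture and return the rows."""
    conn = build_fixture()
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def flagged_listeners(rows) -> list:
    """Names of the listening processes the query marked as outside /usr."""
    return [row[1] for row in rows if row[5] == 1]


if __name__ == "__main__":
    result = run_query()
    for row in result:
        print(row)
    print("review:", flagged_listeners(result))
```

Exercising the statement locally first catches SQL errors and column-name mistakes without consuming a 7-day query window on production endpoints; once it returns what you expect, the same text goes into the SQL Query tab unchanged.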
Query Results

Query results are available when devices start to respond. The wait time for results depends on the query type and complexity, whether devices are online, and the last time each sensor checked in. Queries run for up to 7 days, unless scheduled to run more frequently. Results are available for 30 days. Queries are grouped by One-Time and Scheduled queries.

One-Time Queries

One-time queries display the query start time, query name, devices responded, user who ran the query, and query status. Click the symbol next to the query name for more details. In the Actions column, click the dropdown arrow to Stop (if applicable), Rerun, Duplicate, or Delete a query.

Scheduled Queries

Scheduled queries display the last run time/date, query name, policy/endpoints, frequency, and run time. Click the symbol next to the query name for more details. In the Actions column, click the dropdown arrow to Edit, Stop schedule, or Delete a query.

Click the caret to the left of the query name to view scheduled queries that are still running or completed. Each query displays the query start time, devices responded, and status. In the Actions column, click the Stop button (if applicable) to stop a query or the X icon to delete the query.

View results

To view the results of a query, click the hyperlinked query name. Click the icon next to the query name for more details about the query, including the targeted policies, endpoints, and the full query SQL. You can view results from either the Results or Devices view. In each view, click the Take Action button to Stop (if applicable), Rerun, Duplicate, or Delete a query.

In the Results view, you will see whether devices have responded to your query. The Response and Device filters are always present. Other filters are generated based on your query. Click Export to download the data as a CSV file.

In the Devices view, you will see the status of your query on each device. The Status, Device, and Time columns are always present. Other columns are generated based on your query.

Live Response

In the Results view, you can access Live Response to directly remediate threats by remotely accessing a user's machine. Click the Live Response symbol >_ to the right of each device name to get started. If the icon is grayed out, the device is not connected to the network and cannot be accessed by Live Response.
Policies Overview

Policies are a group of rules that determine preventative behavior. Each endpoint sensor, or sensor group, is assigned to a policy.

Manage Policies
- Add, edit, and copy policies
- About built-in policies
- About ransomware

Policy Rules and Settings
- Create prevention policy rules
- Create AV exclusion rules
- Linux prevention capabilities
- General policy settings
- Local scan settings
- Enable background scan
- Windows background scan file types
- macOS background scan file types
- Enable WSC integration
Add, edit, and copy policies

Use the general policy settings and local scan settings tables to better understand the policy options available.

To add a new policy
1. Click New Policy.
2. Enter General information about the policy.
3. Click the Prevention, Local Scan, and Sensor tabs and configure the policy settings. Click Add.

To edit policy settings
1. Select a policy and modify its configuration as needed.
2. Click Save.

To copy a policy
1. Select a policy.
2. Open Blocking and Isolation and click the copy icon below the rule.
3. Click All Policies to copy the rule to all policies, or click Select Policies to search for and select specific policies. You can select multiple policies, one at a time.
4. Click Copy. You will receive a confirmation message that the policies are updated.

Note: If the rule you are copying conflicts with any rules in a destination policy, a modal will let you manage the rule conflicts. You can replace or skip a specific rule, or you can replace or skip all conflicting rules at once by selecting the Apply selection to all conflicts checkbox.
About built-in policies

Built-in Carbon Black Cloud policies are devised as templates for common use cases. You can assign sensors to these policies, change the policy settings, or duplicate the settings to create a new policy. Built-in policies cannot be deleted.

Standard policy
Blocks known and suspected malware and prevents risky operations like memory scraping and code injections. Newly deployed sensors are assigned this policy by default. It is the recommended starting point for new deployments.
Tip: Review and refine the Standard policy rules to avoid unnecessary blocks or false positives that are triggered by in-house or custom software applications, which may have reputations that the Carbon Black Cloud does not recognize.

Monitored policy
Monitors endpoint application activity and logs events to the Dashboard. This policy has no preventive capabilities.
Tip: Use the data that this policy provides to evaluate policy rule implementation needs.

Advanced policy
Extends the capabilities of the Standard policy by blocking operations from system utilities, and preventing riskier behaviors that are more likely to be false positives.
Tip: Use a phased roll-out approach to implement any new or Advanced policy rules. We recommend assigning Advanced policies to a group of pilot endpoints, and watching for false positives or blocks on legitimate software before rolling them out to more endpoints.
About ransomware

Ransomware policy rules

We recommend that rules for suspected malware, PUP, not-listed, and unknown reputations be added to your policies for protection against ransomware.

To set a ransomware policy rule
1. Click the policy to edit.
2. In either Permissions or Blocking and Isolation, select Add Application Path, enter the application path, and then select Performs ransomware-like behavior.
3. Click Confirm, then click Save.

Note: The only available action for Performs ransomware-like behavior is Terminate process. This is because denying ransomware access to the first file that an application tries to encrypt would not prevent it from attempting future encryption operations.

About ransomware

The most secure ransomware policy is a default deny posture that prevents all applications except those that are specifically approved from performing ransomware-like behavior. This policy requires tuning to handle false positives that are generated by applications whose legitimate activity mimics ransomware operations. The advantage of the default deny policy is protection from ransomware behaviors that originated from compromised applications that have a higher reputation (such as TRUSTED_WHITE_LIST), without listing all possible applications.

You should extensively test default deny policies on a single host before you apply the policy rules to production systems. After you have addressed false positives, perform a gradual rollout. Leave a few days between adding each group of endpoints, to address any new false positives. If good software is being terminated by ransomware-like behavior rules, approve the application.

Microsoft PowerShell and Python are popular targets for Windows and OSX, but any command interpreter that can receive code as part of its command line is a potential source of malicious activity. For stronger protection, consider including path-based rules for script interpreters.

Note: Custom policies supersede objects/hashes added to the company approved or banned lists.
General policy settings

Configure your policy settings to take certain preventative actions. Use the local scan settings to configure associated local scanner settings for the selected policy.
  • 56. Item Description Allow user to disable protection If selected, the Carbon Black Cloud sensor is displayed with a Protection on/o toggle, which lets the end user place the sensor in bypass mode.This option is grayed out unless you enable Show Sensor UI: Detail message. The Protection toggle only displays on single-user operating systems. The Protection toggle does not display on terminal servers. This setting applies to version 2.x and later sensors only. The users' ability to disable protection cannot be removed from 1.0.x sensors. Auto-delete known malware after... This option enables the Carbon Black Cloud to automatically delete known malware after a speci ed period of time. This setting applies to macOS sensor version 3.2.2 or later, or Windows sensor version 3.2.1 or later. Create MD5 hash Select this option to maintain MD5 hashes in logs. This option has no e ect on the security e cacy of the Carbon Black Cloud. Deselecting this option prevents the Carbon Black Cloud from logging MD5 hashes. For best performance, do not select this option. This setting applies to version 2.0 and later sensors only. 1.0 sensors always create MD5 hashes. Delay Execute for Cloud Scan This option speci es whether the Carbon Black Cloud delays the invocation of an executable until reputation information can be retrieved from the backend, if the local scan returns an inde nite result. This is a recommended setting. This setting applies to Windows version 2.0 and later sensors only. Enable Live Response Select this option to enable Live Response for this policy. This setting applies to version 3.0 and later sensors only. Enable private logging level Script les that have unknown reputations are uploaded unless this option is selected. This option also removes potentially sensitive details from the events that are uploaded. 
This includes: Redacting command-line arguments Obfuscating document le names Not resolving IP addresses to correlating domain names Policy Name A unique policy name. Policy Description The policy description. Require code to uninstall sensor Select this option to password-protect the action of uninstalling a sensor from an endpoint. If it is enabled, no user can uninstall a sensor that belongs to this policy without providing a deregistration code. This setting applies to version 3.1 and later sensors only. Run background scan If selected, the sensor will perform an initial, one-time inventory scan in the background to identify malware les that were pre- existing on the endpoint. Using this feature helps increase malware blocking e cacy for les that were pre-existing on the endpoint before the sensor installation. The standard background scan takes 3-5 days to complete (depending on number of les on the endpoint). It runs in low-priority mode to consume low system resources. This is the recommended scan. The expedited scan option takes 24 hours to complete, and is only recommended for testing and emergency incidents. System performance is a ected. Expedited scanning only applies to Windows sensors version 3.3 and later. The sensors invoke the background scan one time upon deployment. The current background scan state is logged to the NT Event Log or syslog together with the "BACKGROUND_SCAN" tag. Scan execute on network drives If selected, the sensor will scan les on network drives upon EXECUTE. This setting applies to version 2.0 and later sensors only. 1.0 sensors always scan network drives upon execute. Scan les on network drives If selected, the sensor will scan les on network drives upon READ. The default value for this setting is false. For best performance, deselect this setting.
Sensor UI: Detail message: Select this option to show the sensor UI on the endpoint. You can enter a message that displays on the sensor pop-up dialog. Mail-to links are supported. You can enter HTML markup as part of the text used in the sensor UI. If an HTML hyperlink is entered, the protocol (such as HTTP) is used in the link. For example: "http://www.google.com"

Submit unknown binaries for analysis: Select this option to enable the upload of unknown binaries for Cloud Analysis by Carbon Black and a third party. This setting applies to version 3.2 and later sensors only.

Target Value: The selected target value that is associated with this policy. Values are: Low, Medium, High, and Mission Critical.

Use Windows Security Center: Select this option to set the Carbon Black Cloud as the endpoints' antivirus protection software in conjunction with Windows Security Center. This setting applies to Windows version 2.10 and later sensors only.
Local scan settings
Configure local scan settings for a selected policy to enable the local scanner and control signature updates.

Scanner Config: On-Access File Scan Mode:
  Disabled - No scanning of files occurs.
  Normal - Scans new files (exes, dlls, scripts) on the first execute of that file (determined by hash).
  Aggressive - Scans all files on execute. The assigned reputation and policy rules apply.

Signature Updates: Allow Signature Updates:
  Enabled - Enables signature updates for the scanner.
  Disabled - Disables signature updates for the scanner.
  Frequency - Select how often the sensor checks in for signature pack updates using the specified update server.
  Staggered Update Randomization Window - Set a random window for staggered updates.

Update Servers for Internal Devices: Lets you add update servers for internal devices. You can use the default mirror infrastructure (http://updates.cdc.carbonblack.io/update) or use the provided field to enter your own mirror device URL.

Update Servers for Offsite Devices: Lets you add update servers for offsite devices. You can use the default mirror infrastructure (http://updates.cdc.carbonblack.io/update) or use the provided field to enter your own mirror device URL.
Create prevention policy rules
Permission rules
Blocking and Isolation rules
USB device blocking
Upload paths
Using wildcards in paths

Permission rules
Use permission rules to allow and log behavior, or to have the Carbon Black Cloud bypass a path entirely. Create permissions rules to set up exclusions for other AV/security products or to remove impediments for software developers' workstations.

To create or edit a permissions rule
1. Select a policy, then click the Prevention tab and open Permissions.
2. Click Add application path, or click the pencil icon next to an existing rule to edit it.
3. Type the application path in the text box. You can add multiple paths, delete paths or use wildcards. When adding multiple paths, each path must start on a new line. Do not separate with commas. You can delete a rule by clicking the trash can icon.
4. Select the desired Operation Attempt and Action attributes, click Confirm, then Save.

Tips: You can copy a rule from one policy to another policy, or to all policies. Operating system environment variables can be used as part of a policy rule in a path. For example: %WINDIR%.

Blocking and Isolation rules
To create or edit a blocking and isolation rule
1. Click a policy, then click the Prevention tab and open Blocking and Isolation.
2. Click Add application path, or click the pencil icon next to an existing rule to edit it. If you are adding an application path, use wildcards to create flexible policy rules. You can add multiple paths separated by commas. You can delete a rule by clicking the trash can icon.
3. Select the desired Operation Attempt and Action attributes, then click Confirm. If you set the action to Terminate process, you cannot concurrently deny the operation. Click Save.

USB device blocking
To block access to all unapproved USB devices:
1. On the Policies page, click the Prevention tab, and open USB Device Blocking.
2. Turn on blocking by selecting Block access to all unapproved USB devices.
3. Copy the same setting to all policies or a specific policy by clicking Copy setting to other policies.
Note: USB device blocking is only available for Windows sensors 3.6+.

Upload paths
To deny or allow an upload path
1. Click a policy, then click the Prevention tab and open Uploads at the bottom of the page.
2. Type the application path into one of the text boxes:
   No Upload: to deny the sensor from sending uploads from the path
   Upload: to allow the sensor to send uploads from the path
   You can add multiple paths (each path must start on a new line), use wildcards, or delete paths. Do not separate with commas.
3. Click Save.

Using wildcards in paths
When adding a path, you can use wildcards to target certain files or directories.

Wildcard: *
Description: Matches 0 or more consecutive characters up to a single subdirectory level.
Example: C:\program files*\custom application\*.exe
Matches any executable files in:
  c:\program files\custom application
  c:\program files (x86)\custom application

Wildcard: **
Description: Matches a partial path across all subdirectory levels and is recursive.
Example: C:\Python27\Lib\site-packages\**
Matches any files in that directory and all subdirectories.

Wildcard: ?
Description: Matches 0 or 1 character in that position.
Example: C:\Program Files\Microsoft Visual Studio 1?.0\**
Matches any files in the MS Visual Studio version 1 or versions 10-19.
Create AV exclusion rules
Other AV products used in your organization will require custom rules to be permitted to run as usual.
1. On the Policies page, select the Prevention tab, then open Permissions.
2. Select the policy to update, then click Add application path.
3. Enter the AV's recommended file/folder exclusions from the security vendor.
4. Set the operation attempt Performs any operation to Bypass.
5. Click Confirm, then Save.

If you also use other security products, use the following to create exclusions for the Carbon Black Cloud Endpoint Standard (formerly Defense) sensor:

Endpoint Standard on Windows:
  C:\Program Files\Confer
  C:\ProgramData\CarbonBlack
  C:\Windows\System32\drivers\ctifile.sys
  C:\Windows\System32\drivers\ctinet.sys

Endpoint Standard on macOS:
  /Applications/Confer.app/

Endpoint Standard on Linux platforms:
  /var/opt/carbonblack/
  /opt/carbonblack/

Note: Some security vendors may require a trailing asterisk (*) to signify all directory contents.
Linux prevention capabilities
The Linux 2.7.0 sensor now supports essential malware prevention capabilities for RHEL and CentOS 6/7. See Supported Linux Distributions (https://community.carbonblack.com/t5/Documentation-Downloads/Carbon-Black-Cloud-sensor-Linux-sensor-support/tac-p/76214#M2251).

Blocking and Isolation rules for Linux
Linux 2.7.0 sensor supported prevention capabilities are indicated by the Linux icon on the Prevention tab. Only the Runs or is running operation attempt is actionable on Linux endpoints for these rules. If a policy includes other selections which are not available for Linux, those selections will only apply to the Windows or macOS endpoints assigned to the policy.

Known malware: When selected for the policy, the Linux sensor will apply either a Deny operation or Terminate process policy action, as selected, when a process runs or is running with the reputation of KNOWN_MALWARE.

Application on the company banned list: When selected for the policy, the Linux sensor will apply either a Deny operation or Terminate process policy action, as selected, when a process runs or is running with the reputation of COMPANY_BLACK_LIST. Hashes can be added to the company banned list manually on the Reputation page, or throughout the console when the option is provided.

Note: Linux sensor v2.7.0 also supports adding hashes to the company approved list. This can be done manually on the Reputation page, or throughout the console when the option is provided.
Enable background scan
Background scan is enabled per policy. The background scan runs after initial install according to the policy setting.

To enable background scan
1. Click a policy. On the Sensor tab, select the Run background scan box.
2. Click Save.
3. The sensor will perform an initial, one-time inventory scan in the background to identify malware files that were pre-existing on the endpoint.

About background scans
Standard background scans take 3-5 days to complete and run in low-priority mode to consume low system resources. Expedited scans take 24 hours to complete and are only recommended for testing and emergency incidents, as system performance is affected. Expedited scanning only applies to Windows sensors version 3.3+. See the lists of Windows background scan file types and macOS background scan file types to identify which types of files will be scanned by the sensor.

Note: The current background scan state is logged to the NT Event Log or syslog together with the "BACKGROUND_SCAN" tag. RepMgr logs status on each start and then every 24 hours. The scan completed status message is "BACKGROUND_SCAN: COMPLETE."
MacOS background scan file types
The macOS sensor relies on both file magic header detection and file extensions to determine file types to be scanned by the background scan. Magic header detection is used when a file has no extension or an arbitrary (obfuscated) extension.
Categories: Binary files, Data files, Installer files, Script files, Windows script files (by extension only)

Binary files
  Apple executables
  Apple driver extensions
  Apple dynamic libraries
  Windows executables
  Windows dynamic libraries

Data files
  Adobe PDF
  MS Office
  Open Office

Installer files
  Apple installers (DMG, PKG)
  By extension only: Windows MSI files, Android APK installers

Script files
  java (class and jar)
  Perl
  Python
  PHP
  Ruby
  Shell
  Applescript
  Any other script files with a "#!" file header indicating interpreter association

Windows script files by extension only
  bat
  chm
Windows background scan file types
The following file types are scanned during a background scan on Windows endpoints.
Categories: Binary files, Calendar files, Contacts files, Corp files, Data files, Email files, Script files, User files

Binary files: dll, exe, sys, drv, scr, pif, ex_
Calendar files: ics, icbu, cal, ical, wcd, dba
Contacts files: wab, pab, mab, contact, mml, vcf, aba, na2, ldif, abbu, aby, olk
Corp files: pdf, pps, ppsm, ppsx, ppt, pptm, pptx, rtf, swf, xls, xlsx, xlsm (not yet added), xlsb (not yet added), dme, frm, ldf, mdb, mdf, myd, myi, ndf, opt
Data files: pdf
Email files: dbx, mbx, ost, pst, snm, toc
Enable WSC integration

Windows Security Center integration
Windows Security Center (WSC) requires Windows devices to have an antivirus provider. The Carbon Black Cloud is a Microsoft-certified antivirus provider for WSC. You can integrate the Carbon Black Cloud with WSC and designate the Carbon Black Cloud as your antivirus provider on devices that are running Windows 7 or later operating systems. You must be using a Carbon Black Cloud sensor version 2.1.0.11+. When enabled, the Carbon Black Cloud is listed as the antivirus provider on the device.

Enable WSC integration
The WSC integration is enabled by default via the Use Windows Security Center policy setting on the Standard, Monitored, and Advanced built-in policies. When creating custom policies, you can manually enable the WSC integration if it is not pre-selected.
1. Click Enforce, then Policies.
2. Click the policy name in the policy list on which you want to enable WSC.
3. On the Sensor tab, select the checkbox for Use Windows Security Center, then click Save.
All sensors in the selected policy will be integrated with WSC.

Disable WSC integration
1. Click Enforce, then Policies.
2. Click the policy name in the policy list on which you want to disable WSC.
3. Deselect the checkbox for Use Windows Security Center, then click Save.
All sensors in the selected policy will no longer be integrated with WSC.

Note: End users can disable or enable the WSC integration on their device through Security and Maintenance in the Control Panel.
Manage reputations
A reputation is the level of trust or distrust that is given to an application. Carbon Black reputations are based on multiple sources of known good and known bad reputations.
Assign reputations
Approve IT tools and certs
Reputation reference

Important: VMware Carbon Black is replacing the terms blacklist and whitelist with banned list and approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.
Assign reputations
Assign a reputation to an application to identify its level of trust or distrust.

To assign reputations by hash
1. Click Add and select Hash as the type.
2. Select Approved List or Banned List, as appropriate. You can also configure an automatic banned list.
3. Enter the required data, then click Save.

To manage reputations for multiple applications by adding hash
1. Click Upload.
2. Expand File Format to see the .csv file format that is allowed.
3. Click Select to browse to the .csv file, then click Upload.

Note: MD5 is not supported. The hash must be in SHA-256 format and requires six or more fields. If a field is empty, use the following format where empty fields are denoted by commas: Field1, Field2, Field4, Field6

The required fields must be in the following order: list type, indicator type, indicator value, description, application name
Where:
  list type is either banned list or approved list
  indicator type = indicator sha256
  indicator value = actual file hash (sha256 format)
  description = text to describe this entry
  application name = optional

Configure an automatic banned list
You can automatically ban applications that have a threat severity that is equal to or greater than a specified threshold.
1. Click Auto Banned List.
2. Set the threshold for the threat level. Anything equal to or greater than the defined threat level is added to the banned list.
3. Click Save.

Note: You can also ban or approve applications on the Investigate or Malware Removal pages.
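A pre-flight check for a reputation upload CSV, added here as an example and not Carbon Black's own code: it enforces the field order, list type, sha256 indicator type, SHA-256 hash format (rejecting MD5 explicitly) and the six-field minimum described above. Case-insensitive matching of list and indicator types, the duplicate-hash check, and the sample rows are assumptions and constructed data of ours.

```python
import csv
import io
import re

# Rules taken from the guide: the first five fields are, in order, list type,
# indicator type, indicator value, description, application name; list type
# is "banned list" or "approved list"; indicator type is sha256; the value is
# a SHA-256 hash (MD5 is not supported); a row has six or more fields, with
# empty fields left as empty comma-separated cells.
# Assumptions of ours: fields after the fifth are not validated, type names
# are compared case-insensitively after trimming, and a hash listed twice in
# one upload is reported as an error (it could land on both lists).
MIN_FIELDS = 6
LIST_TYPES = {"banned list", "approved list"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def validate_row(row, line_no):
    """Return a list of error strings for one CSV row (empty if valid)."""
    errors = []
    if len(row) < MIN_FIELDS:
        errors.append(f"line {line_no}: {len(row)} fields, need at least {MIN_FIELDS}")
        return errors
    list_type, ind_type, value = (f.strip().lower() for f in row[:3])
    if list_type not in LIST_TYPES:
        errors.append(f"line {line_no}: list type must be banned list or approved list, got '{row[0].strip()}'")
    if ind_type != "sha256":
        errors.append(f"line {line_no}: indicator type must be sha256, got '{row[1].strip()}'")
    if MD5_RE.match(value):
        errors.append(f"line {line_no}: indicator value looks like MD5; MD5 is not supported")
    elif not SHA256_RE.match(value):
        errors.append(f"line {line_no}: indicator value is not a 64-hex SHA-256 hash")
    return errors


def validate_csv(text):
    """Validate CSV text; return (valid_rows, errors).

    valid_rows holds (list_type, sha256, description, application_name)
    tuples with the hash lowercased so duplicates compare equal.
    """
    valid, errors, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not f.strip() for f in row):
            continue  # skip blank lines
        row_errors = validate_row(row, line_no)
        if row_errors:
            errors.extend(row_errors)
            continue
        digest = row[2].strip().lower()
        if digest in seen:
            errors.append(f"line {line_no}: duplicate hash {digest[:12]}...")
            continue
        seen.add(digest)
        valid.append((row[0].strip().lower(), digest, row[3].strip(), row[4].strip()))
    return valid, errors


# Constructed sample upload: one good row, then an MD5 hash, an old list-type
# term, and a row with too few fields. Hashes are placeholders, not real IoCs.
SAMPLE = (
    "banned list,sha256," + "a" * 64 + ",Constructed example: dropper seen on build host,dropper.exe,\n"
    "approved list,sha256,d41d8cd98f00b204e9800998ecf8427e,MD5 by mistake,tool.exe,\n"
    "blacklist,sha256," + "b" * 64 + ",Old term instead of banned list,tool.exe,\n"
    "approved list,sha256," + "c" * 64 + ",too few fields\n"
)

if __name__ == "__main__":
    good, bad = validate_csv(SAMPLE)
    print(f"{len(good)} row(s) ready to upload")
    for err in bad:
        print("reject:", err)
```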
Reputation reference
A reputation is the level of trust or distrust that is given to an application.

Important: VMware Carbon Black is replacing the terms blacklist and whitelist with banned list and approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.

Value / Definition

ADAPTIVE_WHITE_LIST (Adaptive approved list): After analysis, the hash reputation is deemed inconclusively trustworthy. It is not fully vetted and needs additional information to be fully deemed trusted across all organizations.

COMPANY_BLACK_LIST (Company banned list): Malicious or unwarranted behavior; the customer manually added a hash to the banned list. Specific to a selected organization.

COMMON_WHITE_LIST (Common approved list): After analysis, the hash reputation is deemed trusted across all organizations.

COMPANY_WHITE_LIST (Company approved list): A console administrator has explicitly approved this application or hash.

KNOWN_MALWARE (Known malware): Reputation is determined from analytics and intelligence feeds; the hash is Known Malware.

NOT_LISTED (Not Listed): The sensor requested reputation from the backend, but the backend does not have the hash on any internal lists. Typically this means the hash is new. No information is available to determine the reputation from analytics and intelligence feeds. This reputation helps protect against zero-day malware and is frequently assigned to new hashes/updated applications.

PUP (Potentially Unwanted Program): Reputation is determined from analytics and intelligence feeds; the application or hash is a PUP such as adware or popups.

SUSPECT_MALWARE (Suspect Malware): Reputation is determined from analytics and intelligence feeds; the application or hash is Suspect Malware.

TRUSTED_WHITE_LIST (Trusted approved list): Reputation is determined from analytics and intelligence feeds; the hash is Known Good as determined by the Carbon Black Cloud and/or the Carbon Black Cloud Sensor.

UNKNOWN: The sensor has not yet sent the reputation request. Typically this means that the sensor cannot reach the backend.
About adding to approved list
Adding to the approved list approves the presence and actions of specified applications. Adding to the approved list is "global" in its effects and applies to all policies attached to a particular version of an application. To approve the presence and actions of an application only on a specific device, use permission rules instead.

Tip: Routinely update your approved applications to account for new versions. Permission rules do not need to be updated, as the permission is added by path or application name.

Benefits of approving IT tools and certs
- Minimized performance impact when IT tools drop large amounts of new code that are immediately executed.
- For IT tools, no interference with new code execution. The dropped code is not blocked, even with stricter preventative policy rules in place.
- For certs, no blocking on initial execution of files signed with specific certificates.

Adding to the approved list is not absolute, in order to prevent exploitation. Deferred analysis of new code occurs in the background as it executes. If files are known malware, configured policy enforcement rules act on them after initial execution.

Tip: Use adding to the approved list for use cases such as software deployment tools, executable installers, IDEs, compilers, or script editors.

Reputations that supersede approved IT tools and certificates:
  Company Black
  Company White
  Known Malware
  PUP Malware
  Suspect Malware
  Trusted White

Using wildcards
When adding the path, you can use wildcards to target certain files or directories. Be as specific as possible when approving certs, as using wildcards can lead to incidentally approving malicious software that appears to be signed by a trusted certificate authority.
Wildcard: *
Description: Matches 0 or more consecutive characters up to a single subdirectory level.
Example: C:\program files*\custom application\*.exe
Approves any executable files in:
  c:\program files\custom application
  c:\program files (x86)\custom application

Wildcard: **
Description: Matches a partial path across all subdirectory levels and is recursive.
Example: C:\Python27\Lib\site-packages\**
Approves any files in that directory and all subdirectories.

Wildcard: ?
Description: Matches 0 or 1 character in that position.
Example: C:\Program Files\Microsoft Visual Studio 1?.0\**
Approves any files in the MS Visual Studio version 1 or versions 10-19.
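A matcher for the three wildcards in this table (and in the identical table under "Using wildcards in paths" for prevention rules), added here as an example of ours rather than Carbon Black's code, so a rule author can check which existing rules already cover a given path before approving or bypassing it. Case-insensitive matching, treating both "\" and "/" as separators, and whole-path (not prefix) matching are our assumptions.

```python
import re

# Semantics taken from the wildcard table:
#   *   0 or more characters, never crossing a directory separator
#   **  any characters across all subdirectory levels (recursive)
#   ?   0 or 1 character in that position
# Assumptions of ours: matching is case-insensitive, "\" and "/" are both
# separators, and a rule must match the whole path, not only a prefix.
SEPARATORS = r"\\/"  # backslash and slash, as used inside a regex class


def wildcard_to_regex(pattern: str) -> str:
    """Translate a rule path containing *, ** and ? into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")                    # recursive: may span separators
            i += 2
        elif pattern[i] == "*":
            parts.append(f"[^{SEPARATORS}]*")     # stays within one level
            i += 1
        elif pattern[i] == "?":
            parts.append(f"[^{SEPARATORS}]?")     # optional single character
            i += 1
        elif pattern[i] in "\\/":
            parts.append(f"[{SEPARATORS}]")       # accept either separator
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def path_matches(pattern: str, path: str) -> bool:
    """Return True if the file path is covered by the rule pattern."""
    return re.fullmatch(wildcard_to_regex(pattern), path, re.IGNORECASE) is not None


def matching_rules(rules, path):
    """Return the rule patterns that cover a given path (for rule review)."""
    return [rule for rule in rules if path_matches(rule, path)]


if __name__ == "__main__":
    # The table's three examples, checked against constructed paths.
    rules = [
        r"C:\program files*\custom application\*.exe",
        r"C:\Python27\Lib\site-packages\**",
        r"C:\Program Files\Microsoft Visual Studio 1?.0\**",
    ]
    for p in [
        r"c:\program files (x86)\custom application\app.exe",
        r"c:\program files\custom application\sub\app.exe",  # crosses a level: no match
        r"C:\Python27\Lib\site-packages\pkg\mod.py",
        r"C:\Program Files\Microsoft Visual Studio 14.0\VC\bin\cl.exe",
    ]:
        print(p, "->", matching_rules(rules, p))
```

Note that "?" accepts any single character, so "1?.0" also covers a folder such as "1x.0"; the table's "versions 10-19" describes the intended use, not a digit-only restriction.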
Approve IT tools and certificates
Approve IT tools
Approve certs

Adding a specific application to your company approved list can help eliminate unwanted alerts or lower the relative threat level for such alerts. Learn more about adding to the approved list, when to use it, and how it differs from permission rules.

Approve IT tools
Approve IT tools to assign an initial elevated trust to code that is dropped by known IT tools.

To approve IT tools
1. Click Add and select IT Tools as the type.
2. Add the path of the IT tool that drops code, should receive initial trust, and is allowed. (Example: Trusted_Installer.exe.)
3. Select Include all child processes. If selected, files dropped by child processes of the IT tool that is defined in the Path field also receive the initial trust. This is useful when IT tools create a child process to delegate work to, and the child process represents a generic executable, such as a copy command.
4. Enter a Comment, then click Add.

Approve certs
Approve certs to assign an initial elevated trust to code signed by specific trusted certificates. To use this functionality, a file must be signed and verified by a valid certificate, and the certificate subject and authority must be configured in the Cert rule.

To approve certificates
1. Click Add and select Certs as the type.
2. Enter the certificate under Signed by.
3. Enter the Certificate Authority and a Comment, then click Save.

Note: Certs added to the approved list are assigned the LOCAL_WHITE reputation and are not stalled for static analysis or cloud reputation as they are executed.
Malware removal
Use the reputation of an application to identify malware. Look for applications with the KNOWN_MALWARE, SUSPECT_MALWARE, or PUP reputations. All historical malware data from the past six months displays on the Malware Removal page under the Detected or Deleted tabs. When an item is added to the company approved list or company banned list, or its reputation is overridden, the item will be removed from the Malware Removal page.

Detected malware
Malware can exist on an endpoint even if the malware is prevented from running. This tab displays all files scanned and classified as KNOWN_MALWARE. Search for specific malware by hash or filename using the Search box. If you are unable to find the hash on this page, you can delete the file by searching for the hash on the Investigate page and clicking the Take Action button on the appropriate event.

Auto-delete known malware
Enable a policy to automatically delete known malware within a specified time frame.

To auto-delete known malware:
1. Click Enforce, then Policies.
2. Select a policy. On the Sensor tab, click the box for Auto-delete known malware hashes after.
3. Select a time frame, then click Save.

After the policy setting is enabled, all new, executable malware is deleted at the end of the selected time frame. Auto-delete does not delete files that are signed by Microsoft, Carbon Black files, or files that have had their hashes changed.

Deleted malware
After malware is deleted, it is removed from the Detected tab and moved to the Deleted tab. If you attempt to delete a file that has any reputation other than KNOWN_MALWARE, you must confirm the deletion twice. All deleted malware files are permanent and cannot be restored. Use the audit log to see deleted malware, malware scheduled for deletion, and admin actions. Search the Audit Log for the hash you requested deletion of to see other events associated with the hash.
Cloud Analysis
You can help improve security efficacy by enabling additional analysis of unknown binaries by a third-party partner. The local scanner must be turned on and you must be using sensor version 3.2 or above.

To enable cloud analysis
1. Click Enforce, then Policies.
2. Select the policy for which to enable cloud binary analysis.
3. Select the checkbox for Submit unknown binaries for analysis.
4. Confirm that you are opting in to share data with Carbon Black and a third party, then click Save.

Important: If you opt in to this functionality, the binary files (including the content of the files) are uploaded to Carbon Black for analysis. Carbon Black uses a third-party vendor, Avira Operations GmbH & Co. KG ("Avira"), as a sub-processor to assist with the threat analysis. The binary files are sent to Avira's network. Avira only processes the data to meet Carbon Black's obligations under the applicable agreement and for no other purpose. Avira has implemented appropriate security and operational methods that are designed to secure the data, and will comply with all applicable data privacy laws when processing the data. The information will be processed by Avira in their US or EU data centers. In the course of using the services, you shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership or right to use and transfer to Carbon Black all such data. You can view Carbon Black's privacy policy at https://www.carbonblack.com/privacy-policy/ (which is modified by Carbon Black from time to time).
Endpoints Overview
A Carbon Black Cloud sensor is installed on every endpoint that the Carbon Black Cloud protects. The sensor communicates with Carbon Black analytics and the Carbon Black Cloud console. On the Endpoints tab, view the current status of your organization's endpoint sensors. On the Sensor Update Status tab, view the progress and results of updated sensors.

Sensor Details, Sensor Groups, and Live Response
Organize your sensors into groups and view the status and details of sensors.
  Sensor status and details
  Signature version status
  Create sensor groups
Access and use Live Response to perform remote investigations and remediate threats.
  Use Live Response
  Live Response Commands Reference

Sensor Management
Install Sensors: Install the Carbon Black Cloud sensor on the devices in your organization.
  Send a sensor installation request email
  Install sensors on the command line
Update Sensors: Update sensors to their newest versions to ensure you have access to the latest features and improvements.
  Update sensors in console
  Update sensors on the command line or using deployment tools
  View updates on Sensor Update Status tab
Uninstall Sensors: Uninstall sensors and require a code to uninstall sensors to prevent unwanted uninstalls and sensor tampering.
  Uninstall sensors in console
  Uninstall sensors on the command line
  Require code to uninstall sensors
Sensor statuses and details
All deployed sensors are displayed in the table by default. Select a sensor group on the left to view only sensors in that particular group. View additional sensor information by clicking the > next to a sensor name. If a sensor is not a member of a sensor group and was manually assigned a policy, it is listed as Manually assigned. If the sensor metadata does not match any group criteria, it is listed as Unassigned.

Sensor status
The Status column is used to indicate the state of a sensor's installation or activeness, as well as any admin actions taken on the sensor. As such, this column may contain multiple icons to indicate the state of a sensor.

Installation/Active states
  Active: Sensors have checked in within the last 30 days
  Deregistered: Sensors have been deregistered or uninstalled; they will persist on the Endpoints page in this status until removed
  Eligible for update: Sensors can be updated to the most current, available sensor version
  Errors: Sensors are reporting errors
  Inactive: Sensors have not checked in within the last 30 days
  Pending: Sensors have not yet been installed following an installation request email sent to a user

Admin action states
  Bypass: Sensors have been put into Bypass mode by an admin; all policy enforcement on the device is disabled and the sensor will not send data to the cloud. Sensors also momentarily enter Bypass mode during a sensor update.
  Quarantine: Sensors have been put into Quarantine mode and are isolated from the network to mitigate spread of potentially malicious activity

User column
The User column displays certain user data based on OS and sensor version:
  macOS 3.3.2+ versions display the last active user logged in on the device
  Windows 3.5+ versions display the last active user logged in every 8 hours; if there is no interactive user logged in within the 8 hour window, you may get a non-interactive user name such as "Window Manager\DWM-2"
  All other previous macOS and Windows versions display the user who installed the sensor
  All Linux versions are intentionally left blank, as multiple, simultaneous logged-in users and desktop users are possible
View and update signature versions
The status of each sensor signature version is displayed in the Sig column. This feature is not available for macOS or Linux sensors. Configure local scan settings from the Local Scan tab on the Policies page to enable automatic updates for sensor signature versions. Local scan settings are only supported by Windows sensor versions 2.x+.

Signature version status
  Circle: Signature version is currently in date. Sigs display as in date if the signature version installed was released within 7 days of the current date.
  Triangle: Signature version is out of date. Sigs display as out of date if the signature version installed was not released within 7 days of the current date.
  Square: Signature version is not yet reported or unidentifiable. Sigs may display as not yet reported if local scan is not configured or if the sensor encountered an error after local scan was configured, such as a connectivity issue.
Create sensor groups
Create sensor groups to apply policy settings across several sensors at once. New endpoints in a sensor group will automatically be protected by the policy associated with that sensor group. New sensors are automatically assigned to a single policy based on the metadata that is associated with the sensor and the criteria that you define. If a sensor does not match the criteria of an existing sensor group, it will be automatically assigned to the Standard policy. Sensor groups and auto-assign are only available for Windows v3.1+, macOS v3.2+, and Linux v2.5+ sensor versions.

To add a sensor group
1. Click Add Group.
2. Enter a unique name for the group and specify the criteria by which sensors are added to the group, then click Save.
3. Click Edit to reorder your list of sensor groups, as needed. Sensors that match multiple sensor groups based on criteria are added to the first sensor group that displays on the page.

Note: When setting subnet criteria for sensor groups, CIDR notation is not supported.

To configure auto-assign of policies to sensors
1. Search and select sensors.
2. Click Take Action, then Assign policy.
3. Select the new policy in the dropdown menu or turn auto-assignment of policies ON or OFF, then click Save.

Note: Only sensors that match all of the criteria of a sensor group are added to that group; therefore, sensor group assignments are not permanent. If a sensor no longer meets a group's criteria, it will be moved to another group it matches or be assigned the Standard policy. You can change the match all criteria setting by clicking the dropdown menu for the relevant sensors and enabling an OR condition or changing the all setting to any.
Use Live Response
Use Live Response to perform remote investigations, contain ongoing attacks, and remediate threats using a command line interface.
Enable or disable Live Response
Initiate a session
End a session
Live Response activity logging
Live Response commands reference

Enable or disable Live Response
To use Live Response, users must be assigned a role with Live Response permissions in the Carbon Black Cloud. Live Response is available on endpoints running a version 3.0 or later sensor and which have been assigned a policy with Live Response enabled.

To enable or disable Live Response by policy
1. Click Enforce, then Policies.
2. Select a policy group.
3. In the Sensor tab, select or deselect the Enable Live Response checkbox as applicable, then click Save.

To disable Live Response by endpoint
1. Click Endpoints and select the sensors.
2. Click Take Action, then Disable Live Response, and confirm the action.

Note: You can also disable Live Response during a command line sensor installation by using the DISABLE_LIVE_RESPONSE option.

Initiate a Live Response session
When you activate Live Response, you create and attach to a session. Up to 100 sessions can be running simultaneously, and multiple users can be attached to the same session. Each session is limited to 250 commands. Live Response can be used on devices in bypass mode or quarantine.

To initiate a Live Response session
1. Click Endpoints and select the sensor. You can also initiate a Live Response session on the Alerts, Alert Triage, and Investigate pages.
2. In the Take Action column, click the >_ to start a Live Response session. On other pages, click the Take Action button to select the start a Live Response session option.
3. Click in the command window area and type the help command to view a list of available commands, or use the Live Response commands reference. Type help commandname to get help about a specific command.
Note: If more than one user submits a command through the session at approximately the same time, each command must finish executing before the next one can begin. One user can undo or otherwise modify what another user is doing.

Live Response command window status indicator
The command window is color-coded to denote a particular status and message.
  Green: The sensor is connected and a session is established. The host name for the endpoint displays.
  Yellow: The CB backend is waiting for the sensor to check in, or no endpoint is connected because no session is attached.
  Red: A session cannot be established with the sensor because the endpoint is offline, the sensor is disabled, or the sensor version does not support Live Response.

End a Live Response session
You can leave or terminate a Live Response session.
  Click End my session to leave your session. Other users attached to the session will remain until the session is terminated.
  Enter the command detach to leave your session. Other users attached to the session will remain until the session is terminated.
  Enter the command detach -q to terminate the session. Any other users attached to the session will also be detached.
By default, sessions time out after five minutes of inactivity.

Live Response activity logging
Live Response activity is logged on accessed sensors and the Carbon Black Cloud backend. Commands executed during a session for any accessed sensors are logged in the cblr.log file, located in the sensor installation folder on the endpoint.
Live Response commands

Live Response supports the keyboard paste option. Use ctrl+v or cmd+v to paste into the terminal.

Command reference

cd [dir]
  Change the current working directory. Options include absolute, relative, drive-specific, and network share paths.

clear
  Clear the console screen; you can also use the cls command for this purpose.

delete [path]
  Delete the file specified in the path argument. The file is permanently deleted; it is not sent to the Recycle Bin.

detach
  Detach from the current Live Response session. If a session has no attachments, it remains live until it times out (five minutes by default). The same action is performed by the End my session button.

detach -q
  Terminate the current Live Response session. If a session has other users attached, these users will also be detached from the session.

dir
  Return a list of files in the current directory.

drives
  List the drives on the remote endpoint. This is for Windows only.

exec [processpath]
  Execute a background process specified in the processpath argument on the current remote endpoint. By default, process execution returns immediately and output goes to stdout and stderr. Options can be combined:
  exec -o outputfile processpath: Redirect the process output to the specified remote file, which you can download.
  exec -w processpath: Wait for the process to exit before returning.
  You can combine the options as shown in the following example to execute a script and capture its output:
  exec -o c:\output.txt -w c:\scripts\some_script.cmd
  You must provide the full path to the process for the processpath argument, for example c:\windows\system32\notepad.exe.

execfg
  Execute a process on the current remote endpoint and return stdout/stderr.
  execfg -o: Write temporary command output to a remote file. Launch a process on the remote endpoint, wait for it to complete, and return stdout/stderr. Use -o to write the stdout and stderr content to a specific file before returning it to the Live Response session.

get [path]
  Obtain the file specified in the path argument from the remote endpoint and download it to the local endpoint.

help
  Show the Live Response session commands with a brief description of each. If a command name is added, show the description of the specified command, with additional details (such as options) if available. For example: help dir

kill
  Terminate the specified process.

memdump [filepath]
  Take a full system memory dump and store it to the given file path, which must include a file name. Memory dumps can take several minutes, and an (*) icon in the Live Response window indicates that it is still in progress. This is for Windows only.

mkdir
  Make a directory on the remote endpoint.

ps or tasklist
  Obtain a list of processes from the remote endpoint. Analysis information for a newly discovered process might not yet be fully committed to the Carbon Black Cloud database and therefore not viewable.

put [remotepath]
  Put a file from the local endpoint onto the remote endpoint at the specified path. You specify the file in the Open dialog of the browser after the command is entered in Live Response.

pwd
  Print the current working directory.
reg
  View or modify Windows registry settings (Windows endpoints only). The syntax of this command is: reg [action] [key] [options]
Send sensor installation request email

You can invite users to download a Carbon Black Cloud sensor by sending an installation request email. The installation code will expire after seven (7) days. This method is useful when you have a small number of sensors to install, or when software distribution tools are not available.

Notes:
This method is not available for Linux sensors; use command line installation instead.
With the release of the Windows 3.6 sensor, you can supply either the installation code or the company code to install the sensor.

Invite users to install sensors
1. Notify end users that they will receive an installation request email from noreply@carbonblack.com. See our sample email template below.
2. Click Sensor Options in the top right, then Send installation request.
3. Enter the end users’ email addresses, then click Send. End users must have administrative privileges on their own endpoint to install the sensor.
4. In the email, end users will click on the appropriate OS installer link to download the sensor.
5. When prompted during installation, end users will enter the Activation Code included in the email. This code expires in 7 days.

Note: If a user's installation code has expired, you can select the sensor from the table, click Take Action, and then Send new installation code.

Sample email template

Hello,
You'll receive an email from noreply@carbonblack.com inviting you to install a Carbon Black Cloud sensor on your endpoint device. If you don’t see this email, please check your junk folder. Click on the appropriate installer link for your operating system to install the sensor. If you're using a Windows OS, we recommend that you select the [32/64] bit option. During installation, you’ll be asked to input the Activation Code included in the email. We recommend that you copy and paste this code into a plain text editor, then copy and paste it into the installer. The code will expire in one week.
Update selected sensors in console

Update sensors on selected endpoints through the Carbon Black Cloud console. After initiating updates to sensors, you can view the progress of the updates on the Sensor Update Status tab on the Endpoints page.

Alternative update methods:
1. Update a sensor by double-clicking the new installer package, by issuing a command on the command line, or by pushing the command line script through a tool like SCCM. Standard command line options are applicable. Note that the command line options from the first install persist across upgrades. See Update sensors on command line.
2. Reinstall sensors using either installation method: send an installation request email via the console, or install sensors on the command line.

Important: If you are upgrading to the Windows 3.6 sensor, see Configure a firewall.

Updating sensors

You can select up to 10,000 sensors to update at one time. After you initiate sensor updates, the selected sensors receive the message to update the next time they check in with the Carbon Black Cloud backend. The system allows up to 200 concurrent updates. When an individual sensor completes its update process, a new sensor is signaled to start its update.

To update selected endpoints
1. On the Endpoints page, select the box next to the sensor(s) you want to update.
2. Click Take Action, then Update Sensors.
3. Confirm the number of sensors you wish to update.
4. Select the desired sensor version from the Version dropdown menu associated with the endpoints' operating systems.
5. Select the checkbox to acknowledge that devices might be rebooted, then click Update.
View status of sensor updates

After initiating sensor updates, view the progress of your updates on this tab. You can select up to 10,000 sensors to update at one time. After you initiate sensor updates, the selected sensors receive the message to update the next time they check in with the Carbon Black Cloud backend. Up to 200 sensor update entries will appear on the page. View the Audit Log for a record of all sensor updates.

View progress of sensor updates
View results of sensor updates

To initiate sensor updates, use any of the following methods:
1. Update sensors on selected endpoints through the Carbon Black Cloud console. See Update sensors in console.
2. Reinstall sensors using either installation method: send an installation request email via the console, or install sensors on the command line.
3. Update a sensor by double-clicking the new installer package, by issuing a command on the command line, or by pushing the command line script through a tool like SCCM. Standard command line options are applicable. Note that the command line options from the first install persist across upgrades. See Update sensors on command line.

View progress of sensor updates

Sensor updates are prioritized first by the size of the request, from the smallest to the largest number of sensors, and then by the date of the request, from oldest to newest. This means that update requests with a lower total number of sensors take priority over requests with a larger total number of sensors. The system allows up to 500 individual sensors to concurrently begin the update process. Each individual sensor that is hinted to begin its update process is counted as part of the 500 limit. When an individual sensor completes its update process successfully, or returns an error, a new sensor is hinted to start its update process. To stop a processing or pending update request, click the Stop icon in the Actions column.

Note: The completion of large update requests may be delayed if subsequent, smaller requests follow. Of the 500 concurrent sensors available to update at a time, sensors from smaller requests are given priority for update over sensors from larger, processing requests.

Sensor Update Statuses

The progress of a sensor update is indicated by the Status column, along with an accompanying progress bar.
Pending: The update has been requested but has not begun to process; corresponds with the Requested column timestamp.
Processing: The update is currently in progress; updates will automatically time out after two weeks.
Completed: All sensors in the update have either succeeded or failed; corresponds with the Completed column timestamp.
Stopped: The update has been cancelled; stopped updates cannot be restarted, a new update must be made.

Note: Processing updates will automatically time out after two weeks. Time outs occur even if the sensor has been hinted for an update but has not successfully completed it. Typically, sensors that have not updated due to a time out show the "Sensor unresponsive" error, indicating the sensor could not be reached for update within the two week period.

View results of sensor updates

Once an update begins to process, the number of successful or failed sensor updates begins to populate the Updated and Errors columns of the table. When completed, the sum of successful updates and any failed updates matches the initial number of sensors requested for update in the Sensors column.

View Updated Sensors
Click the hyperlinked number of successfully updated sensors in the Updated column to view the updated sensors on the Endpoints tab. A hyperlink only appears if an update request is either "Completed" or "Stopped" and the number of updated sensors is fewer than 500.

Export Results
In the Actions column, click the Export icon to download a CSV file of any "Completed" or "Stopped" update request. Use the CSV file to view the full results of updates, including updates with more than 500 sensors. The file contains useful information about your updates, including the Device IDs of all requested sensors, their initial and updated sensor versions, and the reason for any update failure.

View Failed Sensors and Errors
Click the hyperlinked number of failed sensors in the Errors column to view the failed sensors on the Endpoints tab. A hyperlink only appears if an update request is either "Completed" or "Stopped" and the number of failed sensors is fewer than 500.

If an update contains failures, click the caret on the left of the row in the table to view a summary of failure reasons. Sensors may fail due to:
Sensor unresponsive: The sensor was offline or failed to check in with the system during the timeframe of the update.
No sensor found: The sensor could not be found. This is most likely due to the sensor having been deregistered.
Update stopped by user: The update request was stopped by a user in the console before the sensor could update.
Update error: The sensor failed to upgrade to the targeted version.
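The prioritization rule above (smallest request first, then oldest, with a cap on how many sensors are hinted at once) is easiest to see in a small simulation. This is an added example, not Carbon Black code; the per-tick completion model, request names and sizes are constructed, and `capacity` stands for the 500-sensor limit the guide describes.

```python
"""Simulation of the sensor update prioritization rule described in the guide.

Pending requests are served smallest-first, then oldest-first, and at most
`capacity` sensors are hinted to update at the same time. Sensor completion is
modelled as a fixed number of sensors finishing per tick per request; that
model and the request sizes are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UpdateRequest:
    name: str
    requested_at: int        # ordering key; the guide orders by request date
    sensors: int             # total sensors requested (the "Sensors" column)
    hinted: int = 0          # sensors hinted to begin updating so far
    updated: int = 0         # sensors that completed (the "Updated" column)
    status: str = "Pending"  # Pending / Processing / Completed
    completed_at: Optional[int] = None

    @property
    def pending(self) -> int:
        return self.sensors - self.hinted

    @property
    def in_flight(self) -> int:
        return self.hinted - self.updated


def priority(req: UpdateRequest) -> Tuple[int, int]:
    # Smallest request first, then oldest request first.
    return (req.sensors, req.requested_at)


def hint_sensors(requests: List[UpdateRequest], capacity: int) -> None:
    """Fill free slots from the highest-priority requests that still have pending sensors."""
    free = capacity - sum(r.in_flight for r in requests)
    for req in sorted(requests, key=priority):
        if free <= 0:
            break
        take = min(free, req.pending)
        if take > 0:
            req.hinted += take
            req.status = "Processing"
            free -= take


def simulate(arrivals: Dict[int, List[Tuple[str, int]]], capacity: int,
             per_tick: int, max_ticks: int = 10_000) -> List[UpdateRequest]:
    """Run the simulation.

    `arrivals` maps a tick to the (name, sensors) requests submitted at that tick.
    Each tick, every request with sensors in flight completes up to `per_tick`
    of them (constructed completion model), then free slots are re-hinted, so a
    smaller request arriving later jumps ahead of a larger one already running.
    """
    requests: List[UpdateRequest] = []
    for tick in range(max_ticks):
        for name, size in arrivals.get(tick, []):
            requests.append(UpdateRequest(name, tick, size))
        for req in requests:
            req.updated += min(per_tick, req.in_flight)
            if req.updated == req.sensors and req.status != "Completed":
                req.status = "Completed"
                req.completed_at = tick
        hint_sensors(requests, capacity)
        if requests and all(r.status == "Completed" for r in requests):
            break
    return requests


def completion_order(arrivals: Dict[int, List[Tuple[str, int]]],
                     capacity: int = 500, per_tick: int = 50) -> List[str]:
    """Names of the requests in the order they complete (incomplete ones last)."""
    done = simulate(arrivals, capacity, per_tick)
    key = lambda r: (r.completed_at if r.completed_at is not None else 10**9, r.requested_at)
    return [r.name for r in sorted(done, key=key)]


if __name__ == "__main__":
    # A 2,000-sensor request submitted first, then a 100-sensor request one tick later.
    order = completion_order({0: [("big", 2000)], 1: [("small", 100)]})
    print("completion order:", order)  # the later, smaller request finishes first
```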
Column descriptions

Requested: The date and time of the initial update request.
Completed: The date and time of the finished update; an update can show in this status even if it contains both successful and failed sensor updates.
Status: The progress of a sensor update. The status of an update can be Pending, Processing, Completed, or Stopped.
Sensors: The total number of sensors requested for update.
Updated: The number of successfully updated sensors; this number changes as more sensors are successfully updated, until the update has completed or been stopped.
Errors: The number of sensors that have failed to update; this number changes as more sensors fail to update, until the request has completed or been stopped.
Actions: Click the Stop icon to stop a processing or pending request. When updates are completed or stopped, click the Export icon to download a CSV file to view the full results of the update request.
Uninstall sensors

Uninstalled sensors persist on the Endpoints page in the Carbon Black Cloud as a deregistered device until manually or automatically removed. You can restrict the action of uninstalling sensors by requiring a unique, randomly-generated code. You can also uninstall sensors using the command line.

To uninstall sensors from the Endpoints page
1. Search for and select the sensors to uninstall.
2. Select the checkbox in the table header to select all displayed devices, or select individual devices in the displayed list.
3. Click Take Action, then Uninstall.

To remove deregistered devices
1. Filter the list of sensors to show only deregistered sensors, then select the sensors to delete.
2. Click Take Action, then Delete deregistered devices.
3. Automatically remove deregistered devices by clicking Sensor Options, Sensor settings, then Auto-delete deregistered sensors. Set the specified time frame, then click Save.
Require uninstall sensor code

We recommend requiring a randomly-generated code to restrict uninstalling sensors. To prevent unwanted uninstalls and to stop malware from tampering with sensor connectivity, enable this setting for each policy.

Note: You must have v3.1+ sensors to enable this setting.

To require a code to uninstall a sensor at the endpoint
1. Click Enforce, then Policies.
2. Select the policy, click the Sensor tab, click Require code to uninstall sensor, then Save.
3. View the uninstall sensor code by clicking the > next to the sensor. The uninstall code displays below the sensor data.

You can also generate a company deregistration code to uninstall any sensor in your organization.

To generate a company deregistration code
1. Click Endpoints, Sensor Options, then Company codes.
2. Under Deregistration Code, click Generate New Code.

Note: Only macOS and Windows sensors can be uninstalled with a company deregistration code. Uninstall Linux sensors by using the command line.

Warning: The company deregistration code can be used to uninstall all sensors in your organization. If you do not want a single code that can be used across your organization, do not generate the company deregistration code.
Workspace ONE

Visit VMware Docs - VMware Workspace ONE UEM (https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/index.html) for comprehensive documentation about configuration and setup.

Configure Workspace ONE Sensor Kit
1. In the Carbon Black Cloud console, click Endpoints in the left navigation bar.
2. Click Sensor Options, then Configure Workspace ONE sensor kit.
3. Select the sensors for the operating systems you are configuring with Workspace ONE.
4. Click Upload File to select and upload a configuration file in .ini format to specify how sensors will operate on endpoints.
5. Click Generate URL.

See Enroll through Command Line Staging (https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Windows_Desktop_Device_Management/GUID-AWT-ENROLL-STAGECOMMAND.html) and Silent Enrollment Parameters and Values (https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Windows_Desktop_Device_Management/GUID-AWT-ENROLL-SILENTCOMMANDSWD.html) for additional information.
USB Devices

Gain visibility and control over USB devices detected in your environment. Review USB devices, create approvals for trusted devices, and manage approvals. Approvals are global and blocking is enabled by policy. First approve USB devices, then block access to all unapproved devices on the Policies page. This ensures that any device you have not approved is blocked.

Approve USB devices
Block USB devices
Monitor USB device alerts

Approve USB devices

View all detected USB devices on the USB Devices tab. Review when the device was first and last seen, its approval status, the last endpoint it was seen on, the policy associated with the last endpoint, and the number of policies with blocking on or off.

You can approve devices on the USB Devices tab as well as the Approvals tab. On the USB Devices tab, you can approve either multiple detected devices or a single device. On the Approvals tab, you can upload a CSV file to add multiple devices, create approvals for vendors and products, or approve a specific device.

Vendor and product IDs are device-generated 16-bit hexadecimal numbers (e.g., 0xC123) used to identify USB devices. You’ll need these IDs to approve vendors and products, and a serial number to create a specific approval.

To approve devices on the USB Devices tab:
1. Select multiple devices and click Approve to create approvals for multiple USB devices.
2. Click Approve under the Approval Status column to approve a specific USB device.
3. Device information like Vendor ID, Product ID, and Serial Number will be pre-filled for a USB device detected in your environment. Add Additional Details like the name of the approval and notes.
4. Click Save to add the approval.
5. Once saved, the Approval Status changes to Approved, and you can view the approval under the Approvals tab.

To add multiple USB devices for approval:
1. On the Approvals tab, click Upload CSV.
2. Download the template for reference, or click Upload file and add a CSV file.
3. The file must include vendor_id, product_id, and serial_number. Optionally, you can also include approval_name and notes.
4. Click Upload to add approvals for all USB devices listed in the CSV file.

To approve devices on the Approvals tab:
1. Click Add Approval to create an approval for a device type or a specific device.
2. Add new Vendor and Product IDs, or select from IDs detected in your environment. Add Additional Details like the name of the approval and notes.
3. To create a specific approval, also include the Serial Number.
4. Click Save to add the approval.

Once you approve the USB devices, enable blocking of unapproved devices on the Policies page. All devices are allowed until blocking is enabled.

Block USB devices

All detected USB devices are allowed access until you block unapproved devices on the Policies page. To allow the use of USB devices in your organization, first approve authorized devices and then enable blocking of unapproved devices on the Policies page.

To block all unapproved USB devices:
1. On the Policies page, click the Prevention tab, and open USB Device Blocking.
2. Turn on blocking by selecting Block access to all unapproved USB devices.
3. To apply the same setting to all policies or a specific set of policies, click Copy setting to other policies.

Monitor USB device alerts

If an end user attempts to access a blocked USB device, a deny policy action is triggered, resulting in an alert. View device control alerts on the Alerts page.

To manage USB Device Control alerts:
1. On the Alerts page, filter results by selecting USB Device Control in the Type filter.
2. Double-click an alert or click the > to the right of the Actions column to view the expanded right-side panel. In this panel, view device details like vendor ID, product ID, and serial number.
3. Click Approve to approve a blocked USB device, or go to the USB Devices Inventory page to view all devices detected in your environment.
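A pre-upload check for the approvals CSV described above, as an added example that is not Carbon Black code: it verifies that the required vendor_id, product_id and serial_number columns are present, accepts the optional approval_name and notes columns, and checks that each ID is a 16-bit hex value. The 0x-prefixed upper-case form it normalises IDs to, and the sample rows, are assumptions made for illustration.

```python
"""Validate a USB approvals CSV before uploading it on the Approvals tab.

The guide states the CSV must contain vendor_id, product_id and serial_number,
may contain approval_name and notes, and that vendor/product IDs are 16-bit
hexadecimal numbers such as 0xC123. Which ID spelling the console accepts is
not stated, so this checker assumes an optional 0x prefix and normalises every
ID to 0xXXXX; that normalisation is an assumption, not documented behaviour.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

REQUIRED = ("vendor_id", "product_id", "serial_number")
OPTIONAL = ("approval_name", "notes")
HEX16 = re.compile(r"^(?:0x)?([0-9a-fA-F]{1,4})$")


def normalise_id(value: str) -> str:
    """Return a 16-bit ID as 0xXXXX, or raise ValueError if it is not one."""
    m = HEX16.match(value.strip())
    if not m:
        raise ValueError(f"not a 16-bit hex ID: {value!r}")
    return "0x" + m.group(1).upper().zfill(4)


def validate_approvals_csv(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (approvals, errors).

    approvals: one dict per valid row, with normalised IDs and trimmed fields.
    errors: human-readable problems, one per bad row or header issue. A row
    with any problem is excluded from approvals so nothing half-valid ships.
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = [c for c in REQUIRED if c not in headers]
    if missing:
        return [], [f"missing required column(s): {', '.join(missing)}"]
    errors: List[str] = []
    unknown = [c for c in headers if c not in REQUIRED + OPTIONAL]
    if unknown:
        errors.append(f"unknown column(s) ignored: {', '.join(unknown)}")
    approvals: List[Dict[str, str]] = []
    seen = set()
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            vid = normalise_id(row["vendor_id"] or "")
            pid = normalise_id(row["product_id"] or "")
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        serial = (row["serial_number"] or "").strip()
        if not serial:
            errors.append(f"line {lineno}: serial_number is empty")
            continue
        key = (vid, pid, serial)
        if key in seen:
            errors.append(f"line {lineno}: duplicate of an earlier row {key}")
            continue
        seen.add(key)
        approvals.append({
            "vendor_id": vid,
            "product_id": pid,
            "serial_number": serial,
            "approval_name": (row.get("approval_name") or "").strip(),
            "notes": (row.get("notes") or "").strip(),
        })
    return approvals, errors


# Constructed sample input; IDs, serials and names are made up for illustration.
SAMPLE_CSV = """vendor_id,product_id,serial_number,approval_name,notes
0x0781,0x5581,4C530001230405,Corporate drive,issued by IT
c123,0x4567,ABC123,,
0x0781,0x5581,4C530001230405,Duplicate row,should be flagged
0xZZZZ,0x0001,BADID,Bad vendor ID,
0x0781,0x0002,,Missing serial,
"""

if __name__ == "__main__":
    ok, problems = validate_approvals_csv(SAMPLE_CSV)
    print(f"{len(ok)} valid approval(s), {len(problems)} problem(s)")
    for problem in problems:
        print(" -", problem)
```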
General Settings

Define the boundaries of your organization’s premises to determine which endpoints are on- or off-premises at the time of an event. Set the required registry key for compatibility with a Windows update.

Define premises
Set registry key for Windows update
Define premises

A device can be considered on-premises if it meets at least one of the following conditions:
The device has a relevant Fully Qualified Domain Name (FQDN) registered on the network adapter.
The device has a relevant IP address registered on the network adapter.
A home network or remote network device has a matching FQDN or IP address in Reachable Hosts. This means the device is considered on-premises even when it is actually off-premises.

To define premises
1. Click Settings, then General.
2. Add your domain in the DNS suffix textbox, then click Add.
3. Alternatively, add a reachable host, then click Add.

Note: A device can only be defined as off-premises by excluding it from the DNS Suffix or Reachable Host lists.
Set registry key for Windows updates

Carbon Black offers a way to set the required registry key for compatibility with a Windows update. See Windows KB 4072699 (https://support.microsoft.com/en-us/help/4072699/windows-security-updates-and-antivirus-software).

To set the registry key
1. Click Settings, then General.
2. Click Send Registry Key.
3. Set ALLOW REGKEY.

Each Windows 3.1 sensor or later will install the registry key the next time that it checks in with the Carbon Black Cloud. The following registry key/value is created:

Key="HKEY_LOCAL_MACHINE"
Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"

Note: Any user who has administrator rights on the endpoint can manually delete the registry key. Microsoft recommends that the key not be changed or deleted after it is created.
Manage Users Overview

Users added from this page will be given access to the Carbon Black Cloud console. Every console user is assigned to a role. Roles contain varying sets of permissions which dictate the views and actions available to a user. Explore pre-defined roles or create a custom role on the Roles page.

Manage Users
Add, modify, or delete users
About built-in user roles
User role permissions matrix
User role permission descriptions

Two-factor Authentication and SAML
Enable two-factor authentication
Enable SAML integration
Add, modify, or delete users

Add new console users, update existing user role assignments, or delete users.

Add a console user
1. Click Add User.
2. Enter the details for the new user, including name, email, and role. Click Save.
3. An email is sent to the entered email address. The email prompts the user to log in and create a password.
4. Added users appear in the table once they have confirmed their login credentials.

Modify user details
1. In the Actions column, click Edit in the row of the user you want to modify.
2. Make edits as necessary, then click Save.

Delete a user
1. In the Actions column, click the X icon in the row of the user you want to delete.
2. In the confirmation modal, click Delete.

Selecting user roles

Users are granted specific permissions based on their assigned role. Six pre-defined user roles are available for selection. You can also create new roles with specific permission levels. Reference the user role permission descriptions for additional detail when creating custom roles.

Note: Legacy user roles are still available for selection, but will be phased out over time.
About built-in user roles

The Carbon Black Cloud console comes with six pre-defined, built-in roles to assign to your users.

Note: Legacy user roles are still available for selection, but will be phased out over time.

View All
Users can view pages, export data, and add notes and tags. Suited for new users or users in an oversight capacity. Permissions include:
View dashboard data
Investigate alerts and view analysis
View endpoints, policies, reputations

Analyst 1
Users monitor, investigate, and respond to potential threats. Users can also triage alerts and place devices in or out of quarantine. Permissions include:
View and quarantine devices
Request files for analysis
Analyze and dismiss alerts

Analyst 2
Users monitor, investigate, and respond to potential threats. Users can also effect change on endpoints via Live Response, file deletion, and quarantine. Permissions include all Analyst 1 permissions, as well as:
Live Response access
Manage background scans
Delete hashes from endpoints

Analyst 3
Users monitor, investigate, and respond to potential threats. Users can also use Live Response and manage application reputations and certs. Permissions include all Analyst 2 permissions, as well as:
Live Query access
Approve/Ban applications
Manage trusted certs

System Admin
Users are responsible for daily admin activities including adding users, managing sensors, and enabling bypass. Users in this role cannot access Live Response, or make global changes, such as modifying policies, API keys, and reputations.

Super Admin
Users have all permissions, including console setup and configuration. Super Admins are the only users who can manage policies, API keys, and sensor group rules.

Note: Roles with Live Response permissions do not automatically have the permissions to view or create Live Response API keys. These permissions are separate and can be added when creating a custom role.
Legacy User Roles

Legacy user roles are still available for selection, but will be phased out over time.
View only: View alerts; cannot take action on alerts. Some components are hidden from view-only users.
Administrator: Full administrative rights; can view and take action on alerts.
Live Response Administrator: Full administrator rights; can view and take action on alerts, and use Live Response to remediate issues on endpoints. (Only Live Response Administrators can add new Live Response Administrators.)
Enable two-factor authentication

We recommend that you enable DUO or Google two-factor authentication (2FA) to add an extra layer of security to your organization. As a best practice, open a second tab after logging into the console before making changes to 2FA settings.

Enable DUO two-factor authentication
Enable Google two-factor authentication

Note: You must have at least two users registered in the Carbon Black Cloud console to enable 2FA.

Enable DUO 2FA
1. Click Settings, then Users, then DUO Security.
2. Click Confirm to confirm that you want to enable DUO 2FA for everyone in your organization who will sign in to the Carbon Black Cloud console.
3. Enter the DUO Security Settings from your DUO account into the modal.
4. Find the integration key, secret key, and API hostname in DUO. (Applications > + Protect an Application > search "Web SDK" > Protect this Application)
5. Click Submit.

Enable Google 2FA
1. Click Settings, then Users, then Google Authenticator. You are prompted to confirm Google 2FA.
2. Sign out, then sign back in to the Carbon Black Cloud console.
3. Download and install the iOS or Android Google Authenticator app on your mobile device. Open the Google Authenticator app on your mobile device and scan the barcode to complete the Google 2FA setup process. A pop-up modal window confirms that you have activated Google 2FA.
4. Enter the 6-digit code that appears on your mobile device to authenticate into the Carbon Black Cloud console.
Enable SAML integration

We recommend opening two instances of the Carbon Black Cloud in separate browsers in case something is misconfigured and you are unable to log in using SAML. If this happens, return to the second instance and disable SAML. Then, verify the settings or contact Carbon Black technical support.

Enable SAML integration with Ping Identity
1. In each of two Carbon Black Cloud instances, click Settings, Users, then Enabled.
2. In the SAML Config page, click Other. Leave the Email Attribute Name field as the value "mail".
3. Log in to your Ping One account https://admin.pingone.com/web-portal/dashboard (https://admin.pingone.com/web-portal/dashboard#).
4. On the Admin dashboard, click the Applications tab, Add application, then New SAML application.
5. Fill in the appropriate fields, click Continue to Next Step, then select the I have the SAML configuration tab.
6. From the Carbon Black Cloud SAML Config page, enter the ACS field and the entity ID. Click Continue to Next Step.
7. Click Add new attribute and enter the following fields:
   mail: Email
   SAML_SUBJECT: SAML_SUBJECT
   a. For the mail field, click Advanced, enter the following fields, then click Save:
      NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
      Attribute Mapping: mail = Email
   b. For the SAML subject field, click Advanced, enter the following fields, then click Save:
      NameFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      Attribute Mapping: SAML_SUBJECT = SAML_SUBJECT
   c. Click Save & Publish.
   d. In the Review Setup section, copy the SAML signing certificate and paste it into the Carbon Black Cloud SAML Config page. Copy the SSO URL and paste it into the Carbon Black Cloud SAML Config page. If your PingOne account email does not match your Carbon Black Cloud user email, configure your PingOne email login account on the Users tab.
8. On the Carbon Black Cloud SAML Config page, click Save, then open a new browser tab or window and verify SAML authentication.

Enable SAML integration with OneLogin
1. In each of two Carbon Black Cloud instances, click Settings, Users, then Enabled.
2. In the SAML Config page, click Other. Leave the Email Attribute Name field as the value "mail".
3. Go to OneLogin in a second browser and go to Apps > Add Apps in the OneLogin administrator dashboard.
4. Search for "SAML Test Connector", then select and save the first result from the search results list. OneLogin opens the application Info page. Click the Configuration tab.
5. In the display name field, type "CB PSC". From the Carbon Black Cloud SAML Enabled page, copy the URL from the Audience field. In OneLogin, paste the copied text into the RelayState, Audience, and Recipient fields.
6. In the Carbon Black Cloud SAML Enabled page, copy the URL from the ACS (Consumer) URL Validator field. In OneLogin, enter the copied text into the ACS (Consumer) URL Validator field.
7. In the Carbon Black Cloud SAML Enabled page, copy the URL from the ACS (Consumer) URL field. In OneLogin, paste the copied text into the ACS (Consumer) URL field.
8. Click Save to save your configuration changes at OneLogin. Click the Parameters tab and add the parameter "SAML Test Connector (IdP) Field mail" with "Value Email" (custom parameter).
9. Click the SSO tab. Copy the X.509 Certificate and paste the value into the X509 Certificate field in the Carbon Black Cloud. If you receive a "Request failed with status code 400" error message, try copying the certificate information line by line into the console.
10. In OneLogin, copy the SAML 2.0 Endpoint (HTTP) field and paste the value into the Single Sign On URL (HTTP-Redirect Binding) field in Carbon Black Cloud. Click Save.
11. Open a new browser tab or window and verify SAML authentication.

Enable SAML integration with Okta
1. In each of two Carbon Black Cloud instances, click Settings, Users, then Enabled.
2. In the SAML Config page, click Other. Leave the Email Attribute Name field as the value "mail".
3. Log in to Okta, click Applications, then Create New App. Set the app type to "SAML2.0", name the app, then click Next.
4. Copy the Audience and ACS URL from the Carbon Black Cloud (these are the same URL) and paste them into both the Single sign on URL and Audience URI (SP Entity ID) fields in Okta. Set the Attribute Statement as "Name=mail", "Name format=Basic", and "Value=user.email".
5. Select I’m an Okta customer adding an Internal app, then click Finish.
6. Click View Setup Instructions. Copy the value in the Login URL/SignOn URL field and paste it into the Single Sign On URL field of the Carbon Black Cloud SAML Config page. Click Save.
7. Open a new browser tab or window and verify SAML authentication.
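All three integrations above leave the console's Email Attribute Name as "mail", mapped to the user's email with the basic NameFormat. The helper below, an added example rather than Carbon Black or IdP code, inspects a decoded assertion for exactly that attribute, which is the first thing to check when SAML login fails after setup; the assertion XML is constructed and unsigned, and signature validation is out of scope here.

```python
"""Check that a SAML assertion carries the email attribute the console expects.

The SP side in the guide is configured with Email Attribute Name "mail" and the
IdP side maps that attribute with the basic NameFormat. Given a decoded
assertion, this reports the address found under that attribute and any
mismatch (wrong attribute name, wrong NameFormat, empty value). Signature and
audience checks are deliberately out of scope.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def find_email_attribute(assertion_xml: str, attribute_name: str = "mail") -> Dict[str, object]:
    """Return {'email': value or None, 'problems': [...]} for the named attribute."""
    root = ET.fromstring(assertion_xml)
    problems: List[str] = []
    email: Optional[str] = None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        fmt = attr.get("NameFormat")
        # An absent NameFormat defaults to unspecified; only an explicit other format is flagged.
        if fmt is not None and fmt != BASIC:
            problems.append(f"attribute {attribute_name!r} has NameFormat {fmt}, expected basic")
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if not values:
            problems.append(f"attribute {attribute_name!r} has no value")
        else:
            email = values[0]
        break
    else:
        # No attribute with the configured name: list what the IdP actually sent.
        names = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]
        problems.append(f"no attribute named {attribute_name!r}; assertion carries {names}")
    return {"email": email, "problems": problems}


# Constructed sample assertion (not a real IdP response); the transient NameID
# mirrors the SAML_SUBJECT mapping in the Ping Identity steps.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_u1</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>analyst@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion, but the IdP sent the address under a different attribute name.
BAD_ASSERTION = GOOD_ASSERTION.replace('Name="mail"', 'Name="email"')

if __name__ == "__main__":
    print(find_email_attribute(GOOD_ASSERTION))
    print(find_email_attribute(BAD_ASSERTION))
```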
Manage Roles

Overview

Every Carbon Black Cloud console user is assigned to a role. Roles contain varying sets of permissions that dictate the views and actions available to a user. Assign roles to your console users from the Users page. The console comes with six pre-defined, built-in roles to choose from. Click the caret next to a role name in the table to view the permissions associated with each role.

Manage Roles
Add, modify, or delete custom roles
About built-in user roles
User role permissions matrix
User role permission descriptions
Add, modify, or delete custom roles

Create and add custom roles, or modify or delete existing roles.

Add a custom role

1. Click Add Role.
2. Enter a unique name and description for the new role.
3. Select a role from the Copy permissions from dropdown to use an existing role as a template. This allows you to add and remove permissions from an existing set of role permissions.
4. Select None from the Copy permissions from dropdown to select permissions without an existing template.
5. Expand the Permissions categories and select or unselect the desired permissions for the role, then click Save.

Tip: Click the Duplicate icon next to a role in the table to make a copy of that role. Use copied roles to easily make minor adjustments to existing roles.

Modify a role

1. In the Actions column, click the Pencil icon in the row of the role you want to modify.
2. Make edits as necessary, then click Save.

Delete a role

Built-in user roles and custom roles actively assigned to users cannot be deleted. To delete a custom role, you must first reassign users connected to that role to a new role.

1. In the Actions column, click the X icon in the row of the role you want to delete.
2. In the confirmation modal, click Delete.

Export/Download roles

In the Actions column, click the Export icon to download a JSON file of a custom role. Use downloaded files to archive or audit changes made to custom roles.
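One way to use the exported role files for an audit, as an added example that is not Carbon Black's code: compare an archived export against the current one and list the permissions that were added or removed, flagging additions that grant high-impact permissions named in this guide. The export layout assumed here ({"name": ..., "permissions": [...]}) is hypothetical; adjust load_role() to the real export's field names.

```python
"""Diff two exported custom-role JSON files to audit changes to a role.
Added example, not Carbon Black code. The export shape assumed here,
{"name": ..., "permissions": [...]}, is hypothetical."""
import json

# Permissions from this guide whose addition to a role deserves a second look
SENSITIVE = {
    "Manage Roles", "Manage Users", "Manage API Keys", "Manage Access Levels",
    "Configure 2FA and SAML", "Bypass", "Use Live Response", "Manage Policies",
}


def load_role(text):
    """Parse one exported role; returns (role name, set of permission names)."""
    data = json.loads(text)
    return data["name"], set(data.get("permissions", []))


def diff_roles(old_text, new_text):
    """Compare an archived export against a newer one.

    Returns the permissions added and removed, whether the role was renamed,
    and the subset of additions that match SENSITIVE so a reviewer can
    prioritise them."""
    old_name, old = load_role(old_text)
    new_name, new = load_role(new_text)
    added = sorted(new - old)
    return {
        "role": new_name,
        "renamed_from": old_name if old_name != new_name else None,
        "added": added,
        "removed": sorted(old - new),
        "sensitive_added": [p for p in added if p in SENSITIVE],
    }


if __name__ == "__main__":
    # Constructed sample exports in the hypothetical shape, not console output
    archived = json.dumps({"name": "Tier1 Triage", "permissions": [
        "View Alerts, Notes, and Tags", "Dismiss Alerts",
        "View Devices and Sensor Groups"]})
    current = json.dumps({"name": "Tier1 Triage", "permissions": [
        "View Alerts, Notes, and Tags", "Dismiss Alerts",
        "Use Live Response", "Quarantine"]})
    print(json.dumps(diff_roles(archived, current), indent=2))
```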
User role permissions matrix

Columns: View All, Analyst 1, Analyst 2, Analyst 3, System Admin, Super Admin. An X marks a role that holds the permission.

Alerts
  Dismiss Alerts: X X X X
  Manage Alerts, Notes, and Tags: X X X X X
  Manage Notifications: X X X X X
  View Alerts, Notes, and Tags: X X X X X X
  View Notifications: X X X X X X

API Keys
  Manage Access Levels: X
  Manage API Keys: X
  View API Keys: X X X X X

Appliances
  Register workload appliances and send workload assets to CBC: X X X X X X
  View Appliance Details: X X X X X X

Custom Detections
  Manage Watchlist Feeds: X X
  Manage Watchlists: X X
  View Watchlist Feeds: X X X X X X
  View Watchlists: X X X X X X

Device Control
  Manage Enforcement: X
  Manage External Devices: X X
  View External Devices: X X X X X X

Endpoint Management
  Bypass: X X
  Deregister and Delete Sensors: X X
  Export Device Data: X X X X X X
  Get and Delete a Hash from Specified Devices: X X X X
  Background Scan: X X X X
  Manage Devices: X X
  Manage Device Assignments: X
  Manage Sensor Groups: X X
  Quarantine: X X X X
  View Devices and Sensor Groups: X X X X X X

Investigate
  Conduct Investigations: X X X X X X
  Export Event Data: X X X X X X

Live Query
  Use Live Query: X X X
  View Live Query: X X X X

Live Response
  Use Live Response: X X X
  View Live Response: X X X X X X

Organization Settings
  Configure 2FA and SAML: X
  Export Dashboard Data: X X X X X X
  Manage Org Information and Codes: X
  Manage Roles: X
  Manage Users: X X X X X
  View and Export Audit Logs: X X X X X
  Download Sensor Kits: X X
  View 2FA and SAML: X X X X X
  View Org Information and Codes: X X X X X X
  View Users: X X X X X X

Policy Management
  Manage Policies: X
  View Policies: X X X X X X

Files and Reputations
  Delete Files: X X X
  Manage Reputations and Auto Banned List: X X
  View Reputations: X X X X X X

Workload Management
  Manage Workloads: X X
  View Workloads: X X X X X X
User role permission descriptions

Alerts
  Dismiss Alerts: Dismiss selected alerts.
  Manage Alerts, Notes, and Tags: Add, edit, and delete alerts, notes, and tags.
  Manage Notifications: Add, edit, and delete notifications.
  View Alerts, Notes, and Tags: View and search alerts, notes, and tags.
  View Notifications: Access and view content on the Notifications page.

API Keys
  Manage Access Levels: Add, edit, and delete access levels.
  Manage API Keys: Add, edit, and delete API keys.
  View API Keys: Access and view content on the API Access page.

Appliances
  Register workload appliances and send workload assets to CBC: Register the Carbon Black Cloud (CBC) workload appliance and send the workload inventory data on the Workloads > VMs without Sensors page. You must have appliance credentials to register the appliance with CBC.
  View Appliance Details: After registration of the Carbon Black Cloud workload appliance, view the appliance details on the API Access > API Keys page.

Custom Detections
  Manage Third Party Watchlists: Enable or disable reports and IOCs from watchlists curated by Carbon Black and third parties.
  Manage Watchlists: Add, edit, and delete custom watchlists, related reports, and IOCs. Subscribe and unsubscribe from watchlists curated by Carbon Black and third parties.
  View Third Party Watchlists: View all watchlists, both custom and curated by Carbon Black and third parties.
  View Watchlists: View the Watchlists page and all available watchlists.

Device Control
  Manage Enforcement: Turn blocking on or off on the Policies page. "Manage Policies" is required to change policy settings.
  Manage External Devices: Review external devices, create approvals for specific or multiple USB devices, and manage approvals.
  View External Devices: View the USB Devices page and all the detected external devices.

Endpoint Management
  Bypass: Enable or disable bypass mode on a device.
  Deregister and Delete Sensors: Manage deregistration and uninstall settings for sensors.
  Export Device Data: Export device data to a CSV.
  Get and Delete a Hash from Specified Devices: Upload and delete a hash from devices.
  Background Scan: Enable or disable background scan on a device.
  Manage Devices: Add and delete device owners; send activation codes; update sensors and signature versions.
  Manage Device Assignments: Assign policies to devices.
  Manage Sensor Groups: Add, edit, and delete sensor groups.
  Quarantine: Enable or disable the quarantined state on a device.
  View Device Info and Sensor Groups: View device and sensor group information.

Investigate
  Conduct Investigations: Use filters and search capability on the Investigate page.
  Export Event Data: Export event data from the Investigate page to a CSV.

Live Query
  Use Live Query: Use all Live Query capabilities. Create, execute, and view query results.
  View Live Query: View query results.

Live Response
  Use Live Response: Use all Live Response capabilities. Initiate sessions and perform actions on enabled endpoints. Requires the "View Live Response" permission.
  View Live Response: Access and view content on the Live Response page. Requires the "Use Live Response" permission.

Organization Settings
  Configure 2FA and SAML: Add, edit, and delete two-factor authentication and SAML settings.
  Export Dashboard Data: Export dashboard data to a CSV.
  Manage Org Information and Codes: Create organization settings; set the registry key and reset company registration codes.
  Manage Roles: Add, edit, and delete user roles.
  Manage Users: Add, edit, and delete console users; assign roles to users.
  View and Export Audit Logs: View and search audit logs; export audit log data to CSV.
  Download Sensor Kits: Download sensor and signature version kits.
  View 2FA and SAML: View two-factor authentication and SAML settings.
  View Org Information and Codes: View organization settings, registry key, and company registration codes.
  View Users: View console user information.

Policy Management
  Manage Policies: Add, edit, and delete policies.
  View Policies: View policies.

Files and Reputations
  Delete Files: Delete uploaded reputation files.
  Manage Reputations and Auto-Banned List: Add, edit, and delete reputations; configure auto banned list settings.
  View Reputations: View and search reputations; view auto banned list settings.

Vulnerability Assessment
  View and Export Vulnerability Data: View and export vulnerability data to a CSV.
  Request Updated Vulnerability Data: Refresh the Vulnerabilities page to get the latest data.

Workload Management
  Manage Workloads: Manage the install sensor action for workload VMs.
  View Workloads: Access and view workload inventory data on the Workloads > VMs without Sensors page.
Manage notifications

Notifications are generated based on the detection of an alert or policy action. You can configure notifications to get emails sent to individuals or to connected systems via API keys.

To manage notifications

Add: click Add Notification, select the notification type, then click Add.
Edit: click the pencil icon.
Delete: click the x icon.
View history: click the clock icon.

Tip: Select the box next to Send only 1 email notification for each threat type per day to reduce the number of emails that you receive.

Notification types

Alert crosses a threshold: Notifies you if an alert crosses a specified severity threshold.
Alert includes specific TTPs: Notifies you if an alert exhibits specific TTPs. You can search and select multiple TTPs.
Policy action is enforced: Notifies you if a policy action is enforced. These notifications can be configured based on the action taken by the policy and will notify you when an application, process, or network connection has been terminated or denied based on policy rules.
Watchlist gets a hit: Notifies you if an IOC is detected in your environment.

Note: If you have set up both a TTP-based notification and a threat score-based notification, you may receive two emails for the same alert. Email addresses must be associated with registered Carbon Black Cloud console users.
API Access

Carbon Black's Open API platform enables you to integrate with a variety of security products, including SIEMs, ticket tracking systems, and your own custom scripts.

Manage API Access and Keys
Create Access Levels
Download pre-built API Keys

Use pre-built API keys to integrate with SIEMs through Syslog, directly with Splunk via a Splunk add-on, or with IBM QRadar through a QRadar app.

To find integration partners, see https://www.carbonblack.com/why-cb/integration-network/ (https://www.carbonblack.com/why-cb/integration-network/) and visit the Carbon Black Developer Network at https://developer.carbonblack.com/ (https://developer.carbonblack.com/).
Manage API Access and Keys

When creating your API Keys, you should understand the following limitations and implications:

SIEM API Keys can only receive notifications through the notifications API. Use a SIEM API Key to configure the Splunk add-on, QRadar app, or the Syslog API Key.
API Keys can call any API except for the notifications and Live Response API.
Live Response API Keys can call any API except for the notifications API.
API Keys inherit the permissions that are available to the user.

Treat the API ID and API secret keys on the API Access page the same as your Carbon Black Cloud console login password.

Create, edit, or delete API Keys

Add: Click Add API Key, enter the required information, then click Save.
Edit: Click the Edit button next to the API Key, make the appropriate changes, then click Save. The access level of an API Key cannot be changed; a new API Key must be created.
Delete: Click the dropdown arrow in the Actions column, then click Delete.

API Credentials and Notifications

From the dropdown arrow in the Actions column you can:

View Notifications History
View API Credentials

Notifications History

Select a timeframe from the dropdown to see all notifications sent to the API Key within that window. API Keys associated with a notification rule cannot be deleted.

To delete API Keys with attached notification rules

1. Note the API ID of the API Key you would like to delete.
2. Click Settings in the left-side navigation, then click Notifications.
3. Find the API ID in the Subscribers column. Delete all associated notification rules. This should enable you to successfully delete the API Key on the API Access page.

API Credentials

View the API ID and the API Secret Key of the API Key. If credentials are compromised for an API Key, regenerate the API Secret Key.

1. Click Generate new API secret key in the API Credentials modal.
2. When prompted to confirm generation of the new key, click the Generate arrow icon.
3. The API Secret Key must be re-entered in the integration to take effect.
Access Levels

Access levels offer the ability to create custom levels of access for your integrations with other security products. Create custom access levels with specific, granular permissions to apply to an API key.

To create an Access level

1. On the Access Levels tab, click Add Access Level.
2. Enter a name and description for your access level.
3. Select the boxes of the permission functions (CRUDE) you wish to include in your access level. Alternatively, you can select an existing access level or a user role from the Copy permissions from dropdown to use as a template.
4. Click Save.

To apply an access level to an API key

1. On the API Access tab, click Add API Key.
2. Enter a name for your API Key, then select Custom from the Access level dropdown.
3. From the Custom access level dropdown you will see all user roles and access levels available in your organization. Select an access level to apply to your API Key.
4. Click Save.

Note: Selecting a user role for an API key should only be used for testing purposes. User roles may contain unversioned APIs. To see all currently supported and versioned APIs, visit the Carbon Black Developer Network (https://developer.carbonblack.com/reference/cb-defense/).
Download pre-built API Keys

Pre-built API Keys are available for download. Sample API scripts are available to help you create your own integrations.

Splunk or Splunk Cloud integration

The CB Defense add-on for Splunk pulls notifications from the Carbon Black Cloud into your Splunk SIEM. See https://splunkbase.splunk.com/app/3545/#/details (https://splunkbase.splunk.com/app/3545/#/details).

The CB Defense App for Splunk provides two-way integration between Carbon Black Cloud and Splunk, including interactive dashboards and API connectivity. See https://splunkbase.splunk.com/app/3905/#/details (https://splunkbase.splunk.com/app/3905/#/details). The CB Defense Add-On is required before installing the CB Defense App.

QRadar integration

Visit the IBM X-Force App Exchange at https://exchange.xforce.ibmcloud.com/hub (https://exchange.xforce.ibmcloud.com/hub). Search for "CB Defense App for IBM QRadar" for installation instructions and download links to install the CB Defense integration with IBM QRadar.

Syslog integration

Carbon Black provides a pre-built Syslog integration to push CB Defense notifications into other SIEMs that accept CEF or JSON style syslog input. See https://developer.carbonblack.com/reference/cb-defense/connectors/#cb-defense-syslog-connector (https://developer.carbonblack.com/reference/cb-defense/connectors/#cb-defense-syslog-connector).

The CB Integration Network website at https://www.carbonblack.com/why-cb/integration-network/ (https://www.carbonblack.com/why-cb/integration-network/) contains information about pre-built integrations from Carbon Black and our technology partners.

The Developer Network website at https://developer.carbonblack.com (https://developer.carbonblack.com) contains API reference documentation and other tutorials regarding the Carbon Black Cloud open API. You can use this information to develop your own integrations, as well as install and configure Carbon Black's pre-built Splunk and QRadar integrations.

The cbapi Python module provides an easy-to-use Python interface to Carbon Black Cloud APIs. The cbapi module is documented at https://cbapi.readthedocs.io (https://cbapi.readthedocs.io), and the source code, including example scripts, is available at https://github.com/carbonblack/cbapi-python (https://github.com/carbonblack/cbapi-python).

To ask questions or interact with others who are using the APIs, visit the Developer Relations space on the User eXchange at https://community.carbonblack.com/community/resources/developer-relations (https://community.carbonblack.com/community/resources/developer-relations).
Inbox

View the status of sensor-related actions taken on your endpoints and hashes, and access uploaded files. When a request to upload a file from an endpoint to the console has been completed, the file will be available for download from this page.

Download requested files
Upload file restrictions

Subtypes

Items in your inbox are categorized by the type of request that is sent to the sensor.

Bypass: Request to enable "bypass" mode; all policy enforcement on the endpoint is disabled
Quarantine: Request to enable "quarantine" mode; isolate an endpoint from the network to mitigate spread of malicious activity
Delete Hash: Request to delete an application/file by hash
Upload Hash: Request to upload an application/file by hash to the console
Kill Switch: Request to terminate a live response session
Background Scan: Request to initiate a background scan

Note: Bypass and Quarantine subtype requests will show either On or Off in the Action column to indicate whether the mode is being enabled or disabled on the endpoint.

Status

The Status of a Subtype request indicates the last known status of the request received from the sensor.

Triggered: The request is submitted through the console, but not yet received by the sensor
Sent to sensor: The request has been received by the sensor; typically occurs once the sensor has checked into the cloud
Success: The request has been completed by the sensor; requested files are available for download
Error: The request has failed

Download requested files

During an investigation, you may come across interesting or suspicious files. You can request to obtain these files from an endpoint for further investigation. This option is available in certain locations across the console by clicking the Take Action button on an application and selecting Request Upload. The request will populate on the Inbox page. When the file is available for download, click the Download icon next to the file name.

Uploaded files expire after two weeks. Attempting to download an expired file will result in a timeout error.

Note: Not all files are compatible with upload requests. See the list of upload file restrictions.
Manual upload file restrictions

The following file restrictions apply to manual file uploads.

Windows

Windows does not restrict uploading of script files when Private Logging Level is enabled in the policy.

Windows files that have the following file extensions can be uploaded for analysis: .exe, .dll, .sys, .ocx, .drv, .scr, .pif, .ex_, .msi, .vb, .vbs, .jar

macOS

macOS scripts are not uploaded if Private Logging Level is enabled in the policy. If Allow Executable Uploads for Scans is not selected, all script uploads are disabled regardless of type.

Common macOS object types can be uploaded for analysis: Perl, Python, Ruby, Shell, TCL, PHP, Applescript

The following objects cannot be uploaded:

Files in the /etc directory
Files that contain the following extensions: .class, .js, and .pkg and .dmg with a file size of > 20MB
Scripts (when Private Logging Level is enabled)
Document files, including:
  Keynote
  PDF
  MS Office
  Open Office
  (determined by both magic and extension)
Files that do not contain a Magic Cookie (the first four bytes of a file that identifies the special file format)
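The restrictions above can be checked locally before an analyst submits a Request Upload, so a rejected request is not discovered only after the sensor reports an Error. The following is an added example, not Carbon Black's code: the Windows extension list and the macOS rules are taken from this section, while the script and document signatures, the reading that only .pkg and .dmg are size-limited, and the "fewer than four bytes" test for a missing Magic Cookie are assumptions.

```python
"""Pre-check a candidate file against the manual upload restrictions listed
in this guide. Added example, not Carbon Black code; the document/script
signatures and the .pkg/.dmg size-limit reading are assumptions."""
import os

# Windows extensions the guide lists as uploadable for analysis
WINDOWS_EXTS = {".exe", ".dll", ".sys", ".ocx", ".drv", ".scr", ".pif",
                ".ex_", ".msi", ".vb", ".vbs", ".jar"}
# macOS: extensions always rejected, and those rejected only above 20MB
MACOS_BLOCKED_EXTS = {".class", ".js"}
MACOS_SIZE_LIMITED_EXTS = {".pkg", ".dmg"}     # assumed reading of the list
MACOS_SIZE_LIMIT = 20 * 1024 * 1024
# Script and document indicators (assumptions; the guide names types only)
SCRIPT_EXTS = {".pl", ".py", ".rb", ".sh", ".tcl", ".php", ".scpt",
               ".applescript"}
DOC_EXTS = {".pdf", ".key", ".doc", ".docx", ".xls", ".xlsx", ".ppt",
            ".pptx", ".odt", ".ods", ".odp"}
DOC_MAGIC = (b"%PDF", b"\xd0\xcf\x11\xe0", b"PK\x03\x04")  # PDF, OLE, zip


def check_upload(path, head, size, platform, private_logging=False,
                 allow_exec_uploads=True):
    """Return (allowed, reason). `head` is the first bytes of the file,
    `size` its length in bytes, `platform` is "windows" or "macos"."""
    ext = os.path.splitext(path)[1].lower()
    if platform == "windows":
        if ext in WINDOWS_EXTS:
            return True, "extension is in the Windows upload list"
        return False, "extension is not in the Windows upload list"
    # macOS rules, most specific first
    if len(head) < 4:
        return False, "no Magic Cookie (fewer than four bytes)"
    if path.startswith("/etc/"):
        return False, "files in /etc cannot be uploaded"
    if ext in MACOS_BLOCKED_EXTS:
        return False, f"{ext} files cannot be uploaded"
    if ext in MACOS_SIZE_LIMITED_EXTS and size > MACOS_SIZE_LIMIT:
        return False, f"{ext} larger than 20MB cannot be uploaded"
    if ext in SCRIPT_EXTS or head.startswith(b"#!"):
        if private_logging:
            return False, "scripts are not uploaded with Private Logging Level"
        if not allow_exec_uploads:
            return False, "Allow Executable Uploads for Scans is not selected"
        return True, "script upload permitted by policy"
    # Document files are identified by both magic and extension
    if ext in DOC_EXTS and head.startswith(DOC_MAGIC):
        return False, "document files cannot be uploaded"
    return True, "no listed restriction applies"


def triage(candidates, platform, **policy):
    """Apply check_upload to (path, head, size) tuples; return rejected paths."""
    return [p for p, h, s in candidates
            if not check_upload(p, h, s, platform, **policy)[0]]


if __name__ == "__main__":
    # Constructed sample inventory, not real endpoint data
    sample = [
        ("/Users/analyst/tool.sh", b"#!/bin/sh\necho hi\n", 32),
        ("/etc/hosts", b"127.0.0.1 localhost\n", 20),
        ("/Users/analyst/report.pdf", b"%PDF-1.7\n", 4096),
        ("/Users/analyst/installer.dmg", b"\x00\x00\x00\x00", 25 * 1024 * 1024),
        ("/Users/analyst/sample.bin", b"\x7fELF", 1024),
    ]
    for path in triage(sample, "macos", private_logging=True):
        print("would be rejected:", path)
```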
Audit Log

Use the Audit Log to review actions performed by Carbon Black Cloud console users. By default, the Audit Log will show entries in the Standard view for 2 weeks. To increase or decrease the level of granularity of log entries, choose from the three available log views.

Flagged: View entries flagged as important, such as failed login attempts and locked accounts.
Standard: View all actions performed by console users, including actions taken on policies, sensor groups, alerts, etc. Includes all entries shown in the Flagged view.
Verbose: View all audit log entries in the given time frame, including all page loads. Includes all entries shown in the Flagged and Standard views.

To expand the scope of your search, choose an option from the time frame dropdown to view entries specifically during that period.

Select Custom to create your own time frame
Select All available to display data from the last 13 months, if available