Professional Documents
Culture Documents
02 - Carbon Black Cloud - Endpoint Advanced User Guide
02 - Carbon Black Cloud - Endpoint Advanced User Guide
Carbon Black is a registered trademark and/or trademark of VMware, Inc. in the United States and other
countries. All other trademarks and product names be the trademarks of their respective owners.
This document is for use by authorized licensees of Carbon Black’s products. It contains the con dential and
proprietary information of Carbon Black, Inc. and may be used by authorized licensees solely in accordance
with the license agreement and/or non-disclosure agreement governing its use. This document may not be
reproduced, retransmitted, or redistributed, in whole or in part, without the written permission of Carbon
Black. Carbon Black disclaims all liability for the unauthorized use of the information contained in this
document and makes no representations or warranties with respect to its accuracy or completeness. Users
are responsible for compliance with all laws, rules, regulations, ordinances and codes in connection with the
use of the Carbon Black products.
THERE IS NO WARRANTY FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS
OTHERWISE EXPRESSLY STATED IN A WRITTEN END USER LICENSE AGREEMENT BETWEEN CARBON BLACK
AND LICENSEE. THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE SOFTWARE "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK
AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH LICENSEE. SHOULD THE SOFTWARE
PROVE DEFECTIVE, EXCEPT AS OTHERWISE AGREED TO BY CARBON BLACK IN THE APPLICABLE END USER
LICENSE AGREEMENT, LICENSEE ASSUMES THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.
Carbon Black acknowledges the use of the following third-party software in its software product:
Backbone - (c) 2010–2012 Jeremy Ashkenas, DocumentCloud Inc. Beautifulsoup - Copyright (c) 2004–
2015 Leonard Richardson
D3 - Copyright (c) 2010–2015, Michael Bostock FileSaver - Copyright (c) 2015 Eli Grey.
Detours Professional 3.0 License - Copyright (c) Microsoft Corporation. All rights reserved. Portions are
covered by patents owned by Microsoft Corporation.
Heredis - Copyright (c) 2009–2011, Salvatore San lippo and Copyright (c) 2010–2011, Pieter Noordhuis
Java memcached client - Copyright (c) 2006–2009 Dustin Sallings and Copyright (c) 2009–2011
Couchbase, Inc.
jQuery - Copyright 2005, 2014 jQuery Foundation, Inc. and other contributors
Libcurl - Copyright (c) 1996 - 2015, Daniel Stenberg, daniel@haxx.se. libfreeimage.a - FreeImage open
source image library.
Meld3 - Supervisor is Copyright (c) 2006–2015 Agendaless Consulting and Contributors. moment.js -
Copyright (c) 2011–2014 Tim Wood, Iskren Chernev, Moment.js contributors MonthDelta - Copyright (c)
2009–2012 Jess Austin
nginx - Copyright (c) 2002–2014 Igor Sysoev and Copyright (c) 2011–2014 Nginx, Inc. OpenSSL -
Copyright (c) 1998–2011 The OpenSSL Project. All rights reserved.
OpenSSL - Copyright (c) 1998–2016 The OpenSSL Project, Copyright (c) 1995–1998 Eric Young, Tim
Hudson. All rights reserved.
PostgreSQL - Portions Copyright (c) 1996–2014, The PostgreSQL Global Development Group and
Portions Copyright (c) 1994, The Regents of the University of California
PostgreSQL JDBC drivers - Copyright (c) 1997–2011 PostgreSQL Global Development Group Protocol
Buffers - Copyright (c) 2008, Google Inc.
Python gunicorn - Copyright 2009–2013 (c) Benoit Chesneau benoitc@e-engura.org and Copyright
2009–2013 (c) Paul J. Davis paul.joseph.davis@gmail.com
Python haigha - Copyright (c) 2011–2014, Agora Games, LLC All rights reserved. Python hiredis -
Copyright (c) 2011, Pieter Noordhuis
Python html5 library - Copyright (c) 2006–2013 James Graham and other contributors Python Jinja -
Copyright (c) 2009 by the Jinja Team
Python Markdown - Copyright 2007, 2008 The Python Markdown Project Python ordereddict -
Copyright (c) Raymond Hettinger on Wed, 18 Mar 2009
Python psutil - Copyright (c) 2009, Jay Loden, Dave Daeschler, Giampaolo Rodola’
Python Seasurf - Copyright (c) 2011 by Max Countryman. Python simplejson - Copyright (c) 2006 Bob
Ippolito
Python sqlalchemy - Copyright (c) 2005–2014 Michael Bayer and contributors. SQLAlchemy is a
trademark of Michael Bayer.
Python sqlalchemy-migrate - Copyright (c) 2009 Evan Rosson, Jan Dittberner, Domen Kozar Python
tempita - Copyright (c) 2008 Ian Bicking and Contributors
Python werkzeug - Copyright (c) 2013 by the Werkzeug Team, see AUTHORS for more details. QUnitJS -
Copyright (c) 2013 jQuery Foundation, http://jquery.org/ (http://jquery.org/)
RabbitMQ - Copyright (c) 2007–2013 GoPivotal, Inc. All Rights Reserved. redis - Copyright (c) by
Salvatore San lippo and Pieter Noordhuis
Rekall - Copyright (c) 2007-2011 Volatile Systems, Copyright (c) 2013-2016 Google Inc. All Rights
Reserved.
Simple Logging Facade for Java - Copyright (c) 2004–2013 QOS.ch Six - Copyright (c) 2010–2015
Benjamin Peterson
Spymemcached / Java Memcached - Copyright (c) 2006–2009 Dustin Sallings and Copyright (c) 2009–
2011 Couchbase, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of the above third-party
software and associated documentation les (collectively, the "Software"), to deal in the Software without
restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notices and this permission notice shall be included in all copies or substantial portions
of the Software.
THE SOFTWARE LISTED ABOVE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Email: support@carbonblack.com
Attack Stages
Attacks by Vector
Endpoint Health
Attacks Stopped
A summary of attacks that were stopped within the speci ed time frame and policy, due to a policy setting.
Click any attack type to open the Alerts page for that type of attack.
Non-Malware: Processes that were stopped due to your local banned list or malicious behavior,
including dual-use les and tools. This includes the case where the reputation is good (for example, a
PowerShell or Winword.exe le), but it is behaving badly.
Potential Malware: Processes that could be a vessel for malware but do not have a reputation for
malicious behavior. This could include MSBuild, InstallUtil, MSHTA.exe, and others.
Malware: Files identi ed as having no purpose other than performing malicious actions on an
endpoint for the bene t of an attacker.
PUPs: Potentially Unwanted Programs. In the best case, PUPs produce annoying results (delivering
popup ads), but are sometimes used to deliver malware.
Attack Stages
Click any bar in the Attack Stages bar graph to access the Alerts page and view more details about the
associated alerts.
Attacks by Vector
The vectors through which attacks occurred within the speci ed time frame and policy. Click any percentage
to open the Alerts page for the selected type of vector.
Only attacks with known vectors are displayed in this widget; all attacks with unknown vectors are omitted
from the display. Attacks with unknown vectors are still factored into the percentage calculations, which may
cause the widget percentages to be less than 100%.
Endpoint Health
The status of sensors on the endpoints. Click any status to go to the Endpoints page and view the deployed
sensors that are in the selected state. Red text indicates that a sensor might require some action.
Deregistered: Sensor was uninstalled. It will persist on Endpoints as a deregistered device until
removed
Quarantined: Sensor is isolated from a ecting your network with malware or other suspicious activity
Bypass: Sensor is not sending data to the cloud or is placed here temporarily during an update
To add a widget, click More Widgets and select a widget to drag and drop onto the dashboard.
Time frame: Set the time frame to view data speci cally during that window. Select an existing
window or create a custom one. Selecting All available from the dropdown will display the last 13
months of data, if available.
Note: The Endpoint Health widget is not a ected by the time window and optional data ltering.
Alert severity: Set the severity score to show only a certain range of values. The default value is 3. All
alerts with the selected or higher severity score will display.
Group alerts: Set Group alerts to ON or OFF to view like alerts collectively or individually. The default
value is OFF.
Include other observed activity: Other observed activity indicates interesting activity that has not
been raised to the level of an alert. This is disabled by default.
Include dismissed alerts: Alerts that have been previously dismissed. This is disabled by default.
Click Export All to export all the data on the dashboard page to a CSV le. Alternatively, download any
individual data set by clicking the down-arrow in that widget.
Alerts
Overview
Regularly review alerts to determine whether action needs to be taken or policies need to be modi ed.
Alert Details
To expand and view alert details, double-click and alert row in the table.
Group alerts
TTP Reference
MITRE Techniques Reference
Dismiss alerts
Note: Advanced Scripting Prevention alerts do not have access to the Alert Triage page.
Search Help
Search Basics
Note: Timestamps within the console are displayed in the user's local time zone. Hover over timestamps to
view your local time in relation to the UTC time zone.
Alert details, types, and severity
Alert details
To view more details, double-click an alert or click the > to the right of the Actions column.
The expanded, right-side panel includes sections for more information on the alert's primary process and
device.
Click Show details to further expand each section. View or add alert notes and tags at the bottom of the
expanded right-panel in the Notes & Tags section.
In the table, the Status column will show Policy Applied with a red shield icon if an action was taken by a
policy on the alert.
Alert types
Alerts can come from two sources: USB Device Control or CB Analytics. View alerts from each source by
using the Type lter.
1. On the Alerts page, lter results by selecting USB Device Control in the Type lter.
2. Double-click an alert or click the > to the right of the Actions column to view the expanded right-side
panel. In this panel, view device details like vendor ID, product ID, and serial number.
3. Click Approve and approve a blocked USB device, or go to the USB Devices Inventory page to view all
devices detected in your environment.
CB Analytics alerts
CB Analytics alerts are detections generated by the Carbon Black Cloud analytics engine. These alerts are
further separated into two categories, indicated by the color of the alert:
Threat: Coded with the color red, located in the Priority lter. These alerts are highly likely to be
malicious activity. All Watchlists alerts are grouped in the Threat category.
Observed: Coded with the color yellow, located in the Other Activity lter. These alerts are observed
behaviors which have not been escalated to a degree which would indicate a threat or require action.
Useful for additional context when conducting investigations.
We recommend only selecting the Threat box in the lters panel when reviewing your queue of CB Analytics
alerts to help prioritize and focus your analysis.
Alert severity
Alert severity indicates the relative importance of an alert.
Click the S column to sort the alerts in your queue by severity score and identify which alerts might require
immediate attention.
Severity 1-2: Activities such as port scans, malware drops, changes to system con guration les,
persistence, etc.
Severity 3-5: Activities such as malware running, generic virus-like behavior, monitoring user input,
potential memory scraping, password theft, etc.
Severity 6-10: Activities such as reverse command shells, process hollowing, destructive malware,
hidden processes and tool sets, applications that talk on the network but should not, etc.
Target value
The target value acts as a multiplier when calculating the threat level of an alert. Target values are de ned by
the policy to which an endpoint belongs.
The target value is indicated by the number of lled bars under the T column in the alerts table.
Medium: Two bars. The baseline target value; does not add a multiplier.
High/Mission Critical: Three or four bars. Both values increase the threat level under the same
circumstances. You may see two or more alerts with identical descriptions but with di erent alert
severities.
Group alerts
About grouped alerts
Similar alerts may be seen across multiple endpoints. Use the Group alerts toggle in the top right of the
table to group all similar alerts occuring across multiple endpoints into a single row.
Group alerts: O
By default, the toggle is turned O . In this view, all alerts are displayed individually in a single alert row, even
if an alert is seen on multiple devices.
Alerts can only be sorted by severity when the toggle is turned O . We recommend this view to identify alert
prioritization, or when actions need to be taken on an individual alert.
Group alerts: On
Grouped alerts are condensed into a single, alert row. Click the Devices icon in the Actions column of a
grouped alert row to view all alerts within the grouping, across all devices.
Alerts cannot be sorted by severity when the toggle is turned On. We recommend using the toggle On to
identify the prevalence of similar alerts across your organization, or to e ciently dismiss alerts across
multiple devices.
When grouped, these alerts represent a singular, collective "alert grouping" or "threat", identi ed by its
Threat ID. Alerts are grouped by their detected primary process and alert reason.
Note: Threat ID is not currently displayed in the console. However, it can be retrieved from the URL when
viewing an alert on the Alert Triage page.
Dismiss alerts
To dismiss alerts
1. Turn Group Alerts to OFF to dismiss alerts on a single device; turn Group Alerts to ON to dismiss
alerts on multiple devices.
2. Select the alerts you want to dismiss.
3. Click Dismiss Alert(s).
4. To dismiss all future occurrences of an alert, select If this alert occurs in the future, automatically
dismiss it on all devices. Email noti cations are not associated with alert dismissals. You will still
receive email noti cations for automatically dismissed future alerts.
5. Select a reason for the dismissal and use the open text box to include notes for the audit log entry. Click
Dismiss.
Note: Alerts can present di erent SHA-256 hashes. To dismiss an alert on multiple devices, the hash of the
object must be the same.
1. Select the checkbox in the top-left corner of the Alerts table to select all alerts listed on the page.
2. Click select all in the header prompt to select all alerts across all pages.
3. Click Dismiss Alert(s).
4. To dismiss all future occurrences of an alert, select If this alert occurs in the future, automatically
dismiss it on all devices. Email noti cations are not associated with alert dismissals. You will still
receive email noti cations for automatically dismissed future alerts.
5. Select a reason for the dismissal and use the open text box to include notes for the audit log entry. Click
Dismiss.
Search Basics
Value Search
Use complete values when searching (e.g., powershell) or a trailing wildcard (e.g., power*).
Search Fields
e.g., parent_name:powershell.exe
Wildcards
e.g., process_name:.exe
Wildcards can be used in a path if you don’t quote the value and escape the following special characters with
a backslash: + - && || ! ( ) { } ^ " ~ * ? : /
Operators
Escaping
Slashes, colons, and spaces must be manually escaped, except when using suggestions and lters.
Date/Time Ranges
Count Searches
Visualizing alerts
Dismiss or undismiss
Click Dismiss or Undismiss to take the desired action on an alert. Use the arrow buttons to quickly scroll
between alerts. Dismiss alerts across devices or in bulk on the Alerts page.
Quarantining the device prevents suspicious activity and malware from a ecting the rest of your network. A
device remains in quarantine until it is removed from the quarantined state. It can take several minutes to
place a device in quarantine.
Live Response is available on endpoints running a version 3.0 or later sensor and which have been assigned
a policy with Live Response enabled. Live Response can be used on devices in bypass mode or quarantine.
Visualizing alerts
Access a visualization, or process tree, of your alerts by clicking the Alert Triage icon from the Alerts page.
Each event in the attack stream (process, le, or network connection) is shown in the process tree as a node
with the attack origin displayed on the left and each subsequent event shown from left to right as the attack
progressed.
Click a node to view additional information and take action in the Selected Node collapsible panel.
Node Types
Operating System/Root Node: The root node at the far left of the process tree represents the host
device on which the original activity took place. The root node icon represents the operating system
that was running on the device.
Note: If an operation is denied, an exclamation point (!) displays next to the denied process. If a process is
terminated, an X displays next to the terminated process.
Line Types
Invoked: A solid line indicates that one process invoked another process, le, or network connection.
Injected: A dashed line indicates that one process injected code into another process.
Read Memory: A dotted and dashed line indicates that one process attempted to read the virtual
memory of another process (but did not inject into the process).
Accessed Target: A dotted line indicates that one process attempted to enter another process (but
did not inject into the process).
Alert origin, behaviors, and TTPs
Access origin and behavior details about your alerts by clicking the Alert Triage icon.
Alert origin: Describes how the primary process for the alert was introduced onto the host, including
information about how the primary process was written to disk.
Alert behaviors based on severity: Describes alert behaviors based on severity and displays an interactive
TTP graph. Segments of the graph indicate the . Click a category label or graph segment to see a category’s
related TTPs, color coded by severity.
Orange: Medium
Yellow: Low
Gray: None
Example: Attempts to persist beyond the reboot of a device and enumerating the running
processes on a system.
Data at Risk: Behaviors with intent to compromise the con dentiality, availability, or integrity of data
on endpoints.
Example: Ransomware-type behaviors or attempts to access user credentials.
Malware & Application Abuse: TTPs that are related to les with a generally known "bad" reputation,
or applications seen executing les with known bad reputations.
Note: This category also represents the monitoring of the execution of system applications.
However, these TTPs are given a lower priority rating because of the high likelihood of being
non-malicious actions.
Network Threat: Contains all TTPs that involve a process that is either communicating over the
network or listening for incoming connections.
Investigate
Investigate and analyze the details of every event stored in the Carbon Black Cloud, including all failed and
successful operations performed by applications and processes on endpoints.
Process details
Learn more about accessing details about your events and processes, how to take action, and about the
data that populates from your search results.
Search basics
Use the advanced search capabilities on this page to nd more detailed information about alerts, conduct
investigations, and gain org-wide visibility into the prevalence of events and processes running in your
environment.
Use the Search Guide at the top of the page to access a full list of available search terms to help you create
advanced queries.
Value Search
Use complete values when searching (e.g., powershell) or a trailing wildcard (e.g., power*).
Search Fields
e.g., parent_name:powershell.exe
Wildcards
e.g., process_name:.exe
Wildcards can be used in a path if you don’t quote the value and escape the following special characters with
a backslash: + - && || ! ( ) { } ^ " ~ * ? : /
Operators
Slashes, colons, and spaces must be manually escaped, except when using suggestions and lters.
Date/Time Ranges
Count Searches
Four tabs, each with a focused perspective, o er alternative ways to view information about the events in
your environment.
Events
Applications
Devices
Network
Note: Timestamps in the console are displayed in the user's local time zone. Hover over timestamps to view
the local time relative to the UTC time zone.
Events
The Events tab is the default view. It shows every event stored in the Carbon Black Cloud, including all failed
and successful operations performed by applications and processes on endpoints.
Click the caret to open up additional process and event type information in the right-side panel.
Click the dropdown arrow next to the process name to take action on the process.
Click More to view additional device details and take action on the device.
Title Description
Type The type of event. Types include: childproc (child process), lemod ( le modi cation), netconn (network connection), crossproc (cross
process), and regmod (registry modi cation).
Event Details associated with the event, including the application/process path, what occurred during the event, and whether the operation
was successful or not.
Applications
The Applications tab displays the total number of events associated with each unique hash.
Hash The SHA-256 of the application/process. Click the hyperlinked hash to search by SHA-256 hash on the Events tab.
Application The name and path of the application/process. Click the hyperlinked name to search by application/process name on the
Events tab.
E ective The reputation of the application/process hash as applied by the sensor at the time the event occurred.
Reputation
Current Cloud The real-time reputation of the application/process hash reported by the Carbon Black Cloud.
Reputation
Events The total number of events associated with the application/process hash. Click the hyperlinked number to search by
SHA-256 hash on the Events tab.
Devices The number of devices the hash has been detected on.
Devices
The Devices tab displays the total number of events associated with each device in your environment.
Title Description
Device The registered name of the device. Click the hyperlinked device name to see additional device details and to take action, including
enable/disable bypass and quarantine/unquarantine the device.
Policy The policy group to which the device is registered. Click the hyperlinked policy name to view the policy on the Policies page.
Group The sensor group to which the device is assigned, if applicable. Sensor groups can be viewed and managed on the Endpoints page.
Events The total number of events associated with the device. Click the hyperlinked number to search by device ID on the Events tab.
Network
The Network tab displays all network related events associated with each device and application/process in
your environment.
Click the caret to open up additional process and network connection information in the right-side panel.
Click the dropdown arrow next to the process name to take action on the process.
Click More to view additional device details and take action on the device.
Title Description
Device The registered name of the device. Click the hyperlinked device name to see additional device details and to take action,
including enable/disable bypass and quarantine/unquarantine the device.
Process The name and path of the application/process. Click the hyperlinked name to see a visualization of the network connection on
the process tree.
Port Destination port of the network connection initiated or received by the process.
TTPs and MITRE Techniques
Tactics, Techniques, and Procedures (TTPs) are behaviors, methods, or patterns of activity used by a
threat actor, or group of threat actors.
MITRE Techniques are derived from MITRE ATT&CK™. This framework provides a list of common tactics,
techniques, and procedures that can be used to discover potential threats and identify areas of risk and
improvement in your environment. The framework is comprised of 12 Tactics and over 300 Techniques,
which adversaries use to compromise systems and enterprises.
MITRE Techniques
Events and alerts may also be tagged with MITRE Techniques, derived from MITRE ATT&CK™.
MITRE techniques appear alongside TTPs and always have a "mitre_" pre x, followed by the Technique ID,
and the Technique name. They present as hollow pills with a colored border, based on severity.
Events and alerts are tagged with TTPs to provide context around attacks and behaviors leading up to
attacks that are detected and prevented by policy actions. Events and alerts may also be tagged with MITRE
Techniques. See the MITRE Techniques Reference for a full list of MITRE techniques in the Carbon Black
Cloud console.
Important: VMware Carbon Black is replacing the terms blacklist and whitelist with banned list and
approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.
Tag Where Category How It’s Set Description
It’s
Detected
ACCESS_CALENDAR Sensor Data at Risk A lesystem lter driver is set to Access the calendar
(Severity: Medium) identify a read access based on application data les. For
target le extension. example Outlook.
ACCESS_CLIPBOARD Sensor Data at Risk The Win32 API Access clipboard application
(Severity: Medium) GetClipboardData() is called. data.
ACCESS_CONTACTS Sensor Data at Risk A lesystem lter driver is set to Access contact list/phone
(Severity: Medium) identify a read access based on list application data.
target le extension.
ACCESS_DATA_FILES Sensor Data at Risk A lesystem lter driver is set to Access data les.
(Severity: Medium) identify a read access based on
target le extension.
ACCESS_EMAIL_DATA Sensor Data at Risk A lesystem lter driver is set to Access email contents.
(Severity: Medium) identify a read access based on
target le extension.
ADAPTIVE_WHITE_APP Analytics Malware & A hash lookup has identi ed an An unknown application
(Severity: None) Application executable with reputation: that scanned clean.
Abuse ADAPTIVE_WHITE_APP. App is
also (not signed) and (new i.e.
age < 30 days).
CODE_DROP Sensor Malware & A lesystem lter driver is set to Application dropped an
(Severity: Medium) Application identify the creation of a new executable or script.
Abuse binary or script, based on target
le extension.
COMPANY_BLACKLIST Sensor Malware & The hash of an binary has been Application is on the
(Severity: High) Application banned from executing, placed company banned list.
Abuse on the COMPANY_BLACKLIST.
Tag Where Category How It’s Set Description
It’s
Detected
COMPROMISED_PARENT Sensor Process Userland hooks are set to Parent process has been
(Severity: None) Manipulation identify processes that compromised due to
complete bu er over ow, process modi cations such
process hollowing or code as bu er over ow, code
injection by compromised app injection, or process
such as, email, o ce, or hollowing.
browsers apps.
COMPROMISED_PROCESS Sensor Process Userland hooks are set to Process has been
(Severity: Medium) Manipulation identify processes that compromised due to
complete bu er over ow, process modi cations such
process hollowing or code as bu er over ow, code
injection by compromised app injection, or process
such as, email, o ce, or hollowing.
browsers apps.
COPY_PROCESS_MEMORY Sensor Data at Risk Userland hooks are set to Application took a memory
(Severity: High) identify an application that took snapshot of another
a memory snapshot of another process
process.
DETECTED_BLACKLIST_APP Sensor & Malware & Hash of discovered executable A Blacklisted application has
(Severity: High) Analytics Application has reputation: been detected on the
Abuse COMPANY_BLACKLIST. lesystem.
DETECTED_MALWARE_APP Sensor & Malware & Hash or local scan of Malware application has
(Severity: High) Analytics Application discovered executable has been detected on the
Abuse reputation: KNOWN_MALWARE lesystem.
DETECTED_PUP_APP Sensor & Malware & Hash or local scan of Potentially Unwanted
(Severity: High) Analytics Application discovered executable has Application (PUP) has been
Abuse reputation: PUP detected on the lesystem.
DETECTED_SUSPECT_APP Sensor & Malware & Hash or local scan of Suspect Application has
(Severity: High) Analytics Application discovered executable has been detected on the
Abuse reputation: SUSPECT_MALWARE lesystem.
DUMP_PROCESS_MEMORY Sensor Data at Risk Userland API hooks are set to Application created a
(Severity: Medium) detect a process memory memory dump of another
dump. process on the lesystem
EMAIL_CLIENT Sensor Network A network lter driver is set to Non-Email application (i.e.
(Severity: Low) Threat identify client connections that unknown) is acting like an
use an email protocol email client and sending
(e.g.SMTP, SMTPS, POP3, data on an email port.
POP3S. IMAP, IMAP2, IMAPS).
ENUMERATE_PROCESSES Sensor Generic Userland API hooks are set to Process is attempting to
(Severity: Medium) Suspect detect process enumeration. obtain a list of other
processes executing on the
host.
Tag Where Category How It’s Set Description
It’s
Detected
HAS_BUFFER_OVERFLOW Sensor Emerging Userland hooks are set to This process has exhibited a
(Severity: Low) Threats identify API calls from writeable bu er over ow.
memory
HAS_INJECTED_CODE Analytics Process The analytics keeps track if a The process is running
(Severity: None) Manipulation process has been compromised injected code.
and then injects code into
another process.
HAS_PUP_CODE Sensor Process A PUP_APP has performed a Process has been injected
(Severity: High) Manipulation process injection using one of a into by a PUP.
variety of techniques.
HAS_SUSPECT_CODE Sensor Process A SUSPECT_APP has performed Process has been injected
(Severity: High) Manipulation a process injection using one of into by suspect malware.
a variety of techniques.
HOLLOW_PROCESS Sensor Process Multiple user level hooks are A technique used to hide
(Severity: None) Manipulation set to identify a speci c the presence of a process,
sequence of calls that indicate a typically performed by
process is being replaced with creating a suspended
another. process, replacing it with a
malicious one.
IMPERSONATE_SYSTEM Analytics Process Is set when the username that Tracks the username that is
(Severity: None) Manipulation is associated with a process associated with a process
changes during the course of and watches for change of
execution to NT associated username to
AUTHORITY\SYSTEM. system/root.
IMPERSONATE_USER Analytics Process Is set when the username that Tracks the username that is
(Severity: None) Manipulation is associated with a process associated with a process
changes during the course of and watches for change of
execution to something other associated username from
than NT AUTHORITY\SYSTEM. system/root to that of
another user.
INDIRECT_COMMAND_EXECUTION Sensor Malware & Various system utilities may System utility used to
(Severity: Low) Application have been used to execute indirectly execute another
Abuse commands, possibly without command.
invoking cmd.
INSTALL Sensor Generic A lesystem lter driver is set to Install process is running.
(Severity: Low) Suspect identify the creation of new
binaries or scripts based on
target le extension by installer
executable
KNOWN_APT Sensor & Malware & A hash lookup has identi ed a Application is Advanced
(Severity: Critical) Analytics Application running executable that has Persistent Threat.
Abuse reputation: KNOWN_MALWARE,
category: APT
KNOWN_BACKDOOR Sensor & Malware & A hash lookup has identi ed a Application is a known
(Severity: Critical) Analytics Application running executable that has backdoor into the system.
Abuse reputation: KNOWN_MALWARE,
category: backdoor
Tag Where Category How It’s Set Description
It’s
Detected
KNOWN_DOWNLOADER Sensor & Malware & A hash lookup has identi ed a Application is a known
(Severity: Critical) Analytics Application running executable that has malicious downloader.
Abuse reputation: KNOWN_MALWARE,
category: downloader
KNOWN_DROPPER Sensor & Malware & A hash lookup has identi ed a Application is a known
(Severity: Critical) Analytics Application running executable that has dropper of executables
Abuse reputation: KNOWN_MALWARE,
category: dropper
KNOWN_KEYLOGGER Sensor & Malware & A hash lookup has identi ed a Application known to
(Severity: Critical) Analytics Application running executable that has monitor keyboard input.
Abuse reputation: KNOWN_MALWARE,
category: keylogger
KNOWN_PASSWORD_STEALER Sensor & Malware & A hash lookup has identi ed a Application known to steal
(Severity: Critical) Analytics Application running executable that has passwords.
Abuse reputation: KNOWN_MALWARE,
category: password stealer
KNOWN_RANSOMWARE Sensor & Malware & A hash lookup has identi ed a Application is known
(Severity: Critical) Analytics Application running executable that has Ransomware.
Abuse reputation: KNOWN_MALWARE,
category: ransomware
KNOWN_ROGUE Sensor & Malware & A hash lookup has identi ed a Application is known as a
(Severity: Critical) Analytics Application running executable that has rogue application.
Abuse reputation: KNOWN_MALWARE,
category: rogue
KNOWN_ROOTKIT Sensor & Malware & A hash lookup has identi ed a Application is a known root
(Severity: None) Analytics Application running executable that has kit.
Abuse reputation: KNOWN_MALWARE,
category: rootkit
KNOWN_WORM Sensor & Malware & A hash lookup has identi ed a Application is a known
(Severity: Critical) Analytics Application running executable that has worm.
Abuse reputation: KNOWN_MALWARE,
category: worm
LEVERAGES_SYSTEM_UTILITY Analytics Emerging Various system utilities may A system utility was used for
(Severity: High) Threats have been used to perform potentially malicious
malicious activity. purposes.
LOW_REPUTATION_SITE Analytics Network A network lter driver is set to Application made a network
(Severity: Medium) Threat identify connections to a peer connection to a peer with
IP address or Domain that has low reputation.
a low site reputation score
MALWARE_APP Analytics Malware & A hash lookup or local scanner Application is a known
(Severity: Critical) Application has identi ed a running Malware application.
Abuse executable that has reputation:
MALWARE
MALWARE_SERVICE_DISABLED Sensor Policy Action The analytics receives this info Malware service detected
(Severity: Not applicable) from the sensor and sets this and disabled by a policy.
value accordingly.
MALWARE_SERVICE_FOUND Sensor Policy Action The analytics receives this info Malware service detected by
(Severity: Not applicable) from the sensor and sets this a policy.
value accordingly.
Tag Where Category How It’s Set Description
It’s
Detected
MODIFY_KERNEL Sensor Process A userland hook has identi ed Application modi ed system
(Severity: Critical) Manipulation a process that modi ed kernel kernel.via NullPage
space Allocation
MODIFY_MEMORY_PROTECTION Sensor Process A userland hook is set to detect Application modify memory
(Severity: Medium) Manipulation a process modifying the protection settings for the
memory permissions of a process.
secondary process
NON_STANDARD_PORT Sensor Network Network lter driver veri es The process of passing
(Severity: None) Threat ports for common protocols. network tra c on an
Identi es non-trusted alternative port to which it
applications from making non- was assigned by the IANA
http requests. Internet Assigned Numbers
Authority (IANA); for
example, passing FTP on
port 8081 when it is
normally con gured to
listen on port 21.
OS_DENY Sensor Operating Analytics receives this info from The attempted action was
(Severity: None) System the sensor and sets this value denied by the operating
Action accordingly. system.
POLICY_DENY Sensor Policy Action The analytics receives this info The attempted action was
(Severity: Not applicable) from the sensor and sets this denied due to policy.
value accordingly.
POLICY_TERMINATE Sensor Policy Action The analytics receives this info The process was terminated
(Severity: Not applicable) from the sensor and sets this due to policy.
value accordingly.
PRIVILEGE_ESCALATE Analytics Process Is set when the username that Checks to see whether the
(Severity: None) Manipulation is associated with a process actual SYSTEM privilege is
changes during the course of associated with the process
execution to “NT (not just the username
AUTHORITY\SYSTEM” or the context).
process has gained the admin
privilege.
PROCESS_IMAGE_REPLACED Sensor Process Userland hooks watch for Application has had its
(Severity: None) Manipulation speci c APIs being invoked that primary executable code
involve overwriting of the main replaced with other code.
executable section of a process,
and other related
manipulations such as
suspending and unmapping
sections.
PUP_APP Analytics Malware & A hash lookup or local scanner Application is a Potentially
(Severity: High) Application has identi ed a running Unwanted Program.
Abuse executable that has reputation:
PUP
RAM_SCRAPING Sensor & Data at Risk User land hook is set to detect When a process tries to
(Severity: Medium) Analytics an application’s attempt to read scrape the memory utilized
process memory. by another process.
READ_PROCESS_MEMORY Sensor Data at Risk A userland hook is set to detect Application is attempting to
(Severity: Medium) applications attempting to read read process memory.
process memory.
READ_SECURITY_DATA Sensor Data at Risk A userland hook is set to detect Application is attempting to
(Severity: High) an application attempting to read privileged security
read privileged security information (for example,
information. lsass.exe).
Tag Where Category How It’s Set Description
It’s
Detected
REVERSE_SHELL Sensor & Emerging A userland hook is set to Command shell (e.g.
(Severity: High) Analytics Threats identify a process that reads cmd.exe) interactively
from or writes to console via a receiving commands from a
network connection network parent
RUN_UNKNOWN_APP Sensor Malware & A userland hook is set to Application tried to execute
(Severity: None) Application identify applications that an application with
Abuse attempt to execute unknown reputation.
RUN_ANOTHER_APP and child
process is UNKNOWN_APP.
SCREEN_SHOT Sensor Data at Risk Win32 API SendInput() is used A screenshot is taken on the
(Severity: None) to synthesize a PrintScreen key machine.
press or Win32 API
CreateCompatibleBitmap() is
called.
SUSPECT_APP Sensor & Malware & A hash lookup or local scanner Application is suspected
(Severity: High) Analytics Application has identi ed a running malicious by AV.
Abuse executable that has reputation:
SUSPECT. App is also (not
signed)
SUSPICIOUS_DOMAIN Sensor & Network Network lter driver is set to Application is connecting to
(Severity: High) Analytics Threat identify when a suspicious network
INTERNATIONAL_SITE is an ISO domain.(based upon ISO
3166-1 Country Code (e.g. CU, 3166-1 country codes).
IR, SD, SY, IQ, LY, KP, YE, etc)
SUSPICIOUS_SITE Sensor & Network An IPv4 or IPv6 network lter Application accepts an
(Severity: Medium) Analytics Threat driver is set to identify accepted inbound network
connections from a suspicious connection from a
INTERNATIONAL_SITE (e.g. suspicious international site.
domains in RU, CN)
UNKNOWN_APP Sensor & Malware & A hash lookup has identi ed a Application is unknown
(Severity: None) Analytics Application running executable that has reputation.
Abuse reputation: not_listed (i.e.
unknown). App is also (not
signed)
MITRE Techniques Reference
MITRE Techniques are derived from MITRE ATT&CK™ (https://attack.mitre.org/), a globally-accessible
knowledge base that provides a list of common adversary tactics, techniques, and procedures.
MITRE Techniques can appear alongside Carbon Black TTPs to tag events and alerts to provide context
around attacks and behaviors leading up to attacks. See the TTP Reference for a full list and description of all
Carbon Black TTPs.
This reference lists all of the MITRE techniques currently in the Carbon Black Cloud console.
ID Name Link to Technique Details
See the supported operating systems and sensors you can use with Live Query.
See the supported operating systems and sensors you can use with Live Query.
Recommended queries
Queries recommended by Carbon Black security experts are listed by category. A description is included
along with the recommended run frequency. Click the + icon to see the full SQL.
To get started:
View the query status and results on the Query Results page.
SQL Query
If you're familiar with SQL, click the SQL Query tab to create more granular queries.
To get started:
View the query status and results on the Query Results page.
For a complete list of supported Linux distributions, see the User Exchange
(https://community.carbonblack.com/t5/CB-LiveOps-Knowledge/Getting-Started-Live-Query/ta-p/44147). The
3.4+ sensor is required for Windows, the 3.3+ sensor for macOS, and the 2.3+ sensor for Linux.
Query Results
Query results are available when devices start to respond. The wait time for results depends on the query
type and complexity, if devices are online, and the last time each sensor checked in. Queries run for up to 7
days, unless scheduled to run more frequently. Results are available for 30 days.
One-Time Queries
One-time queries display the query start-time, query name, devices responded, user who ran the query, and
query status. Click the symbol next to the query name for more details.
In the Actions column, click the dropdown arrow to Stop (if applicable), Rerun, Duplicate, or Delete a
query.
Scheduled Queries
Scheduled queries display the last run time/date, query name, policy/endpoints, frequency, and run time.
Click the symbol next to the query name for more details. In the Actions column, click the dropdown arrow
to Edit, Stop schedule, or Delete a query.
Click the caret to the left of the query name to view scheduled queries that are still running or completed.
Each query displays the query start-time, devices responded, and status. In the Actions column, click the
Stop button (if applicable) to stop a query or the X icon to delete the query.
View results
To view the results of a query, click the hyperlinked query name. Click the icon next to the query name for
more details about the query, including the targeted policies, endpoints, and the full query SQL.
You can view results from either the Results or Devices view. In each view, click the Take Action button to
Stop (if applicable), Rerun, Duplicate, or Delete a query.
In the Results view, you will see if devices have responded to your query. The Response and Device
lters are always present. Other lters are generated based on your query. Click Export to download
the data as a CSV le.
In the Devices view, you will see the status of your query on each device. The Status, Device, and
Time columns are always present. Other columns are generated based on your query.
Live Response
In the Results view, you can access Live Response to directly remediate threats by remotely accessing a
user’s machine. Click the Live Response symbol >_ to the right of each device name to get started.
If the icon is grayed out, the device is not connected to the network and cannot be accessed by Live
Response.
Policies
Overview
Policies are a group of rules that determine preventative behavior. Each endpoint sensor, or sensor group, is
assigned to a policy.
Manage Policies
About ransomware
To copy a policy
1. Select a policy.
2. Open Blocking and Isolation and click the copy icon below the rule.
3. Click All Policies to copy the rule to all policies, or click Select Policies to search for and select speci c
policies. You can select multiple policies, one at a time.
4. Click Copy. You will receive a con rmation message that the policies are updated.
Note: If the rule you are copying con icts with any rules in a destination policy, a modal will let you manage
the rule con icts. You can replace or skip a speci c rule, or you can replace or skip all con icting rules at
once by selecting the Apply selection to all con icts checkbox.
About built-in policies
Built-in Carbon Black Cloud policies are devised as templates for common use cases. You can assign sensors
to these policies, change the policy settings, or duplicate the settings to create a new policy. Built-in policies
cannot be deleted.
Standard policy
Blocks known and suspected malware and prevents risky operations like memory scraping and code
injections. Newly deployed sensors are assigned this policy by default. It is the recommended starting point
for new deployments.
Tip: Review and re ne the Standard policy rules to avoid unnecessary blocks or false positives that are
triggered by in-house or custom software applications, which may have reputations that the Carbon Black
Cloud does not recognize.
Monitored policy
Monitors endpoint application activity and logs events to the Dashboard. This policy has no preventive
capabilities.
Tip: Use the data that this policy provides to evaluate policy rule implementation needs.
Advanced policy
Extends the capabilities of the Standard policy by blocking operations from system utilizing, and preventing
riskier behaviors that are more likely to be false positives.
Tip: Use a phased roll-out approach to implement any new or Advanced policy rules. We recommend
assigning Advanced policies to a group of pilot endpoints, and watching for false positives or blocks on
legitimate software before rolling them out to more endpoints.
About ransomware
Ransomware policy rules
We recommend that rules for suspected malware, PUP, not-listed, and unknown reputations be added to
your policies for protection against ransomware.
Note: The only available action for Performs ransomware-like behavior is Terminate process. This is
because denying ransomware access to the rst le that an application tries to encrypt would not prevent it
from attempting future encryption operations.
About ransomware
The most secure ransomware policy is a default deny posture that prevents all applications except those
that are speci cally approved from performing ransomware-like behavior. This policy requires tuning to
handle false positives that are generated by applications whose legitimate activity mimics ransomware
operations. The advantage of the default deny policy is protection from ransomware behaviors that
originated from compromised applications that have a higher reputation (such as TRUSTED_WHITE_LIST),
without listing all possible applications.
You should extensively test default deny policies on a single host before you apply the policy rules to
production systems. After you have addressed false positives, perform a gradual rollout. Leave a few days
between adding each group of endpoints, to address any new false positives. If good software is being
terminated by ransomware-like behavior rules, approve the application.
Microsoft PowerShell and Python are popular targets for Windows and OSX, but any command interpreter
that can receive code as part of its command line is a potential source of malicious activity. For stronger
protection, consider including path-based rules for script interpreters.
Note: Custom policies supersede objects/hashes added to the company approved or banned lists.
General policy settings
Con gure your policy settings to take certain preventative actions. Use the local scan settings to con gure
associated local scanner settings for the selected policy.
Item Description
Allow user If selected, the Carbon Black Cloud sensor is displayed with a Protection on/o toggle, which lets the end user place the sensor
to disable in bypass mode.This option is grayed out unless you enable Show Sensor UI: Detail message.
protection
The Protection toggle only displays on single-user operating systems. The Protection toggle does not display on terminal servers.
This setting applies to version 2.x and later sensors only. The users' ability to disable protection cannot be removed from 1.0.x
sensors.
Auto-delete This option enables the Carbon Black Cloud to automatically delete known malware after a speci ed period of time. This setting
known applies to macOS sensor version 3.2.2 or later, or Windows sensor version 3.2.1 or later.
malware
after...
Create MD5 Select this option to maintain MD5 hashes in logs. This option has no e ect on the security e cacy of the Carbon Black Cloud.
hash Deselecting this option prevents the Carbon Black Cloud from logging MD5 hashes. For best performance, do not select this
option. This setting applies to version 2.0 and later sensors only. 1.0 sensors always create MD5 hashes.
Delay This option speci es whether the Carbon Black Cloud delays the invocation of an executable until reputation information can be
Execute for retrieved from the backend, if the local scan returns an inde nite result. This is a recommended setting. This setting applies to
Cloud Scan Windows version 2.0 and later sensors only.
Enable Live Select this option to enable Live Response for this policy. This setting applies to version 3.0 and later sensors only.
Response
Enable Script les that have unknown reputations are uploaded unless this option is selected. This option also removes potentially
private sensitive details from the events that are uploaded.
logging
level This includes:
Require Select this option to password-protect the action of uninstalling a sensor from an endpoint. If it is enabled, no user can uninstall
code to a sensor that belongs to this policy without providing a deregistration code. This setting applies to version 3.1 and later sensors
uninstall only.
sensor
Run If selected, the sensor will perform an initial, one-time inventory scan in the background to identify malware les that were pre-
background existing on the endpoint. Using this feature helps increase malware blocking e cacy for les that were pre-existing on the
scan endpoint before the sensor installation.
The standard background scan takes 3-5 days to complete (depending on number of les on the endpoint). It runs in
low-priority mode to consume low system resources. This is the recommended scan.
The expedited scan option takes 24 hours to complete, and is only recommended for testing and emergency incidents.
System performance is a ected. Expedited scanning only applies to Windows sensors version 3.3 and later.
The sensors invoke the background scan one time upon deployment. The current background scan state is logged to
the NT Event Log or syslog together with the "BACKGROUND_SCAN" tag.
Scan If selected, the sensor will scan les on network drives upon EXECUTE. This setting applies to version 2.0 and later sensors only.
execute on 1.0 sensors always scan network drives upon execute.
network
drives
Scan les If selected, the sensor will scan les on network drives upon READ. The default value for this setting is false. For best
on network performance, deselect this setting.
drives
Item Description
Sensor UI: Select this option to show the sensor UI on the endpoint. You can enter a message that displays on the sensor pop-up dialog.
Detail Mail-to links are supported. You can enter HTML markup as part of the text used in the sensor UI. If an HTML hyperlink is
message entered, the protocol (such as HTTP) is used in the link.
Submit Select this option to enable the upload of unknown binaries for Cloud Analysis by Carbon Black and a third-party. This setting
unknown applies to version 3.2 and later sensors only.
binaries for
analysis
Target The selected target value that is associated with this policy. Values are: Low, Medium, High, and Mission Critical.
Value
Use Select this option to set the Carbon Black Cloud as the endpoints' antivirus protection software in conjunction with Windows
Windows Security Center. This setting applies to Windows version 2.10 and later sensors only.
Security
Center
Local scan settings
Con gure local scan settings for a selected policy to enable the local scanner and control signature updates.
Title Description
Normal - Scans new les (exes, dlls, scripts) on the rst execute of that le (determined by hash).
Aggressive - Scans all les on execute. The assigned reputation and policy rules apply.
Frequency - Select how often the sensor checks in for signature pack updates using the speci ed update server.
Staggered Update Randomization Window - Set a random window for staggered updates.
Update Servers for Lets you add update servers for internal devices. You can use the default mirror infrastructure
Internal Devices (http://updates.cdc.carbonblack.io/update) or use the provided eld to enter your own mirror device URL.
Update Servers for Lets you update servers for o site devices. You can use the default mirror infrastructure
O site Devices (http://updates.cdc.carbonblack.io/update) or use the provided eld to enter your own mirror device URL.
Create prevention policy rules
Permission rules
Upload paths
Permission rules
Use permission rules to allow and log behavior, or to have the Carbon Black Cloud bypass a path entirely.
Create permissions rules to set up exclusions for other AV/security products or to remove impediments for
software developers' workstations.
1. Select a policy, then click the Prevention tab and open Permissions.
2. Click Add application path, or click the pencil icon next to an existing rule to edit it.
3. Type the application path in the text box. You can add multiple paths, delete paths or use wildcards.
When adding multiple paths, each path must start on a new line. Do not separate with commas. You
can delete a rule by clicking the trash can icon.
4. Select the desired Operation Attempt and Action attributes, click Con rm, then Save.
Tips:
You can copy a rule from one policy to another policy, or to all policies.
Operating system environmental variables can be used as part of a policy rule in a path. For example:
%WINDIR% .
1. Click a policy, then click the Prevention tab and open Blocking and Isolation.
2. Click Add application path, or click the pencil icon next to an existing rule to edit it. If you are adding
an application path, use wildcards to create exible policy rules. You can add multiple paths separated
by commas. You can delete a rule by clicking the trash can icon.
3. Select the desired Operation Attempt and Action attributes, then click Con rm. If you set the action
to Terminate process, you cannot concurrently deny the operation. Click Save.
1. On the Policies page, click the Prevention tab, and open USB Device Blocking.
2. Turn on blocking by selecting Block access to all unapproved USB devices.
3. Copy the same setting to all policies or a speci c policy by clicking Copy setting to other policies.
Note: USB device blocking is only available for Windows sensors 3.6+.
Upload paths
To deny or allow an upload path
1. Click a policy, then click the Prevention tab and open Uploads at the bottom of the page.
2. Type the application path into one of the text boxes:
No Upload to deny the sensor from sending uploads from the path
You can add multiple paths (each path must start on a new line), use wildcards, or delete paths. Do not
separate with commas.
3. Click Save.
1. On the Policies page, select the Prevention tab, then open Permissions.
2. Select the policy to update, then click Add application path.
3. Enter the AV's recommended le/folder exclusions from the security vendor.
4. Set the operation attempt Performs any operation to Bypass.
5. Click Con rm, then Save.
If you also use other security products, use the following to create exclusions for the Carbon Black Cloud
Endpoint Standard (formerly Defense) sensor:
C:\Program Files\Confer\
C:\ProgramData\CarbonBlack\
C:\Windows\System32\drivers\ctifile.sys
C:\Windows\System32\drivers\ctinet.sys
/Applications/Confer.app/
/var/opt/carbonblack/
/opt/carbonblack/
Note: Some security vendors may require a trailing asterisk (*) to signify all directory contents.
Linux prevention capabilities
The Linux 2.7.0 sensor now supports essential, malware prevention capabilities for RHEL and CentOS 6/7.
See Supported Linux Distributions (https://community.carbonblack.com/t5/Documentation-
Downloads/Carbon-Black-Cloud-sensor-Linux-sensor-support/tac-p/76214#M2251).
Only the Runs or is running operation attempt is actionable on Linux endpoints for these rules. If a policy
includes other selections which are not available for Linux, those selections will only apply to the Windows or
macOS endpoints assigned to the policy.
Known malware
When selected for the policy, the Linux sensor will apply either a Deny operation or Terminate process
policy action, as selected, when a process runs or is running with the reputation of KNOWN_MALWARE.
Hashes can be added to the company banned list manually on the Reputation page, or throughout the
console when the option is provided.
Note: Linux sensor v2.7.0 also supports adding hashes to the company approved list. This can be done
manually on the Reputation page, or throughout the console when the option is provided.
Enable background scan
Background scan is enabled per policy. The background scan runs after initial install according to policy
setting.
1. Click a policy. On the Sensor tab, select the Run background scan box.
2. Click Save.
3. The sensor will perform an initial, one-time inventory scan in the background to identify malware les
that were pre-existing on the endpoint.
Expedited scans takes 24 hours to complete and are only recommended for testing and emergency
incidents as system performance is a ected. Expedited scanning only applies to Windows sensors version
3.3+.
See a list of Windows background scan le types and MacOS background scan le types to identify which
types of les will be scanned by the sensor.
Note: The current background scan state is logged to the NT Event Log or syslog together with the
"BACKGROUND_SCAN" tag. RepMgr logs status on each start and then every 24 hours. Scan completed
status message is “BACKGROUND_SCAN: COMPLETE.”
MacOS background scan le types
The macOS sensor relies on both le magic header detection and le extensions to determine le types to
be scanned by the background scan. Magic header detection is used when a le has no extension or an
arbitrary (obfuscated) extension.
Binary les
Data les
Installer les
Script les
Binary les
Apple executables
Apple driver extensions
Apple dynamic libraries
Windows executables
Windows dynamic libraries
Data les
Adobe PDF
MS O ce
Open O ce
Installer les
Apple installers ( DMG, PKG)
by extension only: Windows MSI les, Android APK installers
Script les
java (class and jar)
Perl
Python
PHP
Ruby
Shell
Applescript
Any other script les with "#!" le header indicating interpreter association
Binary les
Calendar les
Contacts les
Corp les
Data les
Email les
Script les
User les
Binary les
dll
exe
sys
drv
scr
pif
ex_
Calendar les
ics
icbu
cal
ical
wcd
dba
Contacts les
wab
pab
mab
contact
mml
vcf
aba
na2
ldif
abbu
aby
olk
Corp les
pdf
pps
ppsm
ppsx
ppt
pptm
pptx
rtf
swf
xls
xlsx
xlsm (not yet added)
xlsb (not yet added)
dme
frm
ldf
mdb
mdf
myd
myi
ndf
opt
Data les
pdf
Email les
dbx
mbx
ost
pst
snm
toc
edb
oeb
Script les
com
hta
inf
ins
isp
jar
msi
ocx
pl
py
reg
vb
vbe
vbs
ws
wsf
wsh
ps1
ps1xml
psc1
psd1
psm1
User les
tax
iif
Enable WSC integration
Windows Security Center integration
Windows Security Center (WSC) requires Windows devices to have an antivirus provider. The Carbon Black
Cloud is a Microsoft-certi ed antivirus provider for WSC.
You can integrate the Carbon Black Cloud with WSC and designate the Carbon Black Cloud as your antivirus
provider on devices that are running Windows 7 or later operating systems. You must be using a Carbon
Black Cloud sensor version 2.1.0.11+. When enabled, the Carbon Black Cloud is listed as the antivirus
provider on the device.
When creating custom policies, you can manually enable the WSC integration if it is not pre-selected.
Note: End users can disable or enable the WSC integration on their device through Security and
Maintenance in the Control Panel.
Manage reputations
A reputation is the level of trust or distrust that is given to an application. Carbon Black reputations are
based on multiple sources of known good and known bad reputations.
Assign reputations
Reputation reference
Important: VMware Carbon Black is replacing the terms blacklist and whitelist with banned list and
approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.
Assign reputations
Assign a reputation to an application to identify its level of trust or distrust.
1. Click Upload.
2. Expand File Format to see the .csv le format that is allowed.
3. Click Select to browse to the .csv le, then click Upload.
Note: MD5 is not supported. The hash must be in SHA-256 format and requires six or more elds. If a eld is
empty, use the following format where empty elds are denoted by commas:
The required elds must be in the following order: list type, indicator type, indicator value, description,
application name
Note: You can also ban or approve applications on the Investigate or Malware Removal pages.
Reputation reference
A reputation is the level of trust or distrust that is given to an application.
Important: VMware Carbon Black is replacing the terms blacklist and whitelist with banned list and
approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.
Value De nition
ADAPTIVE_WHITE_LIST After analysis, the hash reputation is deemed inconclusively trustworthy. It is not fully vetted and needs additional
(Adaptive approved information to be fully deemed trusted across all organizations.
list)
COMPANY_BLACK_LIST Malicious or unwarranted behavior; the customer manually added a hash to the banned list. Speci c to a selected
(Company banned list) organization.
COMMON_WHITE_LIST After analysis, the hash reputation is deemed trusted across all organizations.
(Common approved
list)
KNOWN_MALWARE Reputation is determined from analytics and intelligence feeds; the hash is Known Malware.
(Known malware)
NOT_LISTED (Not The sensor requested reputation from the backend, but the backend does not have the hash on any internal lists.
Listed) Typically this means the hash is new. No information is available to determine the reputation from analytics and
intelligence feeds. This reputation helps protect against zero-day malware and is frequently assigned to new
hashes/updated applications.
PUP (Potentially Reputation is determined from analytics and intelligence feeds; the application or hash is a PUP such as adware or
Unwanted Program) popups.
SUSPECT_MALWARE Reputation is determined from analytics and intelligence feeds; the application or hash is Suspect Malware.
(Suspect Malware)
TRUSTED_WHITE_LIST Reputation is determined from analytics and intelligence feeds; the hash is Known Good as determined by the
(Trusted approved list) Carbon Black Cloud and/or the Carbon Black Cloud Sensor.
UNKNOWN The sensor has not yet sent the reputation request. Typically this means that the sensor cannot reach the backend.
About adding to approved list
Adding to the approved list approves the presence and actions of speci ed applications. Adding to the
approvd list is "global" in its e ects and applies to all policies attached to a particular version of an
application.
To approve the presence and actions of an application only on a speci c device, use permission rules
instead.
Tip: Routinely update your approved applications to account for new versions. Permission rules do not need
to be updated as the permission is added by path or application name.
Minimized performance impact when IT tools drop large amounts of new code that are immediately
executed.
For IT tools, no interference with new code execution. The dropped code is not blocked, even with
stricter preventative policy rules in place.
For certs, no blocking on initial execution of les signed with speci c certi cates.
Adding to the approved list is not absolute in order to prevent exploitation. Deferred analysis of new
code occurs in the background as it executes. If les are known malware, con gured policy
enforcement rules act on them after initial execution.
Tip: Use adding to the approved list for use cases such as: software deployment tools, executable installers,
IDEs, compilers, or script editors, etc.
Company Black
Company White
Known Malware
PUP Malware
Suspect Malware
Trusted White
Using wildcards
When adding the path, you can use wildcards to target certain les or directories. Be as speci c as possible
when approving certs as using wildcards can lead to incidentally approving malicious software that appears
to be signed by a trusted certi cate authority.
Wildcard Description Example
Approve certs
Adding a speci c application to your company approved list can help eliminate unwanted alerts or lower the
relative threat level for such alerts. Learn more about adding to approved list, when to use it, and how it
di ers from permission rules.
Approve IT tools
Approve IT tools to assign an initial elevated trust to code that is dropped by known IT tools.
To approve IT tools
If selected, les dropped by child processes of the IT tool that is de ned in the Path eld also receive
the initial trust. This is useful when IT tools create a child process to delegate work to, and the child
process represents a generic executable, such as a copy command.
Approve certs
Approve certs to assign an initial elevated trust to signed code by speci c trusted certi cates. To use this
functionality, a le must be signed and veri ed by a valid certi cate and the certi cate subject and authority
must be con gured in the Cert rule.
Note: Certs added to the approved list are assigned the LOCAL_WHITE reputation and are not stalled for
static analysis or cloud reputation as they are executed.
Malware removal
Use the reputation of an application to identify malware. Look for applications with the KNOWN_MALWARE,
SUSPECT_MALWARE, or PUP reputations.
All historical malware data from the past six months displays on the Malware Removal page under the
Detected or Deleted tabs. When an item is added to the company approved list, company banned list, or its
reputation is overridden, the item will be removed from the Malware Removal page.
Detected malware
Malware can exist on an endpoint even if the malware is prevented from running. This tab displays all les
scanned and classi ed as KNOWN_MALWARE. Search for speci c malware by hash or lename using the
Search box.
If you are unable to nd the hash on this page, you can delete the le by searching for the hash on the
Investigate page and clicking the Take Action button on the appropriate event.
After the policy setting is enabled, all new, executable malware is deleted at the end of the selected time
frame. Auto-delete does not delete les that are signed by Microsoft, Carbon Black les, or les that have
had their hashes changed.
Deleted malware
After malware is deleted, it is removed from the Detected tab and moved to the Deleted tab. If you attempt
to delete a le that has any reputation other than KNOWN_MALWARE, you must con rm the deletion twice.
All deleted malware les are permanent and cannot be restored.
Use the audit log to see deleted malware, malware scheduled for deletion, and admin actions. Search the
Audit Log for the hash you requested deletion of to see other events associated with the hash.
Cloud Analysis
You can help improve security e cacy by enabling additional analysis of unknown binaries by a third-party
partner. The local scanner must be turned on and you must be using sensor version 3.2 or above.
Important: If you opt in to this functionality, the binary les (including the content of the les) are uploaded
to Carbon Black for analysis. Carbon Black uses a third-party vendor, Avira Operations GmbH & Co. KG
("Avira"), as a sub-processor to assist with the threat analysis. The binary les are sent to Avira’s network.
Avira only processes the data to meet Carbon Black’s obligations under the applicable agreement and for no
other purpose. Avira has implemented appropriate security and operational methods that are designed to
secure the data, and will comply with all applicable data privacy laws when processing the data. The
information will be processed by Avira in their US or EU data centers. In the course of using the services, you
shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and
intellectual property ownership or right to use and transfer to Carbon Black all such data. You can view
Carbon Black’s privacy policy at https://www.carbonblack.com/privacy-policy/
(https://www.carbonblack.com/privacy-policy/) (which is modi ed by Carbon Black from time to time).
Endpoints
Overview
A Carbon Black Cloud sensor is installed on every endpoint that the Carbon Black Cloud protects. The sensor
communicates with Carbon Black analytics and the Carbon Black Cloud console.
On the Endpoints tab, view the current status of your organization's endpoint sensors.
On the Sensor Update Status tab, view the progress and results of updated sensors.
Organize your sensors into groups and view the status and details of sensors.
Access and use Live Response to perform remote investigations and remediate threats.
Sensor Management
Install Sensors
Install the Carbon Black Cloud sensor on the devices in your organization.
Update Sensors
Update sensors to their newest versions to ensure you have access to the latest features and improvements.
Uninstall Sensors
Uninstall sensors and require a code to uninstall sensors to prevent unwanted uninstalls and sensor
tampering.
If a sensor is not a member of a sensor group, and was manually assigned a policy, it is listed as Manually
assigned. If the sensor metadata does not match any group criteria, it is listed as Unassigned.
Sensor status
The Status column is used to indicate the state of a sensor's installation or activeness, as well as any admin
actions taken on the sensor. As such, this column may contain multiple icons to indicate the state of a
sensor.
Installation/Active states
Active: Sensors have checked in within the last 30 days
Deregistered: Sensors have been deregistered or uninstalled; they will persist on the Endpoints page
in this status until removed
Eligible for update: Sensors can be updated to the most current, available sensor version
Pending: Sensors have not yet been installed following an installation request email sent to a user
Quarantine: Sensors have been put into Quarantine mode and are isolated from the network to
mitigate spread of potentailly malicious activity
User column
The User column displays certain user data based on OS and sensor version:
macOS 3.3.2+ versions display last active user logged in on the device
Windows 3.5+ versions display the last active user logged in every 8 hours; if there is no interactive
user logged in within the 8 hour window, you may get a non interactive user name such as “Windows
Manager\DWM-2”
All other previous macOS and Windows versions display the user who installed the sensor
All Linux versions are intentionally left blank, as multiple, simulatenous logged-in users and desktop
users are possible
View and update signature versions
The status of each sensor signature version is displayed in the Sig column. This feature is not available for
macOS or Linux sensors.
Con gure local scan settings from the Local Scan tab on the Policies page to enable automatic updates for
sensor signature versions. Local scan settings are only supported by Windows sensor versions 2.x+.
Circle: Signature version is currently in date. Sigs display as in date if the signature version installed is
released within 7 days of the current date.
Triangle: Signature version is out of date. Sigs display as out of date if the signature version installed
has not been released within 7 days of the current date.
Square: Signature version is not yet reported or unidenti able. Sigs may display as not yet reported if
local scan is not con gured or if the sensor encountered an error after local scan was con gured, such
as a connectivity issue.
Create sensor groups
Create sensor groups to apply policy settings across several sensors at once. New endpoints in a sensor
group will automatically be protected by the policy associated with that sensor group.
New sensors are automatically assigned to a single policy based on the metadata that is associated with the
sensor and the criteria that you de ne. If a sensor does not match the criteria of an existing sensor group, it
will be automatically assigned to the Standard policy.
Sensor groups and auto-assign are only available for Windows v3.1+, macOS v3.2+, and Linux v2.5+ sensor
versions.
Note: When setting subnet criteria for sensor groups, CIDR notation is not supported.
Note: Only sensors that match all of the criteria of a sensor group are added to that group; therefore,
sensor group assignments are not permanent. If a sensor no longer meets a group's criteria, it will be moved
to another group it matches or be assigned the Standard policy. You can change the match all criteria
setting by clicking the dropdown menu for the relevant sensors and enabling an OR condition or changing
the all setting to any.
Use Live Response
Use Live Response to perform remote investigations, contain ongoing attacks, and remediate threats using a
command line interface.
Initiate a session
End a session
Note: You can also disable Live Response during a command line sensor installation by using the
DISABLE_LIVE_RESPONSE option.
1. Click Endpoints and select the sensor. You can also initiate a Live Response session on the Alerts, Alert
Triage, and Investigate pages.
2. In the Take Action column, click the >_ to start a Live Response session. On other pages, click the Take
Action button to select the start a Live Response session option.
3. Click in the command window area and type the help command to view a list of available commands
or use the Live Response commands reference. Type help commandname to get help about a speci c
command.
Note: If more than one user submits a command through the session at approximately the same time, each
command must nish executing before the next one can begin. One user can undo or otherwise modify
what another user is doing.
Green: The sensor is connected and a session is established. The host name for the endpoint displays.
Yellow: The CB backend is waiting for the sensor to check in, or no endpoint is connected because no
session is attached.
Red: A session cannot be established with the sensor because the endpoint is o ine, the sensor is
disabled, or the sensor version does not support Live Response.
Click End my session to leave your session. Other users attached to the session will remain until the
session is terminated.
Enter command detach to leave your session. Other users attached to the session will remain until
the session is terminated.
Enter command detach -q to terminate the session. Any other users attached to the session will also
be detached.
cd [dir] Change the current working directory. Options include absolute, relative, drive-speci c, and network share paths.
clear Clear the console screen; you can also use the cls command for this purpose.
delete [path] Delete the le speci ed in the path argument. The le is permanently deleted; it is not sent to the Recycle Bin.
detach Detach from the current Live Response session. If a session has no attachments, it remains live until it times out ( ve minutes
by default). The same action is performed by the End my session button.
detach -q Terminate the current Live Response session. If a session has other users attached, these users will also be detached from the
session.
drives List the drives on the remote endpoint. This is for Windows only.
exec Execute a background process speci ed in the processpath argument on the current remote endpoint. By default, process
[processpath] execution returns immediately and output is to stdout and stderr.
exec -o output le processpath: Redirect the process output to the speci ed remote le, which you can
download.
You can combine the options as shown in the following example to execute and capture the output from a script:
exec -o c:\output.txt -w
c:\scripts\some_script.cmd
You must provide the full path to the process for the processpath argument.
c:\windows\system32\notepad.exe
execfg Execute a process on the current remote endpoint and return stdout/stderr.
execfg -o: Write temporary command output to remote le. Launch a process on the remote endpoint, wait for it to
complete and return stdout/stderr. Use the -o to write stdout and stderr content to a speci c le before returning it
to the Live Response session.
get [path] Obtain the le that is speci ed in the path argument from the remote endpoint and download it to the local endpoint.
help Show the Live Response session commands with a brief description of each. If a command name is added, show the
description of the speci ed command, with additional details (such as options) if available.
memdump Take a full system memory dump and store it to the given le path, which must include a le name.
[ lepath]
Memory dumps can take several minutes, and an (*) icon in the Live Response window indicates that it is still in progress. This
is for Windows only.
Analysis information for a newly discovered process might not yet be fully committed to the Carbon Black Cloud database and
therefore not viewable.
put Put a le from the local endpoint onto the remote endpoint at the speci ed path. You specify the le in the Open dialog of the
[remotepath] browser, after the command is entered in Live Response.
reg View or modify Windows registry settings (Windows endpoints only). The syntax of this command is:
This method is useful when you have a small number of sensors to install, or when software distribution
tools are not available.
Notes:
This method is not available for Linux sensors; use command line installation instead.
With the release of the Windows 3.6 sensor, you can supply either the installation code or the
company code to install the sensor.
1. Notify end users that they will receive an installation request email from noreply@carbonblack.com.
See our sample email template below.
2. Click Sensor Options in the top right, then Send installation request.
3. Enter the end users’ email addresses, then click Send. End users must have administrative privileges on
their own endpoint to install the sensor.
4. In the email, end users will click on the appropriate OS installer link to download the sensor.
5. When prompted during installation, end users will enter the Activation Code included in the email. This
code expires in 7 days.
Note: If a user's installation code has expired, you can select the sensor from the table, click Take Action,
and then Send new installation code.
Hello,
You'll receive an email from noreply@carbonblack.com inviting you to install a Carbon Black Cloud sensor on your endpoint device. If you don’t see this
email, please check your junk folder.
Click on the appropriate installer link for your operating system to install the sensor. If you're using a Windows OS, we recommend that you select the
[32/64] bit option.
During installation, you’ll be asked to input the Activation Code included in the email. We recommend that you copy and paste this code into a plain text
editor, then copy and paste it into the installer. The code will expire in one week.
Update selected sensors in console
Update sensors on selected endpoints through the Carbon Black Cloud console.
After initiating updates to sensors, you can view the progress of the updates on the Sensor Update Status
tab on the Endpoints page.
1. Update a sensor by double-clicking the new installer package, by issuing a command on the command
line, or by pushing the command line script through a tool like SCCM. Standard command line options
are applicable. Note that the command line options from the rst install persist across upgrades. See
Update sensors on command line.
2. Reinstall sensors using either installation method:
Send an installation request email via the console
Install sensors on command line
Important: If you are upgrading to the Windows 3.6 sensor, see Con gure a rewall.
Updating sensors
You can select up to 10,000 sensors to update at one time. After you initiate sensor updates, the selected
sensors receive the message to update the next time they check in with the Carbon Black Cloud backend.
The system allows up to 200 concurrent updates. When an individual sensor completes its update process, a
new sensor is signaled to start its update.
1. On the Endpoints page, select the box next to the sensor(s) you want to update.
2. Click Take Action, then Update Sensors.
3. Con rm the number of sensors you wish to update.
4. Select the desired sensor version from the Version dropdown menu associated with the endpoints'
operating systems.
5. Select the checkbox to acknowledge that devices might be rebooted, then click Update.
View status of sensor updates
After initiating sensor updates, view the progress of your updates on this tab.
You can select up to 10,000 sensors to update at one time. After you initiate sensor updates, the selected
sensors receive the message to update the next time they check in with the Carbon Black Cloud backend.
Up to 200 sensor update entries will appear on the page. View the Audit Log for a record of all sensor
updates.
1. Update sensors on selected endpoints through the Carbon Black Cloud console. See Update sensors in
console.
2. Reinstall sensors using either installation method:
Send an installation request email via the console
Install sensors on command line
3. Update a sensor by double-clicking the new installer package, by issuing a command on the command
line, or by pushing the command line script through a tool like SCCM. Standard command line options
are applicable. Note that the command line options from the rst install persist across upgrades. See
Update sensors on command line.
The system allows up to 500 individual sensors to concurrently begin the update process. Each individual
sensor that is hinted to begin its update process is counted as part of the 500 limit. When an individual
sensor completes its update process sucessfully, or returns an error, a new sensor is hinted to start its
update process.
To stop a processing or pending update request, click the Stop icon in the Actions column.
Note: The completion of large update requests may be delayed if subsequent, smaller requests follow. Of
the 500 concurrent sensors available to update at a time, sensors from smaller requests are given priority
for update over sensors from larger, processing requests.
Note: Processing updates will automatically time out after two weeks. Time outs will occur even if the sensor
has been hinted for an update, but the sensor has not successfully completed the update. Typically, sensors
that have not updated due to a time out will show the "Sensor unresponsive" error, indicating the sensor
could not be reached for update within the two week period.
Export Results
In the Actions column, click the Export icon to download a CSV le of any "Completed" or "Stopped" update
request.
Use the CSV le to view the full results of updates, including updates with greater than 500 sensors. The le
contains useful information about your updates, including the Device IDs of all requested sensors, their
initial and updated sensor versions, and the reason for any update failure.
If an update contains failures, click the caret on the left of the row in the table to view a summary of failure
reasons. Sensors may fail due to:
Sensor unresponsive: The sensor was o ine or failed to check in with the system during the
timeframe of the update
No sensor found: The sensor could not be found. This is mostly likely due to a sensor having been
deregistered
Update stopped by user: The update request was stopped by a user in the console before the sensor
could update
Update error: The sensor failed to upgrade to the targeted version
Column Description
Completed The date and time of the nished update; an update can show in this status even if it contains both successful and failed sensor
updates.
Status The progress of a sensor update. The status of an update can be: Pending, Processing, Completed, or Stopped.
Updated The number of successfully updated sensors; this number will change as more sensors are successfully updated, until the update
has completed or been stopped.
Errors The number of sensors that have failed to update; this number will change as more sensors fail to update, until the request has
completed or been stopped.
When updates are completed or stopped, click the Export icon to download a CSV le to view the full results of the update
request.
Uninstall sensors
Uninstalled sensors will persist on the Endpoints page in the Carbon Black Cloud as a deregistered device
until manually or automatically removed. You can restrict the action of uninstalling sensors by requiring a
unique, randomly-generated code.
1. Filter the list of sensors to show only deregistered sensors, then select the sensors to delete.
2. Click Take Action, then Delete deregistered devices.
3. Automatically remove deregistered devices by clicking Sensor Options, Sensor settings, then Auto-
delete registered sensors. Set the speci ed time frame, then click Save.
Require uninstall sensor code
We recommend requiring a randomly-generated code to restrict uninstalling sensors. To prevent unwanted
uninstalls and malware from tampering with sensor connectivity, enable this setting for each policy. Note:
You must have v3.1+ sensors to enable this setting.
You can also generate a company deregistration code to uninstall any sensor in your organization.
Note: Only macOS and Windows sensors can be uninstalled with a company deregistration code. Uninstall
Linux sensors by using the command line.
Warning: The company deregistration code can be used to uninstall all sensors in your organization. If you
do not want a single code that can be used across your organization, do not generate the company
deregistration code.
Workspace ONE
Visit VMware Docs - VMware Workspace ONE UEM (https://docs.vmware.com/en/VMware-Workspace-ONE-
UEM/index.html) for comprehensive documentation about con guration and set up.
Approvals are global and blocking is enabled by policy. First approve USB devices and then block access to
all unapproved devices on the Policies page. This ensures that any device that has not been approved by you
will be blocked.
You can approve devices on the USB Devices tab as well as the Approvals tab. On the USB Devices tab, you
can approve either multiple detected devices or a single device. On the Approvals tab, you can upload a CSV
le to add multiple devices, create approvals for vendors and products, or approve a speci c device.
Vendor and product IDs are device-generated 16-bit hexadecimal numbers (e.g., 0xC123) used to identify
USB devices. You’ll need these IDs to approve vendors and products, and a serial number to create a speci c
approval.
1. Select multiple devices and click Approve to create approvals for multiple USB devices.
2. Click Approve under the Approval Status column to approve a speci c USB device.
3. Device information like Vendor ID, Product ID, and Serial Number will be pre- lled for a USB device
detected in your environment. Add Additional Details like name of approval and notes.
4. Click Save to add approval.
5. Once saved, the Approval Status will change to Approved, and you can view the approval under the
Approvals tab.
1. Click Add Approval to create an approval for a device type or or speci c device.
2. Add new Vendor and Product IDs, or select from IDs detected in your environment. Add Additional
Details like name of approval and notes.
3. To create a speci c approval, also include the Serial Number.
4. Click Save to add approval.
Once you approve the USB devices, enable blocking of unapproved devices on the Policies page. All devices
are allowed until blocking is enabled.
1. On the Policies page, click the Prevention tab, and open USB Device Blocking.
2. Turn on blocking by selecting Block access to all unapproved USB devices.
3. To apply the same setting to all policies or a speci c set of policies, click Copy setting to other policies.
1. On the Alerts page, lter results by selecting USB Device Control in the Type lter.
2. Double-click an alert or click the > to the right of the Actions column to view the expanded right-side
panel. In this panel, view device details like vendor ID, product ID, and serial number.
3. Click Approve and approve a blocked USB device, or go to the USB Devices Inventory page to view all
devices detected in your environment.
General Settings
De ne the boundaries of your organization’s premises to determine which endpoints are on- or o -premises
at the time of an event. Set the required registry key for compatibility with a Windows update.
De ne premises
The device has a relevant Fully Quali ed Domain Name (FQDN) registered on the network adapter.
A home network or remote network device has a matching FQDN or IP address in Reachable Hosts.
This means the device is considered on-premises when it is actually o -premises.
To de ne premises
Note: A device can only be de ned as as o -premises by excluding it from the DNS Su x or Reachable Host
lists.
Set registry key for Windows updates
Carbon Black o ers a way to set the required registry key for compatibility with a Windows update. See
Windows KB 4072699 (https://support.microsoft.com/en-us/help/4072699/windows-security-updates-and-
antivirus-software).
Key="HKEY_LOCAL_MACHINE"Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"
Note: Any user who has administrator rights on the endpoint can manually delete the registry key. Microsoft
recommends that the key not be changed or deleted after it is created.
Manage Users
Overview
Users added from this page will be given access to the Carbon Black Cloud console.
Every console user is assigned to a role. Roles contain varying sets of permissions which dictate the views
and actions available to a user.
Explore pre-de ned roles or create a custom role on the Roles page.
Manage Users
1. In the Actions column, click Edit in the row of the user you want to modify.
2. Make edits as necessary, then click Save.
Delete a user
1. In the Actions column, click the X icon in the row of the user you want to delete.
2. In the con rmation modal, click Delete.
You can also create a to create new roles with speci c permission levels. Reference the user role permission
descriptions for additional detail when creating custom roles.
Note: Legacy user roles are still available for selection, but will be phased out over time.
About built-in user roles
The Carbon Black Cloud console comes with six pre-de ned, built-in roles to assign to your users.
Note: Legacy user roles are still available for selection, but will be phased out over time.
View All
Users can view pages, export data, and add notes and tags. Suited for new users or users in an oversight
capacity.
Permissions include:
Analyst 1
Users monitor, investigate, and respond to potential threats. Users can also triage alerts and place devices in
or out of quarantine.
Permissions include:
Analyst 2
Users monitor, investigate, and respond to potential threats. Users can also e ect change on endpoints via
Live Response, le deletion, and quarantine.
Analyst 3
Users monitor, investigate, and respond to potential threats. Users can also use Live Response and manage
application reputations and certs.
Approve/Ban applications
System Admin
Users are responsible for daily admin activities including adding users, managing sensors, and enabling
bypass. Users in this role cannot access Live Reponse, or make global changes, such as modifying policies,
API keys, and reputations.
Super Admin
Users have all permissions, including console setup and con guration. Super Admins are the only users who
can manage policies, API keys, and sensor group rules.
Note: Roles with Live Response permissions do not automatically have the permissions to view or create
Live Response API keys. These permissions are separate and can be added when creating a custom role.
Legacy User Roles
Legacy user roles are still available for selection, but will be phased out over time.
View only: View alerts; cannot take action on alerts. Some components are hidden from view-only
users.
Administrator: Full administrative rights; can view and take action on alerts.
Live Response Administrator: Full administrator rights; can view and take action on alerts, and use
Live Response to remediate issues on endpoints. (Only Live Response Administrators can add new
Live Response Administrators.)
Enable two-factor authentication
We recommend that you enable DUO or Google two-factor authentication (2FA) to add an extra layer of
security to your organization.
As a best practice, open a second tab after logging into the console to make changes to 2FA settings.
Note: You must have at least two users registered in the Carbon Black Cloud console to enable 2FA.
mail: Email
SAML_SUBJECT: SAML_SUBJECT
a. For the mail eld, click Advanced, enter the following elds, then click Save: NameFormat:
urn:oasis:names:to:SAML:2.0:attrname-format:basic Attribute Mapping: mail = Email
b. For the SAML subject eld, click Advanced, enter the following elds, then click Save:
NameFormat: urn:oasis:names:to:SAML:2.0:nameid-format:transient Attribute Mapping:
SAML_SUBJECT = SAML_SUBJECT
d. In the Review Setup section, copy the SAML signing certi cate and paste it into the Carbon
Black Cloud SAML Con g page. Copy the SSO URL and paste it into the Carbon Black Cloud SAML
Con g page. If your PingOne account email does not match your Carbon Black Cloud user email,
con gure your PingOne email login account on the Users tab.
6. On the Carbon Black Cloud SAML Con g page, click Save, then open a new browser tab or window and
verify SAML Authentication.
Every Carbon Black Cloud console user is assigned to a role. Roles contain varying sets of permissions which
dictate the views and actions available to a user. Assign roles to your console users from the Users page.
The console comes with six pre-de ned, built-in roles to choose from. Click the caret next to a role name in
the table to view the permissions associated with each role.
Manage Roles
Tip: Click the Duplicate icon next to role in the table to make a copy of that role. Use copied roles to easily
make minor adjustments to existing roles.
Modify a role
1. In the Actions column, click the Pencil icon in the row of the role you want to modify.
2. Make edits as necessary, then click Save.
Delete a role
Built-in user roles and custom roles actively assigned to users cannot be deleted. To delete a custom role,
you must rst reassign users connected to that role to a new role.
1. In the Actions column, click the X icon in the row of the role you want to delete.
2. In the con rmation modal, click Delete.
Export/Download roles
In the Actions column, click the Export icon to download a JSON le of a custom role. Use downloaded les
to archive or audit changes made to custom roles.
Permissions Matrix
Alerts View Analyst Analyst Analyst System Super
All 1 2 3 Admin Admin
Dismiss Alerts X X X X
Manage Watchlists X X
View Watchlists X X X X X X
Manage Enforcement X
Bypass X X
Background Scan X X X X
Manage Devices X X
Quarantine X X X X
Conduct Investigations X X X X X X
Manage Roles X
Manage Users X X X X X
View Users X X X X X X
Manage Policies X
View Policies X X X X X X
Delete Files X X X
View Reputations X X X X X X
Manage Workloads X X
View Workloads X X X X X X
Roles Permission Descriptions
Alerts Description
Manage Alerts, Notes, and Add, edit, and delete alerts, notes, and tags.
Tags
View Alerts, Notes, and Tags View and search alerts, notes, and tags.
View Noti cations Access and view content on Noti cations page.
View API Keys Access and view content on API Access page.
Appliances Description
Register workload appliances Register the Carbon Black Cloud (CBC) workload appliance and send the workload inventory data on the
and send workload assets to Workloads > VMs without Sensors page. You must have appliance credentials to register the appliance with
CBC CBC.
View Appliance Details After registration of the Carbon Black Cloud workload appliance, view the appliance details on the API Access >
API Keys page.
Manage Third Party Enable or disable reports and IOCs from watchlists curated by Carbon Black and third parties.
Watchlists
Manage Watchlists Add, edit, and delete custom watchlists, related reports, and IOCs. Subscribe and unsubscribe from watchlists
curated by Carbon Black and third parties.
View Third Party Watchlists View all watchlists; custom and curated by Carbon Black and third parties.
View Watchlists View the Watchlists page and all available watchlists.
Manage Enforcement Turn on/o blocking on the Policies page. “Manage Policies” is required to change policy settings.
Manage External Devices Review external devices, create approvals for speci c or multiple USB devices, and manage approvals.
View External Devices View USB Devices page and all the detected external devices.
Deregister and Delete Manage deregistration and uninstall settings for sensors.
Sensors
Get and Delete a Hash from Upload and delete a hash from devices.
Speci ed Devices
Manage Devices Add and delete device owners; send activation codes; update sensors and signature versions.
Alerts Description
View Device Info and Sensor View device and sensor group information.
Groups
Investigate Description
Export Event Data Export event data from Investigate page to a CSV.
Use Live Query Use all Live Query capabilities. Create, execute, and view query results.
Use Live Response Use all Live Response capabilities. Initiate sessions and perform actions on enabled endpoints. Requires the
"View Live Response" permission.
View Live Response Access and view content on the Live Response page. Requires the "Use Live Response" permission.
Con gure 2FA and SAML Add, edit, and delete two-factor authentication and SAML settings.
Manage Org Information and Create organization settings; set registry key and reset company registration codes.
Codes
Manage Users Add, edit, and delete console users; assign roles to users.
View and Export Audit Logs View and search audit logs; export audit log data to CSV.
View 2FA and SAML View two-factor authentication and SAML settings.
View Org Information and View organization settings, registry key, and company registration codes.
Codes
Manage Reputations and Add, edit, and delete reputations; con gure auto banned list settings.
Auto-Banned List
Alerts Description
View Reputations View and search reputations; view auto banned list settings.
View and Export Vulnerability View and export vulnerability data to a CSV.
Data
Request Updated Refresh the Vulnerabilities page to get the latest data.
Vulnerability Data
View Workloads Access and view workload inventory data on the Workloads > VMs without Sensors page.
Manage noti cations
Noti cations are generated based on the detection of an alert or policy action. You can con gure
noti cations to get emails sent to individuals or to connected systems via API keys.
Add: click Add Noti cation, select noti cation type, then click Add.
Tip: Select the box next to Send only 1 email noti cation for each threat type per day to reduce the
number of emails that you receive.
Alert includes speci c TTPs: Noti es you if an alert exhibits speci c TTPs. You can search and select
multiple TTPs.
Policy action is enforced: Noti es you if a policy action is enforced. These noti cations can be
con gured based on the action taken by the policy and will notify you when an application, process, or
network connection has been terminated or denied based on policy rules.
Note: If you have set up both a TTP-based noti cation and a threat score-based noti cation, you may
receive two emails for the same alert. Email addresses must be associated with registered Carbon Black
Cloud console users.
API Access
Carbon Black’s Open API platform enables you to integrate with a variety of security products, including
SIEMs, ticket tracking systems, and your own custom scripts.
Use pre-built API keys to integrate with SIEMs through Syslog, directly with Splunk via a Splunk add-on, or
integrate with IBM QRadar through a QRadar app.
SIEM API Keys can only receive noti cations through the noti cations API. Use a SIEM API Key to
con gure the Splunk add-on, QRadar app, or the Syslog API Key.
API Keys can call any API except for the noti cations and Live Response API. Live Response API Keys
can call any API except for the noti cations API.
API Keys inherit the permissions that are available to the user. Treat the API ID and API secret keys on
the API Access page the same as your Carbon Black Cloud console login password.
Edit: Click the Edit button next to the API Key, make the appropriate changes, then click Save. The
access level of an API KEY cannot be changed; a new API Key must be created.
Delete: Click the dropdown arrow in the Actions column, then click Delete.
Select a timeframe from the dropdown to see all noti cations sent to the API Key within that window.
1. Note the API ID of the API Key you would like to delete.
2. Click Settings in the left-side navigation, then click Noti cations.
3. Find the API ID in the Subscribers column. Delete all associated noti cation rules. This should enable
you to successfully delete the API Key on the API Access page.
API Credentials
View the API ID and the API Secret Key of the API Key.
If credentials are compromised for an API Key, regenerate the API Secret Key.
1. Click Generate new API secret key in the API Credentials modal.
2. When prompted to con rm generation for the new key, click the Generate arrow icon.
3. The API Secret Key must be re-entered in the integration to take e ect.
Access Levels
Access levels o er the ability to create custom levels of access for your integrations with other security
products. Create custom access levels with speci c, granular permissions to apply to an API key.
Note: Selecting a user role for an API key should only be used for testing purposes. User roles may contain
unversioned APIs. To see all currently supported and versioned APIs, visit the Carbon Black Developer
Network (https://developer.carbonblack.com/reference/cb-defense/).
Download pre-built API Keys
Pre-built API Keys are available for download. Sample API scripts are available to help you create your own
integrations.
The CB Defense add-on for Splunk pulls noti cations from the Carbon Black Cloud into your Splunk
SIEM. https://splunkbase.splunk.com/app/3545/#/details
(https://splunkbase.splunk.com/app/3545/#/details).
The CB Defense App for Splunk provides two-way integration between Carbon Black Cloud and
Splunk, including interactive dashboards and API connectivity. See
https://splunkbase.splunk.com/app/3905/#/details
(https://splunkbase.splunk.com/app/3905/#/details). The CB Defense Add-On is required before
installing the CB Defense App.
QRadar integration
Carbon Black provides a pre-built Syslog integration to push CB Defense noti cations into other SIEMs
that accept CEF or JSON style syslog input. See https://developer.carbonblack.com/reference/cb-
defense/connectors/#cb-defense-syslog-connector (https://developer.carbonblack.com/reference/cb-
defense/connectors/#cb-defense-syslog-connector).
The cbapi Python module provides an easy-to-use Python interface to Carbon Black Cloud APIs. The
cbapi module is documented at https://cbapi.readthedocs.io (https://cbapi.readthedocs.io) and source
code, including example scripts, are available at https://github.com/carbonblack/cbapi-python
(https://github.com/carbonblack/cbapi-python).
To ask questions or interact with others who are using the APIs, visit the Developer Relations space on
the User eXchange at https://community.carbonblack.com/community/resources/developer-relations
(https://community.carbonblack.com/community/resources/developer-relations).
Inbox
View the status of sensor-related actions taken on your endpoints and hashes and access uploaded les.
When a request to upload a le from an endpoint to the console has been completed, the le will be
available for download from this page.
Subtypes
Items in your inbox are categorized by the type of request that is sent to the sensor.
Bypass: Request to enable "bypass" mode; all policy enforcement on the endpoint is disabled
Quarantine: Request to enable "quarantine" mode; isolate an endpoint from the network to mitigate
spread of malicious activity
Delete Hash: Request to delete an application/ le by hash
Upload Hash: Request to upload an application/ le by hash to the console
Kill Switch: Request to terminate a live response session
Background Scan: Request to initiate a background scan
Note: Bypass and Quarantine subtype requests will show either On or O in the Action column to indicate
whether the mode is being enabled or disabled on the endpoint.
Status
The Status of a Subtype request indicates the last known status of the request received from the sensor.
Triggered: The request is submitted through the console, but not yet received by the sensor
Sent to sensor: The request has been received by the sensor; typically occurs once the sensor has
checked into the cloud
Success: The request has been completed by the sensor; requested les are available for download
Error: The request has failed
This option is available in certain locations across the console by clicking the Take Action button on an
application and selecting Request Upload. The request will populate on the Inbox page.
When the le is available for download, click the Download icon next to the le name. Uploaded les expire
after two weeks. Attempting to download an expired le will result in a timeout error.
Note: Not all les are compatible with upload requests. See the list of upload le restrictions.
Manual upload le restrictions
The following le restrictions apply to manual le uploads.
Windows
Windows does not restrict uploading of script les when Private Logging Level is enabled in the policy.
Windows les that have the following le extensions can be uploaded for analysis:
.exe
.dll
.sys
.ocx
.drv
.scr
.pif
.ex_
.msi
.vb
.vbs
.jar
macOS
MacOS scripts are not uploaded if Private Logging Level is enabled in the policy. If Allow Executable
Uploads for Scans is not selected, all script uploads are disabled regardless of type.
To increase or decrease the level of granularity of log entries, choose from the three available log views.
Flagged: View entries agged as important, such as failed login attempts and locked accounts.
Standard: View all actions performed by console users, including actions taken on policies, sensor
groups, alerts, etc. Includes all entries shown in the Flagged view.
Verbose: View all audit log entries in the given time frame, including all page loads. Includes all entries
shown in the Flagged and Standard views.
To expand the scope of your search, choose an option from the time frame dropdown to view entries
speci cally during that period.
Select Custom to create your own time frame
Select All available to display data from the last 13 months, if available