Enabling the Carbon Black App Control Connector adds an External Notifications page to the console.

This page is a table of notifications from network security devices and services. Each row in the table includes key information such as file hashes and source IP addresses. If the file or computer referenced in a notification is also in Carbon Black App Control endpoint data, that data can be correlated with the notification.

In addition to notifications, this page shows an error message if there is a problem receiving notifications from any of the configured connected devices or services.

Notifications from Palo Alto Networks are pre-filtered to eliminate those not likely to be of interest for security analysis purposes. If a Threat Log notification has a Severity equal to “informational”, “low”, or “medium”, by default it is not included in the notifications that are delivered to the Carbon Black App Control Server. WildFire Log notifications with a Category of “benign” are filtered out by default.

A daily check is done on the total number of notifications from all sources. If the daily check finds that this number is excessive, the oldest notifications in the logs are trimmed. The number of notifications can exceed the limit by a considerable amount before trimming is scheduled, such as when notifications are first enabled.

In addition to trimming notifications after they reach a numeric limit, the server deletes notifications past a maximum age. Initially, the numeric limit is 200,000 notifications and the age limit is six months. These limits may be modified in the future.
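The default Palo Alto Networks pre-filter and the retention limits described above, as an added Python example (not the connector's own code): the record fields, the pass-through of unknown log types, and the 182-day approximation of six months are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample notifications; field names are assumptions, not the connector's schema.
SAMPLE = [
    {"id": 1, "log": "threat",   "severity": "high",          "category": None,        "time": "2024-01-10T08:00:00Z"},
    {"id": 2, "log": "threat",   "severity": "informational", "category": None,        "time": "2024-02-01T09:00:00Z"},
    {"id": 3, "log": "wildfire", "severity": None,            "category": "benign",    "time": "2024-03-05T10:00:00Z"},
    {"id": 4, "log": "wildfire", "severity": None,            "category": "malicious", "time": "2024-06-20T11:00:00Z"},
    {"id": 5, "log": "threat",   "severity": "critical",      "category": None,        "time": "2024-07-01T12:00:00Z"},
]

FILTERED_SEVERITIES = {"informational", "low", "medium"}  # Threat Log severities dropped by default
FILTERED_CATEGORIES = {"benign"}                           # WildFire Log categories dropped by default


def passes_default_filter(n):
    """True if the notification survives the default pre-filter."""
    if n["log"] == "threat":
        return (n["severity"] or "").lower() not in FILTERED_SEVERITIES
    if n["log"] == "wildfire":
        return (n["category"] or "").lower() not in FILTERED_CATEGORIES
    return True  # assumption: log types the page does not mention are passed through


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def retain(notifications, now, max_count=200_000, max_age=timedelta(days=182)):
    """Drop notifications older than max_age, then keep only the max_count newest.
    The page gives 200,000 and six months; 182 days stands in for six months (assumption)."""
    fresh = [n for n in notifications if now - parse_time(n["time"]) <= max_age]
    fresh.sort(key=lambda n: parse_time(n["time"]), reverse=True)  # newest first, oldest trimmed
    return fresh[:max_count]


def process(notifications, now, **limits):
    """Return the ids that would remain after filtering and retention."""
    kept = [n for n in notifications if passes_default_filter(n)]
    return [n["id"] for n in retain(kept, now, **limits)]


if __name__ == "__main__":
    now = parse_time("2024-07-15T00:00:00Z")
    print(process(SAMPLE, now))               # ids 2 and 3 are filtered, id 1 is past the age limit
    print(process(SAMPLE, now, max_count=1))  # a lower numeric limit trims the older survivor
```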

To open the External Notifications table in the console, click Reports > External Notifications on the console menu.

[Figure: The External Notifications table in the console]

Because of the data correlation with the Carbon Black App Control Server, external notifications can be prioritized immediately by their impact on systems running agents. When a malware notification is received from a connected network security source, you can determine the following:

  • Whether the malware is present on any of your systems.
  • Whether the malware has ever executed on any of the systems.
  • How much the malware has spread (that is, on how many computers).
  • Details on the system identified as the source for this malware, including what kind of user activity there was on the system and other system activity.

The External Notifications table includes several ways to drill down for additional information:

  • The View Details button opens the External Notification Details page for the notification in its row. The details page includes all of the information stored in your Carbon Black App Control database for this notification. See External Notification Details for more information. It also includes a link to open the full XML details file for the notification. See Showing XML Details for more information on this page.
  • If there is a number greater than zero in the Total Files or New and Modified Files column, clicking on the number opens the External Notification Details page.
  • If the Malware MD5, SHA-1 or SHA-256 hash is listed in the table and identifies a file inventoried by your Carbon Black App Control Server, clicking on the hash opens the File Details page for that file.
  • In any of the Cb Files columns, if the number of files shown is 1, clicking on the number opens the File Details page for that file. If the number shown is 2 or greater, clicking on the number opens the External Notification Details page with the Known Files tab showing.
  • In the Cb Computers column, if the number of computers shown is 1, clicking on the number opens the Computer Details page for that computer. If the number shown is 2 or greater, clicking on the number opens the Computers table.
  • If the Source or Destination Address column shows an address for a system that has the agent installed, clicking on the address opens the Computer Details page for that computer.
  • The History button opens the Notification Details page with the History tab showing. The History tab includes the 20 most recent actions related to this notification.
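How the endpoint correlation behind the questions above produces the Cb Known Files, Cb Executed Files, Cb Banned Files, Cb Computers and Cb Files On Computers counts, as an added Python example that is not part of the product: the inventory records, their field names and the priority ordering are constructed assumptions.

```python
# Constructed endpoint inventory: one record per file instance on an agent-managed computer.
# Field names are assumptions for illustration, not the App Control database schema.
INVENTORY = [
    {"computer": "ws-01",  "md5": "aaa", "executed": True,  "banned": False},
    {"computer": "ws-01",  "md5": "bbb", "executed": False, "banned": True},
    {"computer": "ws-02",  "md5": "aaa", "executed": True,  "banned": False},
    {"computer": "ws-02",  "md5": "aaa", "executed": False, "banned": False},  # second copy, other path
    {"computer": "srv-01", "md5": "ccc", "executed": True,  "banned": False},
]

# Constructed notification: the top-level hash plus hashes of the files it reported.
NOTIFICATION = {"md5": "aaa", "file_md5s": ["aaa", "bbb", "zzz"]}


def correlate(notification, inventory):
    """Compute the Cb correlation columns for one notification against the inventory."""
    reported = set(notification["file_md5s"]) | {notification["md5"]}
    matches = [r for r in inventory if r["md5"] in reported]
    known = {r["md5"] for r in matches}                   # unique reported hashes seen on endpoints
    executed = {r["md5"] for r in matches if r["executed"]}
    banned = {r["md5"] for r in matches if r["banned"]}
    computers = {r["computer"] for r in matches}          # spread: how many computers
    return {
        "total_files": len(reported),
        "cb_known_files": len(known),
        "cb_executed_files": len(executed),
        "cb_banned_files": len(banned),
        "cb_computers": len(computers),
        "cb_files_on_computers": len(matches),            # every instance, duplicates included
    }


def priority(counts):
    """Assumed triage order: executed on an endpoint > present but never run > not seen at all."""
    if counts["cb_executed_files"]:
        return "high"
    if counts["cb_known_files"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    c = correlate(NOTIFICATION, INVENTORY)
    print(c, priority(c))
```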

The following table shows the information available in the External Notifications table. Not all of these columns appear in the table by default.

Table 1. External Notifications Table Columns (each column name is followed by its description)
Vendor

Vendor whose product sent the external notification. Currently Palo Alto Networks (other vendors might appear if you have upgraded from previous App Control versions).

Appliance

Name of the external appliance or service that provided the notification; has link to appliance or service console URL.

Product

External appliance or service product name, if provided; has link to appliance console URL.

Version

External appliance, agent, or report version; has link to appliance console URL.

Time

Date and time when the malware was detected on the network.

Severity

Severity of notification. Scale varies by vendor.

Type

Type of notification (not the name).

For Palo Alto Networks, this can be: wildfire, spyware, virus, vulnerability, wildfire-result.

Other notification types might appear if you implemented a connector for a different device or service in previous Carbon Black App Control versions.

Source IP

The IP address from which the malware originated.

Source Address

Source Address is the address from which the malware originated, determined as follows:

  • If the address is for a computer known to your Carbon Black App Control Server, the hostname listed for this source in the Bit9 database is used. In this case, the name is linked to the Computer Details page.
  • If the computer is unknown to your server, the server performs a reverse DNS lookup; if the hostname can be resolved in this way, it is used here and persists.
  • If Bit9 cannot resolve the hostname, a URL is shown, as resolved by the provider.
  • If no resolution is possible, an IP address is shown. This would be the case if malware was attempting a callback.

Source URL

URL of the computer from which the malware originated, as resolved by the provider.

Source Username

Name of user logged into the system at the Source Address. Appears for Microsoft and Palo Alto Networks integrations if Active Directory is integrated with the appliance or service.

Destination IP

IP address to which the malware was targeted.

Destination Address

Address to which the malware was targeted, resolved as described for Source Address.

Destination Username

Name of user logged into the system at the Destination Address. Appears for Palo Alto Networks integrations if Active Directory is integrated with the appliance or service.

Malicious

Shows whether the notification identifies malicious files (Yes/No).

Malware Name

Malware name reported in notification (can be multiple, comma separated).

Malware MD5

Top-level MD5 hash reported in notification.

Malware SHA1

Top-level SHA1 hash reported in notification.

Malware File

Top-level filename reported in notification.

Application

Application reported in the notification.

Analysis Environment

Operating System environment used for file analysis. For Palo Alto Networks, may also include information about key applications in the environment, such as Office.

Registry Keys

Number of registry key modifications reported in the notification.

Directories

Number of directory modifications reported in the notification.

New and Modified Files

Number of files created or modified by this malware as reported in this notification.

Total Files

Total number of unique files in this notification.

Received Time

Date and time this notification was received by the App Control Server.

Modified Time

Date and time when this notification was last modified (that is, its status changed).

Cb Status

Status of the notification in Carbon Black App Control (Notified, Escalated, Resolved, Closed).

Cb Known Files

Number of unique files in this notification known to the App Control Server. May change based on the Correlate with Carbon Black App Control option on the External Notifications page.

Cb Executed Files

Number of files in this notification known to the Carbon Black App Control Server and executed on an endpoint. May change based on the Correlate with Carbon Black App Control option on the External Notifications page.

Cb Banned Files

Number of files in this notification known to the Carbon Black App Control Server and banned. May change based on the Correlate with Carbon Black App Control option on the External Notifications page.

Cb Computers

Number of Bit9-managed computers that have at least one file matching one of the reported MD5 hashes in this notification.

Cb Files On Computers

Total number of instances on agent-managed computers of files reported in this notification.

Cb Submitted

Indicates whether a file from this notification was submitted to an external device by this Carbon Black App Control Server for file analysis (Yes/No).
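The Source Address (and Destination Address) resolution cascade from the table above, as an added Python example that is not the server's own code: the known-computer map, the provider URL map, the offline stand-in for reverse DNS and the result labels are all constructed assumptions.

```python
# Constructed data; the lookup interfaces are assumptions, not the server's API.
KNOWN_COMPUTERS = {"10.0.0.5": "WS-01.corp.example"}                # agent-managed hosts in the server DB
PROVIDER_URLS = {"198.51.100.7": "http://198.51.100.7/files/sample.bin"}  # URL as resolved by the provider


def fake_reverse_dns(ip):
    """Stand-in for a reverse DNS lookup so the example runs offline (assumption)."""
    return {"10.0.0.9": "printer-09.corp.example"}.get(ip)


class AddressResolver:
    def __init__(self, known, provider_urls, reverse_dns):
        self.known = known
        self.provider_urls = provider_urls
        self.reverse_dns = reverse_dns
        self.cache = {}    # reverse DNS results persist once resolved, as the page states
        self.lookups = 0   # counts real lookups, to show the persistence

    def resolve(self, ip):
        """Return (display value, case) following the page's four cases in order."""
        if ip in self.known:
            return self.known[ip], "known-computer"      # would link to Computer Details
        if ip not in self.cache:
            self.lookups += 1
            self.cache[ip] = self.reverse_dns(ip)        # None is cached too: no repeat lookups
        if self.cache[ip]:
            return self.cache[ip], "reverse-dns"
        if ip in self.provider_urls:
            return self.provider_urls[ip], "provider-url"
        return ip, "ip"                                   # e.g. a callback destination with no name


if __name__ == "__main__":
    r = AddressResolver(KNOWN_COMPUTERS, PROVIDER_URLS, fake_reverse_dns)
    for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.9", "198.51.100.7", "203.0.113.1"):
        print(ip, "->", r.resolve(ip))
    print("reverse DNS lookups performed:", r.lookups)
```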