This section describes how you enable and use Carbon Black App Control’s Advanced Threat Indicators, and how you can monitor threats through events, file details, and alerts.
Carbon Black App Control includes many features that help you monitor activities on your endpoints. To enhance these capabilities, Carbon Black App Control provides a set of advanced detection features, including:
- Advanced Threat Indicators (ATIs), which are rules grouped in Indicator Sets that aid in detecting particularly threatening or suspicious activity on systems reporting to your Carbon Black App Control Server
- Detection Views into your Carbon Black App Control database that highlight detection-related data provided by the ATIs and other Carbon Black App Control features
ATIs can indicate malicious activity based on an event or sequence of conditions on an endpoint. This has the potential to provide broader coverage and earlier warning than a detection system relying solely on a snapshot of a point in time. A conventional Indicator of Compromise (IOC) might report on the existence of a suspicious file or registry setting only after the fact. Because the Carbon Black App Control advanced detection feature also uses dynamic events as part of its implementation, it can provide real-time indication of suspicious activity and capture metadata for related events, such as the creation of a suspicious file.
While ATIs are strictly for reporting purposes, you can remediate a detected threat using other Carbon Black App Control capabilities, or by actions outside of the console. For example, you can create a ban for a file reported as a threat or create a custom rule that bans an action in a particular location when conducted by a certain process. The Carbon Black App Control Event Rule capability allows you to immediately ban or delete any file that appears in a threat-related event.
The summary steps for using Advanced Threat Detection are as follows:
- Enable Indicator Sets for Detection – On the console Indicator Sets page (Rules > Indicator Sets), enable the Indicator Sets to activate. After the Indicator Sets are enabled on the server, the ATIs are committed to all the agents. Then, when the conditions specified by any of the ATIs occur, new detection events are sent to the server. See Indicator Sets for Threat Detection.
- Monitor Threat Reports – Periodically check for suspicious or threatening events or files using the Saved Views on the Events and Files pages. See Monitoring Threat Reports.
- Fine-tune Reporting – If you see detection-related events that you do not want reported, either deactivate the Indicator Set that detected them or create an Indicator Exception for the specific file reported in the event. See Indicator Set Exceptions. If you see detection-related events that you consider high priority, consider creating alerts for those events. See Threat-Related Alerts.
- Remediate Threats – If you see a threat that must be remediated, consider creating a Carbon Black App Control rule (for example, a ban, custom rule, or event rule) to prevent malicious action by the threat, or take action outside of Carbon Black App Control (for example, deleting files or creating firewall rules). See Responding to Threats.
ATIs work with agents at any Enforcement Level (other than Disabled), although the conditions that lead to threat detection are generally less likely in High Enforcement.