This section describes the Process Analysis page in the Carbon Black Cloud console.
At the top right of the Process Analysis page, click the orange Take Action button to quickly add a hash to the banned list, enable or disable bypass mode on the device, or quarantine or unquarantine the device.
The top section of the Process Analysis page contains the following information:
- The primary process that is being analyzed
- The currently selected process (node)
- Date and time
- Process path
- Device details, including:
  - Last logged-in user
  - OS version
  - Device name
  - IP address
  - Location
  - Applied policy
You can click the More button to view the following additional details about this device:
- Sensor version
- Installed by
- Target value
- Device registration date
- Device last contact date
- Last location
You can click the Take Action button in this window to enable bypass or quarantine the device.
Visualizing Processes
A visualization of your processes, or a process tree, displays in the main section of the Process Analysis page.
Each process in the attack stream is shown in the process tree as a node with the attack origin displayed on the left and each subsequent event shown from left to right as the attack progressed. Process trees that have an excessive number of parent or child processes might not display all nodes.
You can group processes by hash by clicking the Group by hash toggle. This action causes the process tree to group all processes that have an identical hash, regardless of whether there are child processes or watchlists. The target node is not grouped. Grouping by hash can reduce the number of nodes shown on the page and improve readability.
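The grouping rule above, as an added illustration that is not part of the product or its documentation: a constructed process tree (not real telemetry) in which two cmd.exe and two powershell.exe nodes share hashes, collapsed the way the Group by hash toggle describes, with the target node (pid 5 here, an assumption) left ungrouped and watchlist hits counted per group.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessNode:
    pid: int
    name: str
    sha256: str            # hash the sensor reported for the process image
    parent_pid: Optional[int]
    watchlist_hit: bool = False


# Constructed sample attack stream (not real telemetry): the origin is the
# leftmost node, each child sits to its right, mirroring the console layout.
EVENTS = [
    ProcessNode(1, "explorer.exe", "sha256-explorer", None),
    ProcessNode(2, "winword.exe", "sha256-winword", 1),
    ProcessNode(3, "cmd.exe", "sha256-cmd", 2, watchlist_hit=True),
    ProcessNode(4, "cmd.exe", "sha256-cmd", 2),
    ProcessNode(5, "powershell.exe", "sha256-powershell", 3),
    ProcessNode(6, "powershell.exe", "sha256-powershell", 4),
]


def child_map(events):
    """Parent pid -> list of child nodes, i.e. the edges of the ungrouped tree."""
    children = defaultdict(list)
    for e in events:
        children[e.parent_pid].append(e)
    return children


def group_by_hash(events, target_pid):
    """Collapse every node with an identical hash into one group, whether or not
    those nodes have children or watchlist hits; the target node is never grouped."""
    groups, order = {}, []
    for e in events:
        # A private key keeps the target node separate from its hash twins.
        key = f"target:{e.pid}" if e.pid == target_pid else e.sha256
        if key not in groups:
            groups[key] = {"name": e.name, "sha256": e.sha256,
                           "pids": [], "watchlist_hits": 0}
            order.append(key)
        groups[key]["pids"].append(e.pid)
        groups[key]["watchlist_hits"] += int(e.watchlist_hit)
    return [groups[k] for k in order]


if __name__ == "__main__":
    print(len(EVENTS), "nodes before grouping")
    for g in group_by_hash(EVENTS, target_pid=5):
        print(g)
```

Six nodes become five: the two cmd.exe nodes merge into one group that carries the single watchlist hit, while the target powershell.exe stays separate from its identical-hash sibling.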
Selected Node
Click a node to view additional information and take action in the Selected Node collapsible panel.
Binary Details
Select the Binary Details button in the Selected Node panel to view additional details about a binary.
Reputation
Reputation is the level of trust or distrust assigned to a hash.
- Effective Reputation is the reputation applied by the sensor at the time the event or observation occurred, based on Carbon Black analytics, cloud intel, and other data.
- Cloud Reputation (Initial) is the hash reputation reported by Carbon Black Cloud intel sources at the time that the event or observation was processed by the backend.
- Cloud Reputation (Current) is a real-time check of the hash reputation that is reported by Carbon Black Cloud intel sources.
Process Access Control
- Elevated: If “True,” the process is running in an elevated (administrator) context. When a process is elevated, policies that set UAC (user access controls) do not apply.
- Integrity: High (administrator), medium (basic user), or low (restricted). Trust is enforced by preventing a process from interacting with processes that have a higher integrity level.
- Privileges: Access tokens that encapsulate security identity (privileges) are assigned to each process. Privileges help enforce security boundaries when a process tries to execute.
Watchlist Hits
A process that displays an orange exclamation mark (!) has associated watchlist hits. In this case, the Selected Node panel also displays:
- Severity score of the latest hit
- Name of the report in which the hit was found
- The query on which the hit occurred
- Time of the occurrence of the event, which was captured as a Watchlist hit
Select the query link to pivot to the Investigate page with the query pre-populated in the Search bar.