VMware Carbon Black Cloud on AWS GovCloud (US) | 6 December 2023 |
Carbon Black is excited to announce some significant enhancements to our Alerts experience in the VMware Carbon Black Cloud console.
These enhancements improve alert triage in the VMware Carbon Black Cloud and allow for easier management, consumption, and triage of alerts. For more information, please see the Alerts Experience Announcement.
These enhancements include, but are not limited to:
Additional metadata to search on across all alerts
Introduction of new alert metadata such as process command line and username, parent and child process information, netconn data, additional device fields, MITRE categorization where available, and more.
Additional alert columns for the primary alerts table.
Additional ways to filter alerts.
New full screen alert details view
Users can now view the updated alerts screen with a full alert details view.
New customizable alert filters and table columns
Users can now view new alert filters and table columns.
Additional alert columns for the primary alerts table.
Ability to mark alerts as “In Progress” and track the alert status workflow
Introducing in-product alert workflow management, allowing you to mark alerts as “In Progress” and helping you better manage alert triage across your SOC team. The Workflow column displays the status of the alert, and users can change the workflow of an alert to Open, Closed, or In Progress.
For further information about editing the alert workflow, see the following section of the User Guide: Editing the Alert Workflow (vmware.com).
Users can view all previous changes to the workflow status of the alert in the Alert ID History card. The enhanced Alert History visibility shows a history of all alert workflow state transitions (i.e. Open -> In Progress), comments, determination, closure information, and other items.
For further information about the enhanced alert details, see the following section of the User Guide: View Alert Details (vmware.com).
Alert Determination feature
Users can now mark an alert as a True Positive or a False Positive alert. Providing feedback about alerts also enhances the accuracy of the classification system over time for some Watchlists.
For further information, see the following section of the VMware Carbon Black Cloud User Guide: Add Determination for Alerts (vmware.com).
Enhanced Group By: Threat ID view
Grouped alerts are now easier to manage and consume in the improved Group By: Threat ID view.
For further information, see the following section of the VMware Carbon Black Cloud User Guide: Group By: Threat ID (vmware.com).
Better note management
Users can now add notes both to individual alerts and to alerts grouped by Threat ID. Notes are added in the Alert ID History and Threat ID History panes.
For further information, see the following section of the VMware Carbon Black Cloud User Guide: Add Notes (vmware.com).
Live Response is now available on VMware Carbon Black Cloud on AWS GovCloud (US)
You can now use Live Response to perform remote investigations, contain ongoing attacks, and remediate threats using a command line interface. To use Live Response, users must be assigned a role with Live Response permissions in the Carbon Black Cloud. Live Response is available on endpoints running a version 3.0 or later sensor that have been assigned a policy with Live Response enabled.
When you activate Live Response, you create and attach to a session. Up to 100 sessions can be running simultaneously, and multiple users can be attached to the same session. Each session is limited to 250 commands. Live Response can be used on devices in bypass mode or quarantine.
For more information, see the following topics in the user guide:
Build 1.16
This release includes an upgrade to the Sensor Upgrade pages. The new Sensor Update Status tab addresses customer feedback to allow increased visibility and control of the sensor update progress. The new Sensor Update Status tab improves mass sensor management and provides more flexibility for larger enterprise environments.
Sensor Upgrade Pages Improvements
Updated User Interface for the Sensor Update Status tab on any Inventory page in the Carbon Black Cloud console.
When a user requests to stop a sensor upgrade, it transitions to a "Stopping" state. There can be a delay of several minutes between the user’s stop request and the resulting changes being processed in the backend; this new status shows that the request has been received and is being processed.
When a user requests to create a new sensor upgrade, it transitions to an "Initializing" state. Larger jobs take significantly longer to initialize than smaller jobs, up to a few minutes, and previously could appear in a confusing state in the console. This new “Initializing” state shows that work is still being done to prepare the upgrades.