What's New - 16 May 2024

• New Information on Inventory page (macOS endpoints)

  The macOS sensor Inventory: Inventory -> Endpoints page is enhanced to assist Mac Admins identifying macOS deployment errors related to the Full Disk Access and Network Extension - related MDM policy. 

  Display strings for the new error states (displayed in the “LAST CHECK-IN” column) are:

  • FDA Error

  • Network Ext. Not Approved

  • Network Ext. Disabled

  This change was deployed as part of the April 2024 backend release. Please refer to the latest MDM policy recommendations included in the macOS sensor DMG/docs folder and the User Guide for more information:

  • Full Disk Access

  • Network Extension

• Alert Triage Page Updates

  To bring better consistency to the Carbon Black Cloud console, the Alert Triage page is enhanced to use more design and layout elements from the Process Analysis page of the Carbon Black Enterprise EDR product. Details include:

  • The Alert Triage side panel introduces the standardized Process, Device and Event (for example: Netconn, Filemod) cards, with all the available metadata they typically contain.

  • The side panel now dynamically orients to the selected node in the tree diagram.

  • The entire “Alert Origin, Behavior, Notes & Tags” sub-tab of the footer has been removed, and all viable sources of data and functionality migrated elsewhere on the page.

    • Alert Origin is removed, including Vector and Alert origin source, which were redundant.

    • Primary Process remains available in side panel.

    • Alert Behaviors Based on Severity graphic is removed.

    • “All behaviors” TTPs remain available in the side panel.

    • Notes & Tags have moved from the footer to the side panel.

  • Device Details & Actions have moved from the header to the side panel.

  • Current Cloud Reputation, Signature Verification, Process State, and Policy Action no longer have separate icons at the top of the panel and are shown in the Process panel instead.

• Sensor Update Status Tab Updates

  In the Sensor Update Status tab, Update error now displays when an upgrade does not complete successfully due to failure or inactivity.

  This status replaces Sensor unresponsive, which inaccurately implied all such failures were the result of the sensor being inactive.

• Coming Soon: APIs deactivated on 31 July 2024

  The following APIs will be deactivated on 31 July 2024:

  • Alerts Forwarder v1 Schema

  • Alerts v6 API

  • Devices v3 API

  • Live Response v3 API

  • Enriched Events Search API

  • Policy v3 API

  • Process Search Suggestions v1

  • GET Process Search Validation v1

  • Sensor Update Services v2 API

  Information on how to migrate to replacement APIs is available in the Developer Network API and Schema Migration guide: https://developer.carbonblack.com/reference/carbon-black-cloud/api-migration/.

Resolved Issues - 16 May 2024

• DSER-31717: Support and Technical Support Role can no longer Initiate & Stop Update Sensor Requests in Customer Org

• DSER-48447: Bulk actions to put sensors into bypass mode are now captured in the audit log.

Known Issues

• Carbon Black Cloud - All
• Container Essentials
• Enterprise EDR
• Issues Specific to Carbon Black Cloud on the VMware Cloud Services Platform

Archive of 2024 Improvements and Resolved Issues

What's New - 22 April 2024

• Configure Binary Uploads per Policy

  Carbon Black is pleased to introduce the ability for Enterprise EDR and XDR customers to control the upload of new binaries to Carbon Black Cloud on a per-policy basis.

  Starting today, this feature will be enabled over the coming weeks on a rolling basis. Customers will see an in-product notification when it becomes available.

  Enterprise EDR and XDR customers will have access to the new Upload new binaries and their metadata to Carbon Black for later analysis and download setting on the Sensor tab of the Policies page. This setting applies to Windows sensor versions 3.4+.

  When this setting is enabled, executed binaries and their metadata will be uploaded to Carbon Black Cloud. The binaries’ metadata can be viewed on the Binary Details page, where the binary can also be downloaded for further analysis or added to the banned list.

What's New - 18 April 2024

• Email Notifications for Non Carbon Black Cloud Users

  Previously, email notifications could only be sent to existing Carbon Black Cloud users. This update makes it possible to notify other emails, such as distribution groups.

  From the Carbon Black Cloud console Settings → Notification, add or edit a notification.

  • Select 0 or more Carbon Black Cloud users from the dropdown or begin typing to filter the list.

  • Add 0 or more email addresses, such as a distribution group.

    Be sure to hit ENTER after each email address, or changes will not be saved.

  Each notification rule requires at least one user, email address, or legacy API key.

  

• Setting Alert Determination to True Positive

  Setting the alert’s determination to “True Positive” must now be done on an individual alert.

  The determinations of “None” and “False Positive” can still be assigned to a group of alerts.

  Important:

  This change is intended to improve the accuracy of “True Positive” determinations.

• Update to IP Address information on Triage Page

  The triage page header previously showed internal & external IP address values from the most recent device check in.  Since this page is alert-oriented, these are now sourced from the alert & represent the values at the time of the event.  External IP address will also be displayed on Device nodes in the Triage tree (typically the root node).

• New information on Alert Card Details

  This feature further enhances the explainability for the anomaly scores enriched by watchlist Alert Classification. The current version of the explanation provided by alert classification for the anomaly scores is mainly based of prevalence (frequency of occurrence) attributes. This release adds a much more enhanced version of explainability by looking across various behavioral features associated with the alerts. This enhancement helps security analysts understand why certain behaviors were flagged, enabling quicker and more accurate responses to potential threats.

• Script Telemetry Improvements

  • Carbon Black Cloud now makes a clear distinction between “path to the script interpreter that executes script content” and “path to the script file that was opened by the script interpreter”

    1. Previously in cases where a script was executed at the start of a process launch, the Endpoint Standard product would report e.g. process_name:script.ps1, such as when powershell.exe was the executable performing the script interpretation & execution of script.ps1.

    2. Now Carbon Black Cloud will report both of these data in two separate fields: the script interpreter/script host will be reported in process_name just as Enterprise EDR has always reported executables (e.g. process_name:powershell.exe) and the script file will be reported as scriptload_name (e.g. scriptload_name:script.ps1)

  • This means the Alert Triage tree will no longer populate tree nodes with the name of the script (e.g. exea12.bat) but instead just report the name of the process executing that script file.

  • Carbon Black Cloud will report and index all script files as scriptload_name, whether the scripts that are loaded by the process at process launch (e.g. passed in as a command line parameter) or are loaded by that process anytime throughout the lifetime of the process. This means the field scriptload_name now includes all telemetry that was published in the past as process_loaded_script_name

    1. Both process_loaded_script_name and process_loaded_script_hash are now deprecated and will no longer be populated in Carbon Black Cloud

    2. These process_loaded_script_* fields have been removed from documentation and inline suggestions in the Investigate page

    3. These process_loaded_script_* fields will remain populated in pre-existing search data until that data ages out of your Carbon Black Cloud tenant

    4. These process_loaded_script_* fields will completely disappear from CBC data no later than October 2024

  • The scriptload_content field continues to track the AMSI-deobfuscated code that is recorded and reported by the Carbon Black Cloud Windows sensors.

  • All Events and Observations that include any script activity are now discoverable by searching or filtering on the "scriptload" or “fileless_scriptload” event types

    1. Searches and Filtering on event_type:scriptload will uncover all script activity attributable to file-backed script activity 

    2. Searches and Filtering on event_type:fileless_scriptload will uncover all script activity that cannot be attributed to file-backed scripts 

  • All events where fileless_scriptload_cmdline is populated are now discoverable by searching or filtering on the "fileless_scriptload" event type

  • The “Test Rule” feature of the Enforce > Policies page has been enhanced to support script files with the new scriptload_name support. This change will ensure that when users have included a script file with known filename extensions (e.g. .ps1, .xlsx, .py, etc) in the File Path for Permissions or Blocking and Isolation rules, the “Test Rule” feature will search for the specified script files using the scriptload_name field. Note that the Test Rule feature will only validate the specific script types supported by the CBC sensors, as specified in Figure 1 of this article.

  • Your Watchlists may need to be updated: as communicated elsewhere (via a Carbon Black Community article and in-product Notifications), you may need to update your custom Watchlists. Any custom Watchlists you may have implemented could potentially stop identifying matching processes if you were previously searching for script activity. For example, if you have a watchlist whose query currently looks for process_name:*.ps1, that watchlist will no longer generate Alerts to identify when .ps1 files are being executed. To ensure you are receiving the same quantity & quality of Alerts that you were in the past, you will need to update your watchlist IOCs to replace e.g. process_name:*.ps1 with scriptload_name:*.ps1.

  • Threat Intel Feed support: all Carbon Black Cloud-provided threat intel feeds (e.g. Advanced Threat Indicators, AMSI Threat Intelligence - documented here) have been updated to ensure any script-centric detections are now using scriptload_name appropriately. This means all CBC-provided watchlists you’ve subscribed need no action on your part to accurately detect intended script behaviors.

  • API users who have previously searched for process_name will have to update their logic to find script names using scriptload_name.

  • SIEM applications that only query for process_name to find script activity will need to be updated.

  In the near future, we intend to expose additional details reported by AMSI (app name, content name, sessions) and clarify the sequence of events when script content is reported multiple times by AMSI, so that a script whose execution is reported multiple times by AMSI are clearly associated together.

  For more guidance on how to operationalize these changes, please see this article on our Carbon Black Community:

  https://community.carbonblack.com/t5/Carbon-Black-Cloud-Discussions/Script-Search-Simplification-and-Impact-on-Watchlists-Feeds/m-p/124683

• Removing event_type from Processes search

  The event_type field will no longer be suggested, indexed or returned on /processes API and Investigate > Processes tab.

  This field has been unreliable (does not and cannot consistently return all processes where the named event type has been reported for at least one event during that process' lifetime), and has created significant confusion for customers. No longer indexing this field removes this confusion.

  This event_type field will continue to be indexed and returned on all other supported Search routes (/observations, /events APIs) and on both Investigate > Observations and on Process Analysis pages.

• Alert Forwarder de-duplication

  Starting with this release, Carbon Black Cloud Data Forwarder will only be issuing updated versions of existing CBC Alerts when the following occur:

  • User sets a Determination (e.g. False Positive, True Positive)

  • Managed Detection & Response team sets a Determination (e.g. False Positive, True Positive)

  • Carbon Black Cloud determines that the “threat cause” of a CB_ANALYTICS alert has changed

  • Carbon Black Cloud determines that the “threat score” has increased

  Starting with this release, Data Forwarder will no longer issue updated versions of a CBC Alert if the following occur, as these do not cause the Alert to carry any new or updated data values other than backend_timestamp:

  • User updates the Workflow of the Alert from Open to In Progress or Closed (reasoning: customers should be triaging and acting on Alerts either in their SIEM or in the Carbon Black Cloud, not both)

  • Managed Detection & Response team updates the Workflow value

  • User adds, updates or deletes the Notes on the Alert (reasoning: the Notes data is not stored with Alerts, but as a separate data stream; as well, updating the Threat ID Notes would cause hundreds or thousands of Alerts to be updated all at once)

• Splunk App v2.1

  The Carbon Blac Cloud Splunk App version 2.1 is now available on Splunkbase and certified for Splunk Cloud.

  • New Features

    • Asset Inventory Input

      (Includes USB Devices & Asset Groups)

    • Asset Details Dashboard

  • Bug Fixes

    • Index dropdowns will support more than 30 indexes.

    • The Input Addon was missing the App Configuration XML Dashboard.

• Vulnerability Management Updates to Backend Services

  Carbon Black’s Vulnerability Management service has been migrated onto an internally developed vulnerability data feed. This transition enables Carbon Black to deliver more rapid updates and bug fixes with a solution that is directly managed by our team. It also provides a path to create tailored risk prioritization that leverages the combined knowledge of the Symantec and Carbon Black products.

  There are a few key differences that appear in the Vulnerability Management feature as part of this transition:

  • There will be some difference in the reported CVEs. With the Carbon Black-managed solution, we will now be able to more quickly respond to any data quality concerns raised by our customers.

  • Application vulnerabilities are only reported for fully verified and qualified products. The previous Vulnerability Management solution provided CVE data for all discovered applications, but this created false positives for applications which had not been fully verified. This improvement reduces false positives and focuses application vulnerability reporting on the most commonly deployed applications, such as browsers, Microsoft applications, and more.

  • The Kenna Risk Score will be replaced with industry standard CVSS. The move to a Carbon Black-owned solution enables us to develop a more tailored risk score over time.

  We appreciate your patience with the changes in this transition, and we are excited to deliver an even better Vulnerability Management solution to you all going forward.

• DNS Protocol Parsing

  In addition to TLS and HTTP, we added DNS protocol parsing exclusively to our XDR offering.

  With this enhancement to network telemetry, DNS netconn events will be inspected and DNS message contents will be reported in the process analysis event view. In addition, this new telemetry comes with new event search fields, allowing customers to query DNS traffic by specific fields such as query name, record types, and even TTL.

  These additional search fields can be identified by the prefix netconn_dns_.

  Note:

  For more information, check out the search fields documentation here.

• New Sensor Update Failure Reason

  Sensor upgrades will fast-fail when an unsupported upgrade is requested for the upcoming Linux 2.16 sensor and a new failure reason will communicate this. A Linux sensor upgrade to 2.16+ is supported when the current sensor is running 2.15+.

• Removed the quick tour of observations banner and modal

  The "quick tour" option has been removed from the Observations page header. Help content is now available in the User Guide.

Resolved Issues - 18 April 2024

• DSER-41165: Fixed an issue where the sensor sent 0s for the local IP or remote port

  This resulted in the UI displaying unexpected characters.

• EA-24443, LC-4795: Updates to netconn_location and netconn_remote_location Fields

  Important:

  Technically, this fix is not included in 1.25; it was released async from our standard release cadence on April 4, 2024, but it is documented here since 1.25 is the closest subsequent release.

  The netconn_location field (supported in Investigate search) and netconn_remote_location field (supported in Process Analysis search) leverage a geolocation database to report the location associated with a remote IP address value. It is important to note that this geolocation database only contains public IP addresses. The reported location is in the format “City,Region/State,Country”. Originally, if the geolocation database did not contain the IP address or if the IP address is not public, the reported City, Region/State, and Country values would be blank, reported as “,,,” in the UI. In an effort to make these fields more informative and valuable, we updated them to report “,,Unknown” if the geolocation database does not contain the IP address and “,,Private” if the geolocation database does not content the IP address, but the IP address is in the range of private IP addresses, as defined by RFC 1918. However, after making this change, we realized the “Private” classification is too narrow since “Private” is a subcategory of “Reserved”, meaning IP addresses that are reserved for special purposes. Therefore, we decided to create a new “Reserved” classification, which includes IP address ranges that were formerly classified as “Private” plus additional ranges that are classified as reserved for special use, and we deprecated the “Private” classification. This fix yields the following behavior:

  • A specific “City,Region/State,Country” value is reported if the remote IP address is public and the geolocation database contains the associated location.

  • “Unknown” is reported if the geolocation database does not contain the remote IP address.

  • “Reserved” is reported if the geolocation database does not contain the remote IP address, but the IP address is within one of the following ranges that are reserved for special use:

    • IPv4: 0.0.0.0/8, 0.0.0.0/32, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.0.0/29, 192.0.0.8/32, 192.0.0.9/32, 192.0.0.10/32, 192.0.0.170/32, 192.0.0.171/32, 192.0.2.0/24, 192.31.196.0/24, 192.52.193.0/24, 192.88.99.0/24, 192.168.0.0/16, 192.175.48.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 233.252.0.0/24, 240.0.0.0/4, 255.255.255.255/32

    • IPv6: ::1/128, ::/128, ::ffff:0:0/96, 64:ff9b::/96, 64:ff9b:1::/48, 100::/64, 2001::/23, 2001::/32, 2001:1::1/128, 2001:1::2/128, 2001:2::/48, 2001:3::/32, 2001:4:112::/48, 2001:10::/28, 2001:20::/28, 2001:30::/28, 2001:db8::/32, 2002::/16, 2620:4f:8000::/48, fc00::/7, fe80::/10

What's New - 14 March 2024

• Digital Signature Improvements

  In response to customer feedback, Carbon Black Cloud has improved the way we render the state of the digital signature associated with processes and files. We now distinguish the three ways by which Carbon Black Cloud captures digital signature telemetry, and clearly label the approaches that were used to capture this data.

  These enhancements can improve your ability to determine whether the executables and other files observed on your endpoints are legitimate or anomalous, and how you can prevent future unwanted activity. You can compare:

  1. Effective Signature: What the sensor knew about the file signature at the time of a specific read, write, or execute event.

  2. Most Prevalent Signature: What has been observed for this file across your fleet of endpoints for the past 90 days (for customers who have Enterprise EDR with Windows endpoints).

  3. First Seen Signature: What was observed the first time the file was noticed by Carbon Black Cloud on the first endpoint that reported it (for customers who have Endpoint Standard).

  Carbon Black Cloud shows the Effective Signature whenever the effective signature data is available, then prioritizes to make Most Prevalent Signature available where possible, and only shows First Seen Signature when Most Prevalent Signature is not available.

  The Signature section is clearly labeled:

  • Each displayed signature is labeled Effective Signature, Most Prevalent Signature, or First Seen Signature.

  • "Signed" is now spelled out "Signature Status" and the status value displays next to it.

  • "Publisher" value is  shown only one time.

  • "CA" is spelled out "Certificate Authority".

  • Publisher and Certificate Authority are grouped together.

  
  

  
  

  These changes ensure that you will no longer see Signature values that vary (because they used different inputs) when tracking an investigation from page to page, when comparing API responses to the console, or when comparing console and API to Data Forwarder output.

  For more information, see About Digital Signatures in the User Guide.

• Multi-Factor Authentication

  • Duo Security - Carbon Black Cloud has been updated to support the Duo SDK v4 Universal Prompt.

  • In multi-tenancy environments, to switch to a child organization that has MFA enabled, the parent organization is also required to have MFA or SAML enabled.

• Improvements to Ban/Approve

  The Ban/Approve popup window has been updated to source "This hash has been seen on X devices" data from Investigate. There are two visible changes:

  • The time window for this value is now 30 days instead of 3 months.

  • The "X devices" text is now a link that pivots to the Investigate page by hash so that users can further examine the devices where the hash was seen. 

Resolved Issues - 14 March 2024

• CBC-32547: Some Observations data that are based on fileless scriptload activity (and which include fields prefixed fileless_scriptload_*) were being labeled as event_type:scriptload

• CBCUI-4877: Command lines in the right panel were sometimes not wrapping, forcing users to find and click the popup window

• DSER-40448: Differing signature states

• DSER-45780: Endpoint Standard-only environments are experiencing inconsistencies in hash signatures

• DSER-50283: The right pane of the Alert Triage page was not wrapping correctly

• DSER-50831: Users were unable to delete assets from the Inventory pages when an asset was in "Pending install" state

What's New - 15 February 2024

• Anomaly Classification

  The Watchlist alert Anomaly Classification is now available in the Sydney region. 

  Note: This feature supports Carbon Black Advanced Threats and AMSI Threat Intelligence watchlists.

• Enhancements to Alert Email Notifications

  We are excited to announce that we have completed enhancements to alert email notifications. We have introduced additional fields such as parent and child process information, process username, MITRE ATT&CK information, and other highly requested fields.

• Kubernetes Cluster Deployment

  We are excited to announce significant updates to our Kubernetes Sensor setup, a response to valuable feedback from our customer base. To simplify the setup process, customers can now pull images from private registries to enable seamless integration with various image repositories. In this release, we've also introduced native support for Helm charts to, thereby offering users a choice between Helm and traditional kubectl for deploying their clusters. This addition provides greater flexibility and efficiency in managing Kubernetes applications. These improvements are not just limited to new installations; existing users can also benefit from these features through both manual and remote updates of the sensor. This release represents our commitment to continuous improvement and customer-centric development, ensuring our Kubernetes Sensor setup remains a simple, efficient, and versatile tool for your orchestration needs.

  
  

  Helm Integration (CNS-3159):

  
  

• Data Forwarder Versioning Improvements

  Investing further in our support for Semantic Versioning in the Data Forwarder, we are making the following change:

  • Adding and Editing forwarders via the console now allows every Forwarder type (Alerts, Endpoint Events, Watchlist Hits) to select "Schema updates" and "Schema version/constraint" options. Specifically this adds "Schema updates" support to Alert forwarder, and both "Schema updates" and "Schema version/constraint" support to Watchlist Hit forwarder

• Auto Sensor Installation

  We are excited to announce a new feature for workloads  "Auto Sensor installation". As part of this feature, whenever a workload is detected on a given vCenter and the workload is in an eligible state, the auto-sensor install will be triggered. There are no Rule definitions: every eligible workload will be automatically triggered for sensor installation. This will require a one time consent from the end user as part of system settings.

Resolved Issues - 15 February 2024

• DSER-49788: API results not displayed

  Although the API successfully fetched results for customers who have enabled APC uploads, they were not displayed in the Cloud Analysis user interface.

• DSER-47090: An alert with 4758 events prevented the generation of an alert triage tree

  This led to a visually cluttered page with numerous lines, and ultimately caused browser crashes.

• CBCUI-4724: Policy permissions file path deletes if no actions are selected

  When no actions were selected on existing policy rules, the Policy Permissions Paths were deleted.

• CNS-3353: Deleting a cluster did not delete all the images data

• CNS-1290: Increase the runtime scanning image size limit to 2GB

• DSER-51353: Fixed MDR search and facet criteria exclusion

What's New - 18 January 2024

• On the API Access Level Page, the time the API Session was last renewed is displayed making it easier to determine which API keys are in active use

  This makes it easier to determine which API keys are in active use; for example, regular polling for an integration.  An Audit Log is also written each time the API Session is renewed.

• Endpoint Standard
• Audit and Remediation
• Vulnerability Management
• Data Forwarder
• Container Essentials
• API Keys

Resolved Issues - 18 January 2024

• CNS-1241: Image scanning data is now deleted after 90 days

• DSER-49561: There is a reported anomaly on the Watchlists page in the Processes tab

  The report name is not populating correctly; it appears as "(Deleted).

  Note: This was fixed in build 1.21.

• DSER-50376: Fixed various Asset Groups operations to properly record user IP address in Audit Logs

• DSER-50824: Fixed defect preventing customers with MSM groups from deleting old policies without endpoints after upgrading to Asset Groups and re-assigning endpoints to new policies

• EA-24040: Mismatch with the CSV export data compared to the console between Nov 22 and Nov 24

  Note: This was fixed in build 1.21.