A recommendation is a suggested configuration change, in the form of a reputation override, that you can choose to apply to improve the health of your environment. Currently, you can use Hash and IT Tools recommendations.

Carbon Black Cloud generates recommendations based on data science about:

  • blocked events in your current organization
  • blocked events in all orgs, and
  • accepted reputation rules
Tip: You can also use the Recommendation API to manage recommendations.

Why use recommendations?

To benefit from the detection and prevention capabilities of the Carbon Black Cloud Endpoint Standard product, and comply with security standards, you must enable high enforcement policies. Carbon Black Cloud automatically suggests such policy rules to you by generating organization-specific recommendations through data mining and applying them to your account.

Here are some of the issues that Recommendations solve in your organization:

  • Reducing the cognitive workload of tuning alert load.
  • Focusing on actionable items.
  • Adding approvals for software allowed to run in your environments.
  • Reducing the tuning time for new customers to get them to a secure state faster.

Recommendations are available in the Carbon Black Cloud Endpoint Standard product and assist you in tuning your console and optimizing your environment. Carbon Black Cloud prioritizes suggested recommendations based on the impact and relevance they have on your organization's environments. It allows you to review these recommended actions further before accepting and implementing them. This service reduces your cognitive load when identifying exceptions.

Where can I view recommendations?

You can view your newly generated recommendations in the Carbon Black Cloud console under the Enforce > Recommendations page of the navigation panel.

  • The New tab holds the latest recommendations for your organization. Here you decide to accept or reject a recommendation.

    You can view up to 10 personalized and prioritized recommendations per day with new recommendations being updated daily. You can use them to update your approved lists. The recommendations that are not reviewed expire in 30 days.

    The Carbon Black Cloud console represents each new recommendation in a card view with content depending on the set rule. The following are content examples for Hash and IT Tools recommendations.

    • Recommendation type.
    • The approximate number of blocked events in your organization over the past 30 days.
    • The approximate number of devices in your organization impacted by these events.
    • Links to the Investigate page, where you can see sensor events and devices related to that recommendation.
    • If you enable Carbon Black Cloud Enterprise EDR, you can view binary details for the SHA-256.

    During the review process, before accepting or rejecting a recommendation, you can investigate the information related to the recommendation. This information includes the types of events affected and the devices where these alerts are found.

  • The Reviewed tab lists all recommendations that you already accepted or rejected.

    You have the option to either accept or reject the recommendation. Accepting a recommendation also adds the accepted suggestion to the system configuration; for example, for a Hash or IT Tool recommendation, the applicable reputation is added to the approved list.

    To reverse an action made on any recommendation, you can visit the Reviewed tab and select the specific recommendation you want to take this action on.

Additionally, recommendations display on the Alerts > Alert Details pane, where the noise from certain reputations is optimized and tuned. Reviewing recommendations daily improves the fine-tuning of the Carbon Black Cloud Endpoint Standard implementation in your environment. Implementing recommendations fast-tracks the security of your environment by improving the quality of detection and the presentation of alerts.

Any actions you perform within the Recommendations page and actions related to recommendations in the Reputation page are logged into the Audit Log page. These actions can include accepting and rejecting a recommendation, adding hashes and IT tools to the approved list, or removing them from the approved list.

For more information on reputations, see Manage Reputations.

Why is the "New" page empty?

Recommendations are based on blocked events that match a specific condition. If no blocked events matched that condition in the last 30 days, Carbon Black does not create hash recommendations. In that case, your organization does not have any blocked events that match.

Data about this organization still exists, because reputation data continues to be gathered to prevent duplicate recommendations.