Carbon Black Cloud Enterprise EDR features Identity Intelligence. Identity Intelligence provides visibility into authentication events that occur on Windows endpoints (supported by Windows Sensor 3.9.1+ and Windows 10.0.15063+).

Identity Intelligence improves the visibility that Carbon Black Cloud Enterprise EDR provides into user authentication activity. This type of endpoint telemetry is essential for identifying anomalies and threats.

With Identity Intelligence, Carbon Black Cloud Enterprise EDR collects various types of Windows authentication events, which are reported in the Auth Events tab on the Investigate page.

The reporting of Windows authentication events supplements the reporting of process events, which enables the correlation of authentication and process activity, and yields more context-rich threat hunting, investigations, and incident response.

Authentication event data provides insight into the following events (and more):

  • Attackers’ authentication-based tactics, techniques, and procedures (TTPs)
  • Who was logged in to an endpoint when process activity of interest occurred
  • Who attempted but failed to login to an endpoint
  • Brute-force attacks
  • Attempted logins outside of expected hours
  • Remote authentication attempts from anomalous or suspicious sources
  • Privilege escalation attempts
  • Account changes
  • Use of stolen credentials
  • Lateral movement between endpoints
  • Insider threat behavior

Some of the benefits Security Operations Center (SOC) Analysts gain from the reporting of authentication events include:

  • Increased visibility into endpoint activity
  • Additional context during threat hunting and incident response
  • Increased potential for correlation of authentication and process events
  • Reduced mean time to respond (MTTR)
  • Consolidation: reduced reliance on third-party solutions for the collection of authentication events