The Carbon Black Cloud analyzes unfiltered data on all endpoints to highlight events of interest based on types of behavior that are likely to be associated with malicious activity. This data includes 110+ core behaviors known to be leveraged by attackers. These events are called enriched events.
On the left navigation pane, click Investigate and click the Enriched Events tab.
ON
in the upper right of the page. You can revert to the Enriched Events page at any time by toggling
New Investigate experience to
OFF
.
Four tabs, each with a focused perspective, offer alternative ways to view information about the events in your environment.
Events
The Events tab is the default view. It shows every event stored in the Carbon Black Cloud, including all failed and successful operations performed by applications and processes on endpoints.
Click the caret to open up additional process and event type information in the right-side panel.
- Click the dropdown arrow next to the process name to take action on the process.
- Click More to view additional device details and take action on the device.
- In the right-side panel, click the expand icon in the Process section to see obfuscated script translation. For more details, see Investigating Script-Based Attacks.
Title | Description |
---|---|
Time | Date and time when the event occurred. |
Type | The type of event. Types include: childproc, filemod, netconn, crossproc, modload, scriptload, and regmod. |
Event | Details associated with the event, including the application/process path, what occurred during the event, and whether the operation was successful or not. |
Device | The registered name of the device. |
Applications
The Applications tab displays the total number of events associated with each unique hash.
Click the dropdown icon to take action on an application/process:
- Add to approved list/banned list: Add the application to the company approved list or company banned list.
- Request upload: Request an upload of the application file for your analysis. The file will be uploaded onto the Inbox page once completed.
- Find in VirusTotal: Find current information about the hash from various sources.
Title | Description |
---|---|
Hash | The SHA-256 of the application/process. Click the hyperlinked hash to search by SHA-256 hash on the Events tab. |
Application | The name and path of the application/process. Click the hyperlinked name to search by application/process name on the Events tab. |
Effective Reputation | The reputation of the application/process hash as applied by the sensor at the time the event occurred. |
Current Cloud Reputation | The real-time reputation of the application/process hash reported by the Carbon Black Cloud. |
Events | The total number of events associated with the application/process hash. Click the hyperlinked number to search by SHA-256 hash on the Events tab. |
Devices | The number of devices the hash has been detected on. |
Devices
The Devices tab displays the total number of events associated with each device in your environment.
Click the dropdown icon to take action on a specified device:
- Enable or disable bypass
- Quarantine or unquarantine a device
Title | Description |
---|---|
Device | The registered name of the device. Click the hyperlinked device name to see additional device details and to take action, including enable/disable bypass and quarantine/unquarantine the device. |
User | User context in which the process was executed. |
Policy | The policy group to which the device is registered. Click the hyperlinked policy name to view the policy on the Policies page. |
Group | The sensor group to which the device is assigned, if applicable. Sensor groups can be viewed and managed on the Inventory > Endpoints page. |
OS | The device's operating system. |
Events | The total number of events associated with the device. Click the hyperlinked number to search by device ID on the Events tab. |
Network
The Network tab displays all network related events associated with each device and application/process in your environment.
Click the caret to open up additional process and network connection information in the right-side panel.
- Click the dropdown arrow next to the process name to take action on the process.
- Click More to view additional device details and take action on the device.
Title | Description |
---|---|
Device time | The time when the network connection occurred. |
Device | The registered name of the device. Click the hyperlinked device name to see additional device details and to take action, including enable/disable bypass and quarantine/unquarantine the device. |
Process | The name and path of the application/process. Click the hyperlinked name to see a visualization of the network connection on the process tree. |
Source | The source IP address. |
Destination | The destination IP to which the connection was made. |
Location | The geographical location of the remote network connection. |
Protocol | Network protocol related to the network connection. |
Port | Destination port of the network connection initiated or received by the process. |