The Carbon Black Cloud analyzes unfiltered data on all endpoints to highlight events of interest based on types of behavior that are likely to be associated with malicious activity. This data includes 110+ core behaviors known to be leveraged by attackers. These events are called enriched events.

On the left navigation pane, click Investigate and click the Enriched Events tab.

Note: If you have Carbon Black Cloud Endpoint Standard or are running Carbon Black XDR, you can view the Observations page instead of Enriched Events. The Observations page is the default view. If you do not see the Observations page, toggle New Investigate experience to ON in the upper right of the page. You can revert to the Enriched Events page at any time by toggling New Investigate experience to OFF.
Tip: You can also use the Enriched Events Search API to search through all the data that is reported by your organization’s Endpoint Standard-enabled sensors to find one or more specific enriched events that match the search criteria.

Four tabs, each with a focused perspective, offer alternative ways to view information about the events in your environment.

Tip: Timestamps in the console are displayed in the user's local time zone. Hover over timestamps to view the local time relative to the UTC time zone.

Events

The Events tab is the default view. It shows every event stored in the Carbon Black Cloud, including all failed and successful operations performed by applications and processes on endpoints.

Click the caret to open up additional process and event type information in the right-side panel.

  • Click the dropdown arrow next to the process name to take action on the process.
  • Click More to view additional device details and take action on the device.
  • In the right-side panel, click the expand iconExpand in the Process section to see obfuscated script translation. For more details, see Investigating Script-Based Attacks.
Title Description
Time Date and time when the event occurred.
Type The type of event. Types include: childproc, filemod, netconn, crossproc, modload, scriptload, and regmod.
Event Details associated with the event, including the application/process path, what occurred during the event, and whether the operation was successful or not.
Device The registered name of the device.

Applications

The Applications tab displays the total number of events associated with each unique hash.

Click the dropdown icon to take action on an application/process:

  • Add to approved list/banned list: Add the application to the company approved list or company banned list.
  • Request upload: Request an upload of the application file for your analysis. The file will be uploaded onto the Inbox page once completed.
  • Find in VirusTotal: Find current information about the hash from various sources.
Title Description
Hash The SHA-256 of the application/process. Click the hyperlinked hash to search by SHA-256 hash on the Events tab.
Application The name and path of the application/process. Click the hyperlinked name to search by application/process name on the Events tab.
Effective Reputation The reputation of the application/process hash as applied by the sensor at the time the event occurred.
Current Cloud Reputation The real-time reputation of the application/process hash reported by the Carbon Black Cloud.
Events The total number of events associated with the application/process hash. Click the hyperlinked number to search by SHA-256 hash on the Events tab.
Devices The number of devices the hash has been detected on.

Devices

The Devices tab displays the total number of events associated with each device in your environment.

Click the dropdown icon to take action on a specified device:

  • Enable or disable bypass
  • Quarantine or unquarantine a device
Title Description
Device The registered name of the device. Click the hyperlinked device name to see additional device details and to take action, including enable/disable bypass and quarantine/unquarantine the device.
User User context in which the process was executed.
Policy The policy group to which the device is registered. Click the hyperlinked policy name to view the policy on the Policies page.
Group The sensor group to which the device is assigned, if applicable. Sensor groups can be viewed and managed on the Inventory > Endpoints page.
OS The device's operating system.
Events The total number of events associated with the device. Click the hyperlinked number to search by device ID on the Events tab.

Network

The Network tab displays all network related events associated with each device and application/process in your environment.

Click the caret to open up additional process and network connection information in the right-side panel.

  • Click the dropdown arrow next to the process name to take action on the process.
  • Click More to view additional device details and take action on the device.
Title Description
Device time The time when the network connection occurred.
Device The registered name of the device. Click the hyperlinked device name to see additional device details and to take action, including enable/disable bypass and quarantine/unquarantine the device.
Process The name and path of the application/process. Click the hyperlinked name to see a visualization of the network connection on the process tree.
Source The source IP address.
Destination The destination IP to which the connection was made.
Location The geographical location of the remote network connection.
Protocol Network protocol related to the network connection.
Port Destination port of the network connection initiated or received by the process.