Installed sensors gather event data on host computers (endpoints) and securely deliver the data to the Carbon Black EDR server for storage and indexing. This enables your team to see and understand the history of an attack, even if the attacker deleted artifacts of its presence.

A sensor checks in with the Carbon Black EDR server every five minutes to report the activity that it detects. The server responds and notifies the sensor about how much data to send. To aid in detecting IOCs, the server compares the data it records from sensors with the latest data that is synchronized from the threat intelligence feed partners that you have enabled.
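As an added example (not Carbon Black's own code or API), the following check flags sensors that have gone silent relative to the five-minute check-in cadence described above, and summarizes silence per sensor group; the SensorStatus record shape and the sample check-in data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Documented check-in cadence: a sensor reports to the server every five minutes.
CHECKIN_INTERVAL = timedelta(minutes=5)

@dataclass
class SensorStatus:
    """Last-seen record for one sensor (hypothetical shape, not the product's API)."""
    sensor_id: int
    hostname: str
    group: str
    last_checkin: datetime

def missed_checkins(sensor, now, interval=CHECKIN_INTERVAL):
    """Whole check-in intervals elapsed since the sensor last reported."""
    elapsed = now - sensor.last_checkin
    if elapsed < timedelta(0):  # clock skew: check-in "in the future", treat as current
        return 0
    return int(elapsed // interval)

def stale_sensors(sensors, now, max_missed=3):
    """(sensor, missed) pairs for sensors silent for more than max_missed intervals,
    most overdue first. A silent sensor may be offline, isolated or tampered with."""
    flagged = [(s, missed_checkins(s, now)) for s in sensors]
    flagged = [(s, m) for s, m in flagged if m > max_missed]
    return sorted(flagged, key=lambda pair: pair[1], reverse=True)

def stale_by_group(sensors, now, max_missed=3):
    """Per sensor group: (stale count, total count). A group where every sensor
    is silent points at group-level configuration (such as the certificate
    assigned to that group) rather than at individual hosts."""
    stale_ids = {s.sensor_id for s, _ in stale_sensors(sensors, now, max_missed)}
    summary = {}
    for s in sensors:
        stale, total = summary.get(s.group, (0, 0))
        summary[s.group] = (stale + (s.sensor_id in stale_ids), total + 1)
    return summary

# Constructed sample data (not real check-in records).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    SensorStatus(1, "ws-01", "Default", NOW - timedelta(minutes=3)),
    SensorStatus(2, "ws-02", "Default", NOW - timedelta(minutes=22)),
    SensorStatus(3, "srv-01", "Servers", NOW - timedelta(hours=2)),
    SensorStatus(4, "srv-02", "Servers", NOW - timedelta(minutes=90)),
    SensorStatus(5, "mac-01", "Default", NOW + timedelta(minutes=1)),  # clock skew
]
```

Calling `stale_sensors(SAMPLE, NOW)` on the sample data lists srv-01, srv-02 and ws-02 as overdue, and `stale_by_group(SAMPLE, NOW)` shows the Servers group entirely silent, which is the pattern worth checking at the group level first.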

Each sensor belongs to a sensor group that defines the configuration and security characteristics for the sensor. For example, sensor groups define the upgrade policy and types of event information that sensors in the group collect. One sensor group can contain many sensors, but a single sensor can only belong to one sensor group. See Sensor Groups for more information.

To secure communication between sensors and the server, Carbon Black EDR uses HTTPS and TLS. You can use the default server certificate or add your own server certificates and assign different certificates to different sensor groups. See Managing Certificates for details.

Collected Data Types

Sensors collect information about the following data types:

  • Currently running parent and child processes

  • (macOS and Linux only) Fork and posix_exec processes

  • Modules loaded by processes

  • Processes blocked as the result of a Carbon Black EDR hash ban

  • Binaries

  • File executions

  • File modifications

  • Network connections

  • (Windows only) Registry modifications

  • (Windows only) Cross-processes (an occurrence of a process that crosses the security boundary of another process)

  • (Windows only) Enhanced Mitigation Experience Toolkit (EMET) events and configuration

Incident-Response Features

To help you manage sensors and work with the information they capture, Carbon Black EDR provides incident-response features with the following capabilities:

  • Directly respond to a threat detected on an endpoint through a command interface

  • Isolate an endpoint with a suspicious process or threat

  • Ban process hashes to prevent known malware from running in the future

  • Set watchlists to monitor suspicious activity on endpoints

For information on these incident-response features, see Responding to Endpoint Incidents and Watchlists.