This section defines some key terms you will encounter when using Carbon Black EDR.




Executable file (for example, PE Windows file, ELF Linux file, or Mach-O Macintosh file) that is loaded onto a computer file in binary form for computer storage and processing purposes. Carbon Black EDR only collects binaries that execute. It does not collect scripts, batch files, or computer files that are created or modified.

  • Carbon Black EDR collects the script or batch file names from command prompts and command lines.
  • Carbon Black EDR collects file names and paths as they are created or modified.

Carbon Black EDR Sensor

Lightweight data gatherers installed on hosts on the deployed network. They gather event data on the hosts and securely deliver it to the Carbon Black EDR server for storage and indexing.

Carbon Black EDR Server

A CentOS server that exists on the deployed network. It receives data from sensors, stores and indexes that data, and provides access to the data through the Carbon Black EDR console.

Carbon Black Threat Intel Feeds

Pre-configured threat intelligence feeds. These feeds contain threat intelligence data. These feeds come from various sources:

  • Carbon Black
  • Our MSSP/IR partners
  • Our customers
  • Open-source

Carbon Black Threat Intel feeds provide a list of Indicators of Compromise (IOCs) and contextual information based on binary/process attributes and events (MD5, SHA-256, IP, domain). These attributes and events are scored and rated, and then correlated with any matching files in your environment. For more information, see Threat Intelligence Feeds.

Carbon Black Threat Intel Server

A server that is managed by Carbon Black and augments the functionality of the Carbon Black EDR server.

Data File

A computer file that is a resource for storing information that requires a computer program (executable or binary file) to run. Data files are not captured by the Carbon Black EDR sensor.

Indicators of Compromise (IOCs)

Carbon Black EDR sensors constantly monitor your computers for IOCs and send alerts to the Carbon Black EDR console when detected.

Queries are dynamic indicators that look at behaviors that are continuously recorded by sensors on endpoints and centrally recorded for analysis.

Hashes (MD5, SHA-256), IP addresses, and domain names are static indicators that are similar to signatures. They are used to identify suspected malicious activity.


Unique cryptographic hash identifier for a binary instance in Carbon Black EDR.


An instance of the execution of a binary file.


Fully customizable searches that contain lists you can use to track specific IOCs. Watchlists are saved searches that are visible to all users. They can be used for searching either processes or binary executable files.