After sensors are installed and configured, your IT and security teams can perform basic tasks on a regular basis to ensure that there are no threats on any endpoint in your enterprise. Access to the Carbon Black EDR user interface is via browser, although you can perform some functions through an API.


Google Chrome is the only supported browser for this release. Although Firefox can be used, it causes rendering issues on some pages and is not recommended. Other browsers should not be used for console access.

The basic workflow is continuous: you search for threats, analyze them, resolve then, and using the tools of your choice, prevent them from happening again. As you search, you can tag any items that seem unusual or that merit further investigation and then drill down further to find out more details about those items.

Carbon Black EDR provides you with tools to help you detect and fix threats to your system. The following diagram shows the basic Carbon Black EDR workflow:

Workflow diagram

The following table shows how Carbon Black EDR provides solutions to problems.



What is the entry point of the threat?

Find out how the attacker got into your systems. Get oriented with visibility into everything that is running on every computer in your enterprise using the Process Search feature.

What did the attacker do?

Look deeper into suspicious processes and events to detect evidence of damage. Select processes that look suspicious and drill deeper using the Process Analysis feature.

How many machines were compromised?

Find out the scope of the damage by digging deeper into details about detected threats by using the Process Details and Binary Details pages. Set up Carbon Black Threat Intel feeds and Watchlists by defining characteristics of interesting activity that you want to be notified about and receiving notifications as you need them. Create Investigations of suspicious processes to keep track of key events during a given response.

How do we respond to threats?

Find out how bad the threat is, and then determine how to respond to it by seeing its full evolution, containing the threat, and then controlling it.

How do we stop the threat from happening again?

Use the Go Live feature to directly access content on endpoints that are running sensors. Set up Watchlists and Carbon Black Threat Intel feeds that identify specific issues, and use the feeds and watchlists to perform continuous searches. This can provide immediate detection to help you stop the threat from happening again, and ensures that you know of any new related activity.

How do we isolate threats?

You can isolate one or more Windows endpoints from the rest of your network and the Internet through the Carbon Black EDR console. For more information, see Isolating an Endpoint.


Access to Carbon Black EDR features is determined by the permissions that a logged-in user has. See Managing User Accounts (on premise) and Managing User Accounts (Hosted).