The Analyst role allows access to features for monitoring and investigation of suspicious or malicious activity on endpoints. You might allow some Analysts to take certain actions to remediate threats or vulnerabilities. Carbon Black EDR provides an interface for adding special permissions to Analysts on a per-user basis.

When enabled, these enhanced features allow a user to take action in sensor groups where the user is on a team with Analyst privileges:

Enhanced Permission


Ban hashes

Can ban files by hash and remove bans. These bans are applied to all sensors.

Isolate sensor

Can isolate a sensor in that group from the network and restore the sensor from isolation. See Isolating an Endpoint.

Live Response

Can connect to and act on a sensor in that group using Live Response. See Using Live Response.


Can set tamper level for sensor groups for which the user is an Analyst if the user also has the enhanced permission for tamper.

Uninstall sensors

Can use the console to uninstall a Carbon Black EDR sensor in the group. See also the Carbon Black EDR Sensor Installation Guide.

Execute Live Queries

Can run queries against endpoints. See Live Query.


You can add enhanced Analyst permissions to any user, but these permissions are unnecessary for a Carbon Black EDR Global Administrator or Carbon Black Hosted EDR Administrator. They have no effect on users who are not on a team with the Analyst role in at least one sensor group.
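
The scoping rules above lend themselves to a least-privilege review of who holds enhanced permissions. The following is an added example, not Carbon Black code: the record layout, user names, and sensor group names are constructed for illustration and do not correspond to any Carbon Black EDR export or API format.

```python
# Added example: models only the scoping rules stated on this page.
# The record layout is hypothetical; all sample data below is constructed.

def analyst_groups(user):
    """Sensor groups where the user is on a team holding the Analyst role."""
    return sorted({group
                   for team in user["teams"]
                   for group, role in team.items()
                   if role == "Analyst"})

def review(user):
    """Return (permission, finding) pairs for one user's enhanced permissions."""
    groups = analyst_groups(user)
    findings = []
    for perm in sorted(user["enhanced"]):
        if user["global_admin"]:
            # Administrators do not need enhanced Analyst permissions.
            findings.append((perm, "redundant: user is an administrator"))
        elif not groups:
            # No Analyst role in any sensor group: the grant has no effect.
            findings.append((perm, "inert: no Analyst role in any sensor group"))
        elif perm == "Ban hashes":
            # Bans are applied to all sensors, not only the Analyst's groups.
            findings.append((perm, "effective: bans apply to all sensors"))
        else:
            findings.append((perm, "effective in: " + ", ".join(groups)))
    return findings

# Constructed sample users; each team maps sensor group -> role on that group.
USERS = {
    "alice": {"global_admin": False,
              "teams": [{"Servers": "Analyst", "Laptops": "Viewer"}],
              "enhanced": {"Ban hashes", "Isolate sensor"}},
    "bob":   {"global_admin": False,
              "teams": [{"Laptops": "Viewer"}],
              "enhanced": {"Live Response"}},
    "carol": {"global_admin": True,
              "teams": [],
              "enhanced": {"Uninstall sensors"}},
}

if __name__ == "__main__":
    for name, user in USERS.items():
        for perm, finding in review(user):
            print(f"{name}: {perm} -> {finding}")
```

Grants reported as inert or redundant can be removed without changing what the user can do; "Ban hashes" deserves the closest review because its effect is not limited to the Analyst's own sensor groups.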