Installed sensors gather event data on host computers (endpoints) and securely deliver the data to the Carbon Black EDR server for storage and indexing. This enables your team to see and understand the history of an attack, even if the attacker deleted artifacts of its presence.
A sensor checks in with the Carbon Black EDR server every five minutes to report the activity it has detected. The server responds and tells the sensor how much data to send. To aid in detecting indicators of compromise (IOCs), the server compares the data it records from sensors with the latest data synchronized from the threat intelligence feed partners that you have enabled.
We recommend that you run Network Time Protocol (NTP) on both the sensors and the Carbon Black EDR server. Carbon Black EDR has no hard technical requirement that sensor and server clocks be synchronized, but event correlation depends on a shared understanding of when things occurred: an analyst judges that events are strongly coincidental, and therefore likely related, by comparing their timestamps, and that judgment is only as good as the clocks that produced them.
Using NTP ensures that the times reported by the various sensors agree with the time as understood by the Carbon Black EDR server, so that queries run on the server present related events in an order that analysts can readily correlate. It also lets downstream processing systems such as SIEMs perform the same time-based correlation. Accurate timekeeping through NTP or an equivalent service is therefore essential to the proper operation of Carbon Black EDR.
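To make the consequence of clock skew concrete, the following is an added illustration, not Carbon Black EDR code and not its data format or API. It correlates constructed sample events from two hosts by a time window, then shifts one host's clock by 90 seconds to show that the related events stop correlating and that the cross-host timeline reads causally backwards (the process on the file server appears to start before the connection that reached it). The host names, the 5-second window and the event records are all assumptions made for the example.

```python
"""Time-window correlation of endpoint events across hosts, and the effect of
clock skew on it. Added example; not Carbon Black EDR code. All records and
parameters below are constructed for illustration."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    host: str
    ts: datetime
    kind: str
    detail: str


# Constructed sample records (host, ISO-8601 UTC time, event kind, detail):
# a PowerShell launch on ws-01 opens SMB to fs-01, and a process starts on
# fs-01 moments later. The file write 20 minutes on is unrelated noise.
SAMPLE_ROWS = [
    ("ws-01", "2024-03-05T10:00:00Z", "process", "powershell.exe -enc ..."),
    ("ws-01", "2024-03-05T10:00:02Z", "netconn", "ws-01 -> fs-01:445"),
    ("fs-01", "2024-03-05T10:00:03Z", "process", "rundll32.exe payload.dll"),
    ("fs-01", "2024-03-05T10:20:00Z", "filemod", "C:\\Windows\\Temp\\payload.dll"),
]


def parse_rows(rows):
    """Turn (host, iso_time, kind, detail) tuples into Event objects with UTC timestamps."""
    events = []
    for host, iso, kind, detail in rows:
        ts = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(host, ts, kind, detail))
    return events


def apply_skew(events, host, seconds):
    """Simulate an unsynchronized clock on `host`: every event that host reported
    is shifted by `seconds`, which is how the server records it when the
    sensor's clock is wrong and nothing normalizes it."""
    delta = timedelta(seconds=seconds)
    return [replace(e, ts=e.ts + delta) if e.host == host else e for e in events]


def correlate(events, window_seconds=5):
    """Pair events from different hosts whose timestamps lie within the window.
    Returns a list of (earlier_event, later_event) tuples."""
    window = timedelta(seconds=window_seconds)
    ordered = sorted(events, key=lambda e: e.ts)
    pairs = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.ts - a.ts > window:
                break  # sorted input: nothing further can be within the window
            if a.host != b.host:
                pairs.append((a, b))
    return pairs


def timeline(events):
    """Cross-host timeline as an analyst reads it: 'host:kind' labels sorted by reported time."""
    return [f"{e.host}:{e.kind}" for e in sorted(events, key=lambda e: e.ts)]


if __name__ == "__main__":
    synced = parse_rows(SAMPLE_ROWS)
    print("synchronized:", timeline(synced), "->", len(correlate(synced)), "pairs")
    # fs-01's clock runs 90 s slow: its events are stamped earlier than they happened.
    skewed = apply_skew(synced, "fs-01", -90)
    print("fs-01 90s slow:", timeline(skewed), "->", len(correlate(skewed)), "pairs")
```

Widening the correlation window to absorb the skew is not a fix: a window large enough to cover an unknown offset also pairs unrelated events, and it cannot repair the inverted ordering, which is why the recommendation is to remove the skew at the source with NTP.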
Each sensor belongs to a sensor group that defines the configuration and security characteristics for the sensor. For example, sensor groups define the upgrade policy and types of event information that sensors in the group collect. One sensor group can contain many sensors, but a single sensor can only belong to one sensor group. See Sensor Groups for more information.
To secure communication between sensors and the server, Carbon Black EDR encrypts sensor traffic with TLS (HTTPS). You can use the default server certificate or add your own server certificates and assign different certificates to different sensor groups. See Managing Certificates for details.
Collected Data Types
Sensors collect information about the following data types:
Currently running parent and child processes
(macOS and Linux only) Fork and posix_exec processes
Modules loaded by processes
Processes blocked as the result of a Carbon Black EDR hash ban
Binaries
File executions
File modifications
Network connections
(Windows only) Registry modifications
(Windows only) Cross-process events (an occurrence of one process crossing the security boundary of another process)
(Windows only) Enhanced Mitigation Experience Toolkit (EMET) events and configuration
Incident-Response Features
To help you manage sensors and work with the information they capture, Carbon Black EDR provides incident-response features with the following capabilities:
Directly respond to a threat detected on an endpoint through a command interface
Isolate an endpoint with a suspicious process or threat
Ban process hashes to prevent known malware from running in the future
Set watchlists to monitor suspicious activity on endpoints
For information on these incident-response features, see Responding to Endpoint Incidents and Watchlists.