Carbon Black Cloud Endpoint Standard
Version: Carbon Black Cloud Endpoint Standard
Carbon Black Cloud Endpoint Standard (formerly called CB Defense) is a Next-Generation Antivirus (NGAV) and Endpoint Detection and Response (EDR) solution that protects against the full spectrum of modern cyber-attacks. NGAV uses machine learning and behavioral models to analyze endpoint activity and uncover malicious behavior, stopping attacks before they reach critical systems.
Netsurion Open XDR ingests and manages logs retrieved from Carbon Black Cloud Endpoint Standard. Its alerts, reports, dashboards, and saved searches capture the important and critical activities reported by Carbon Black Cloud Endpoint Standard.
The following are the key assets included with this Data Source Integration.
Alerts
Type | Name | Description |
---|---|---|
Security | CB Defense – Threat detected | Generated for events that are flagged as INJECT_CODE, or that are identified as a source of malicious behavior. |
Compliance | CB Defense – Policy action enforced | Generated for events that are flagged as POLICY_ACTION, which occur when a user performs policy control activities such as creating, deleting, or modifying a policy. |
Reports
Type | Name | Description |
---|---|---|
Security | CB Defense – Threat detection | Provides information about threats detected. This includes information like device timestamp, device name, device OS, OS version, device installed by, process command line, process name, process reputation, SHA256, MITRE TTP (if applicable). |
Compliance | CB Defense – Policy action | Provides information about policies changed by users. This includes information like device timestamp, device policy, enrichment status, SHA256, process name, process reputation, MITRE TTP (if applicable). |
Operational | CB Defense – Network activity | Provides information about network traffic details. This includes information like device timestamp, remote IP address, remote port number, peer geo location, process name, process reputation, MITRE TTP (if applicable). |
Operational | CB Defense – Application access | Provides information about the applications accessed by users. This includes information like device timestamp, child process name, child process reputation, parent process name, parent process reputation, process name, process reputation, MITRE TTP (if applicable). |
Operational | CB Defense – File and Registry access | Provides information about the file and registry changes made by users. This includes information like device timestamp, file name, file hash, file path, process name, process reputation, MITRE TTP (if applicable). |
Operational | CB Defense – Data access | Provides information about data accessed by users. This includes information like device timestamp, device name, device OS, OS version, process name, process reputation, MITRE TTP (if applicable). |
Dashboards
Type | Name | Description |
---|---|---|
Operational | CB Defense – Enriched event types | Displays all the enriched event types captured by CB Defense. |
Operational | CB Defense – Device locations | Displays all the device locations captured by CB Defense. |
Operational | CB Defense – Device names | Displays all the device names captured by CB Defense. |
Operational | CB Defense – MITRE ATT&CK by event types | Displays the MITRE ATT&CK techniques captured by CB Defense, broken down by event type. |
Operational | CB Defense – Top child processes | Displays all the top child processes captured by CB Defense. |
Operational | CB Defense – Top parent processes | Displays all the top parent processes captured by CB Defense. |
Saved Searches
Type | Name | Description |
---|---|---|
Security | CB Defense – Threat detection | Lets users filter and view logs for events that are flagged as INJECT_CODE or found to be a source of malicious behavior. |
Compliance | CB Defense – Policy action | Lets users filter and view logs specific to policy control activities such as creating, removing, or modifying a policy. |
Operational | CB Defense – Application access | Lets users filter and view logs specific to application access activity, such as CREATE_PROCESS or SYSTEM_API_CALL events. |
Operational | CB Defense – Data access | Lets users filter and view logs specific to DATA_ACCESS activity by a user. |
Operational | CB Defense – File and registry access | Lets users filter and view logs specific to file creation and registry access, such as FILE_CREATE or REGISTRY_ACCESS events. |
Operational | CB Defense – Network activity | Lets users filter and view logs specific to network activity, including the details of connections established to a remote IP address. |
Documentation
The configuration details are consistent with Netsurion Open XDR 9.3 and later, and Carbon Black Cloud Endpoint Standard.
Download the Integration Guide for configuration instructions and more information.