Carbon Black Cloud Endpoint Standard

Version: Carbon Black Cloud Endpoint Standard

Carbon Black Cloud Endpoint Standard (formerly called CB Defense) is a Next-Generation Antivirus (NGAV) and Endpoint Detection and Response (EDR) solution that protects against the full spectrum of modern cyber-attacks. Next-Generation Anti-Virus (NGAV) uses machine learning and behavioural models to analyze endpoint activity and uncover malicious behaviour, stopping all types of attacks before they reach critical systems.

Netsurion Open XDR manages logs retrieved from Carbon Black Cloud Endpoint Standard. The alerts, reports, dashboards, and saved searches in Netsurion Open XDR are enhanced by capturing important and critical activities in Carbon Black Cloud Endpoint Standard.

The following are the key assets included with this Data Source Integration.

Alerts

| Type | Name | Description |
| --- | --- | --- |
| Security | CB Defense – Threat detected | Generated for events that are flagged as INJECT_CODE or identified as a source of malicious behavior. |
| Compliance | CB Defense – Policy action enforced | Generated for events flagged as POLICY_ACTION, which occur when a user performs policy-control activities such as creating, deleting, or modifying a policy. |

Reports

| Type | Name | Description |
| --- | --- | --- |
| Security | CB Defense – Threat detection | Provides information about threats detected. This includes the device timestamp, device name, device OS, OS version, device installed by, process command line, process name, process reputation, SHA256, and MITRE TTP (if applicable). |
| Compliance | CB Defense – Policy action | Provides information about policies changed by users. This includes the device timestamp, device policy, enrichment status, SHA256, process name, process reputation, and MITRE TTP (if applicable). |
| Operational | CB Defense – Network activity | Provides information about network traffic. This includes the device timestamp, remote IP address, remote port number, peer geo location, process name, process reputation, and MITRE TTP (if applicable). |
| Operational | CB Defense – Application access | Provides information about the applications accessed by users. This includes the device timestamp, child process name, child process reputation, parent process name, parent process reputation, process name, process reputation, and MITRE TTP (if applicable). |
| Operational | CB Defense – File and Registry access | Provides information about the file and registry changes made by users. This includes the device timestamp, file name, file hash, file path, process name, process reputation, and MITRE TTP (if applicable). |
| Operational | CB Defense – Data access | Provides information about data accessed by users. This includes the device timestamp, device name, device OS, OS version, process name, process reputation, and MITRE TTP (if applicable). |

Dashboards

| Type | Name | Description |
| --- | --- | --- |
| Operational | CB Defense – Enriched event types | Displays all the enriched event types captured by CB Defense. |
| Operational | CB Defense – Device locations | Displays all the device locations captured by CB Defense. |
| Operational | CB Defense – Device names | Displays all the device names captured by CB Defense. |
| Operational | CB Defense – MITRE ATT&CK by event types | Displays MITRE ATT&CK techniques broken down by event type. |
| Operational | CB Defense – Top child processes | Displays the top child processes captured by CB Defense. |
| Operational | CB Defense – Top parent processes | Displays the top parent processes captured by CB Defense. |

Saved Searches

| Type | Name | Description |
| --- | --- | --- |
| Security | CB Defense – Threat detection | Lets users filter and view logs for events that are flagged as INJECT_CODE or found to be a source of malicious behaviour. |
| Compliance | CB Defense – Policy action | Lets users filter and view logs specific to policy-control activities such as creating, removing, or modifying a policy. |
| Operational | CB Defense – Application access | Lets users filter and view logs specific to application access activity, such as CREATE_PROCESS or SYSTEM_API_CALL. |
| Operational | CB Defense – Data access | Lets users filter and view logs specific to DATA_ACCESS activity by a user. |
| Operational | CB Defense – File and registry access | Lets users filter and view logs specific to file creation and registry access, such as REGISTRY_ACCESS or FILE_CREATE. |
| Operational | CB Defense – Network activity | Lets users filter and view logs specific to network activity, including the details of connections established to a remote IP. |

Documentation

The configuration details are consistent with Netsurion Open XDR 9.3 and later, and Carbon Black Cloud Endpoint Standard.

Download the Integration Guide for configuration instructions and more information.