Carbon Black Cloud Endpoint Standard

OverviewResources

Once Cb Defense is configured to deliver events to EventTracker Manager; knowledge objects, dashboards and reports can be configured into EventTracker.

Security

Alerts

CB Defense - Threat detected: This alert is triggered when EventTracker receives CB defense events which is flagged as INJECT_CODE, or source of malicious behavior.

Reports

Cb Defense - Threat detection: This report provides information about threats detected. This includes information such as, device timestamp, device name, device OS, OS version, device installed by, process command line, process name, process reputation, SHA256, MITRE TTP (if applicable).

Operation

Reports

Cb Defense - Network activity: This report provides information about network traffic details. This includes information such as, device timestamp, remote IP address, remote port number, peer geo location, process name, process reputation, MITRE TTP (if applicable).

Compliance

Alerts

CB Defense - Policy action enforced: This alert is triggered when EventTracker receives CB Defense events which is flagged is POLICY_ACTION, which basically is, a user performs an activity such as create policy, delete policy, modify policy, etc.

Reports

Cb Defense - Application access: This report provides information about applications accessed by users. This includes information such as, device timestamp, child process name, child process reputation, parent process name, parent process reputation, process name, process reputation, MITRE TTP (if applicable).
Cb Defense - File and Registry access: This report provides information about file and registry changes done by the users. This includes information such as, device timestamp, file name, file hash, file path, process name, process reputation, MITRE TTP (if applicable).
Cb Defense - Data access: This report provides information about data accessed by users. This includes information such as, device timestamp, device name, device OS, OS version, process name, process reputation, MITRE TTP (if applicable).
Cb Defense - Policy action: This report provides information about policies changed by users. This includes information such as, device timestamp, device policy, enrichment status, Sha256, process name, process reputation, MITRE TTP (if applicable).

Scope

The configuration details in this guide are consistent with EventTracker version 9.x and later, and Carbon Black Cloud Endpoint Standard.

Documentation:

For more information please refer to the Integration guide

To configure Carbon Black Cloud Endpoint Standard to send logs to EventTracker, refer to the How-to Guide.