VMware Carbon Black is well known as a pioneer and market leader in endpoint detection and response (EDR). Carbon Black Enterprise EDR provides best-in-class visibility into process activity, and as Enterprise EDR evolves into an XDR solution, we are expanding the types of data we collect and correlate. With the release of Identity Intelligence, a complementary new feature now available in Enterprise EDR, we are improving the visibility Enterprise EDR provides into user authentication activity. Authentication activity is another type of endpoint telemetry that is essential for identifying anomalies and threats.
In the initial release of Identity Intelligence, Enterprise EDR collects various types of Windows authentication events, which are reported in the new Auth Events tab on the Investigate page. The reporting of authentication events facilitates the correlation of authentication and process activity and yields more context-rich threat hunting, investigations, and incident response.
Some of the benefits Security Operations Center (SOC) analysts gain from the addition of Identity Intelligence include:
- Increased visibility into endpoint activity
- Additional context during threat hunting and incident response
- Increased potential for correlation of authentication and process events
- Reduced Mean Time to Respond (MTTR)
- Consolidation: reduced reliance on third-party solutions for the collection of authentication events
Figure 1: Enterprise EDR customers can search and filter for Windows authentication events in the Auth Events tab on the Investigate page.
Furthermore, the addition of Identity Intelligence to Enterprise EDR provides greater insight into:
- Attackers’ authentication-based tactics, techniques, and procedures (TTPs)
- Who was logged in to an endpoint when interesting process or network activity occurred
- Who attempted but failed to log in to an endpoint
- Brute-force attacks
- Attempted or successful logins outside of expected hours
- Remote authentication attempts from anomalous or suspicious sources
- Abnormal privilege escalation attempts
- Account changes
- Use of stolen credentials
- Lateral movement between endpoints
- Insider threat behavior and more
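As an added illustration, not code from this announcement or from the Carbon Black product, the snippet below runs the kinds of correlation the list above describes over a handful of constructed Windows authentication and process records: which source is generating a burst of failed logons (brute force), whether that burst ended in a success, which successful logons fall outside business hours, and which logon session was active on a host when a given process started. The record field names (`time`, `host`, `user`, `source_ip`, `logon_type`, `result`, `process`) are hypothetical placeholders chosen for the example, not the Enterprise EDR Auth Events schema, and the thresholds and business-hours window are assumptions a SOC would tune to its own environment.

```python
"""Correlate constructed authentication and process events (added example).

All field names are hypothetical placeholders, not a product schema.
Timestamps are naive local time for simplicity; a real pipeline would
normalise to UTC before comparing hours or windows.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample authentication events (hypothetical schema).
AUTH_EVENTS = [
    {"time": "2024-03-04T09:02:00", "host": "WS-017", "user": "alice",
     "source_ip": "10.0.5.23", "logon_type": 2, "result": "success"},
    # Six failures from one source against one host within five minutes,
    # followed by a success from the same source.
    {"time": "2024-03-04T23:30:00", "host": "SRV-02", "user": "admin",
     "source_ip": "10.0.9.77", "logon_type": 3, "result": "failure"},
    {"time": "2024-03-04T23:30:20", "host": "SRV-02", "user": "administrator",
     "source_ip": "10.0.9.77", "logon_type": 3, "result": "failure"},
    {"time": "2024-03-04T23:31:00", "host": "SRV-02", "user": "backup",
     "source_ip": "10.0.9.77", "logon_type": 3, "result": "failure"},
    {"time": "2024-03-04T23:32:10", "host": "SRV-02", "user": "svc_backup",
     "source_ip": "10.0.9.77", "logon_type": 3, "result": "failure"},
    {"time": "2024-03-04T23:33:05", "host": "SRV-02", "user": "svc_backup",
     "source_ip": "10.0.9.77", "logon_type": 3, "result": "failure"},
    {"time": "2024-03-04T23:34:40", "host": "SRV-02", "user": "svc_backup",
     "source_ip": "10.0.9.77", "logon_type": 3, "result": "failure"},
    {"time": "2024-03-04T23:36:00", "host": "SRV-02", "user": "svc_backup",
     "source_ip": "10.0.9.77", "logon_type": 3, "result": "success"},
    # A late-night remote (type 10) logon from the same source onto a workstation.
    {"time": "2024-03-04T23:41:00", "host": "WS-017", "user": "alice",
     "source_ip": "10.0.9.77", "logon_type": 10, "result": "success"},
]

# Constructed sample process events (hypothetical schema).
PROCESS_EVENTS = [
    {"time": "2024-03-04T09:10:00", "host": "WS-017", "process": "outlook.exe"},
    {"time": "2024-03-04T23:42:30", "host": "WS-017", "process": "powershell.exe"},
]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(host, source_ip): peak_failures} for sources whose failed logons
    reach `threshold` within any sliding `window`. Threshold is an assumption."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[(e["host"], e["source_ip"])].append(_ts(e["time"]))
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(count, flagged.get(key, 0))
    return flagged


def successes_after_burst(events, threshold=5, window=timedelta(minutes=10)):
    """Successful logons from a (host, source) already flagged as brute forcing:
    the case worth escalating, since the burst may have found a valid credential."""
    flagged = brute_force_sources(events, threshold, window)
    return [e for e in events
            if e["result"] == "success" and (e["host"], e["source_ip"]) in flagged]


def off_hours_logons(events, start_hour=8, end_hour=18):
    """Successful logons whose hour falls outside [start_hour, end_hour)."""
    return [e for e in events
            if e["result"] == "success"
            and not start_hour <= _ts(e["time"]).hour < end_hour]


def logon_for_process(proc, events, max_age=timedelta(hours=12)):
    """Most recent successful logon on the process's host that started before the
    process and no more than `max_age` earlier; None if there is no candidate."""
    t = _ts(proc["time"])
    candidates = [e for e in events
                  if e["host"] == proc["host"] and e["result"] == "success"
                  and timedelta(0) <= t - _ts(e["time"]) <= max_age]
    return max(candidates, key=lambda e: _ts(e["time"])) if candidates else None


def correlate(process_events, auth_events):
    """Attach the responsible logon's user, source and logon type to each process."""
    out = []
    for p in process_events:
        logon = logon_for_process(p, auth_events)
        out.append({**p,
                    "user": logon["user"] if logon else None,
                    "logon_source": logon["source_ip"] if logon else None,
                    "logon_type": logon["logon_type"] if logon else None})
    return out


if __name__ == "__main__":
    print("brute force:", brute_force_sources(AUTH_EVENTS))
    print("success after burst:", successes_after_burst(AUTH_EVENTS))
    print("off hours:", off_hours_logons(AUTH_EVENTS))
    for row in correlate(PROCESS_EVENTS, AUTH_EVENTS):
        print(row)
```

The sliding window in `brute_force_sources` is what keeps a slow, steady failure rate from being mistaken for a burst; the `successes_after_burst` check is the one most worth routing to an analyst, because a success from a source that was just failing repeatedly is the pattern the "use of stolen credentials" and "lateral movement" bullets describe.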
This initial Identity Intelligence release is just the beginning of our journey to increase the amount of insight Enterprise EDR provides into identities and their authentication activity. In future phases, we plan to expand the variety of Windows authentication event types Enterprise EDR collects, collect authentication events on macOS and Linux devices, support authentication event data in Watchlists to enable detections based on authentication activity, and more.
Note: Collection of Identity Intelligence events is disabled by default. Collection can be enabled per policy using the ‘Enable Auth Event Collection’ setting in the ‘Sensor’ tab of the ‘Policies’ page. Please see the User Guide for more details.
- User Exchange Announcement
- VMware Carbon Black Cloud Console Release Notes > Identity Intelligence
- VMware Carbon Black Cloud User Guide > Investigating Events > Investigate - Auth Events
- Auth Events API Documentation
- Search Fields – Investigate API Documentation