Carbon Black XDR: Optimize Your Threat Detection and Response

March 15, 2023

Carbon Black Cloud customers can now further reduce their mean time to detect and respond (MTTD/MTTR) and gain additional visibility over their networks and systems with VMware Carbon Black Extended Detection and Response (XDR). Today, we announce the general availability of VMware Carbon Black XDR, the only XDR solution that natively combines telemetry from endpoint detection and response (EDR) with network telemetry, intrusion detection system (IDS) observations, and identity intelligence. With Carbon Black XDR, customers gain these additional capabilities without the need to rip and replace existing solutions or to add physical network taps to their infrastructure.  

As the evolution of VMware Carbon Black Enterprise EDR, Carbon Black XDR strengthens lateral security and unifies security tools so customers can see more and stop more. Carbon Black XDR offers a significant improvement in telemetry visibility from a single pane of glass and natively provides network telemetry to the Security Operations Center (SOC) that they may previously have had to rely on their Network Operations Center (NOC) teams to provide. Carbon Black XDR benefits SOC team analysts by providing the visibility required to get the highest confidence level in the response actions taken across environments. Ultimately, this delivers a reduction in MTTD and MTTR, the critical metrics to measure the speed and accuracy of threat detection and response.  

How Does It Work? 

Carbon Black XDR integrates telemetry and analytics for identity intelligence, network visibility, and IDS observations, natively combined with endpoint telemetry in the Carbon Black Cloud.  

Identity intelligence, another term for authentication events, provides visibility into user-centric events that are indicative of malicious activity and correlates this user data with process and network connection visibility. Identity intelligence is a complimentary new feature in Enterprise EDR that collects various types of authentication events and reports them in the new Auth Events tab on the Investigate page. The reporting of authentication events facilitates the correlation of authentication, process, and network activity and yields more context-rich threat hunting, investigations, and incident response.  

Graphical user interface, text, application, email</p>
<p>Description automatically generated 

Figure 1: Customers can search and filter for authentication events in the Auth Events tab on the Investigate page. 

Network visibility and IDS telemetry are an add-on to Enterprise EDR. These features enable customers to visualize and analyze network data in context using the Carbon Black Cloud. As adversaries continue to evade traditional security measures, they establish many network connections. Having network visibility associated with each process and command on every endpoint becomes increasingly important to provide deeper context and understand actions. All this deploys with no changes to infrastructure and transforms a fleet of endpoints into a distributed network sensor.  

Graphical user interface, application</p>
<p>Description automatically generated 

Figure 2: Customers can see network connections using the new Observations tab under the Investigate page and can control findings seen by time using the new histogram or filters to narrow search.  

Key Capabilities   

Customers can optimize threat detection and response and reduce alert fatigue by leveraging rich telemetry and deeper integration with Carbon Black XDR.  

Gain network connection visibility with Intrusion Detection System (IDS) Observations 

Visualize and analyze network data in context using the Carbon Black Cloud. The XDR network telemetry includes continuous capture and analysis of network fingerprints, flow, transport layer security (TLS) data, and applications-protocol data.  

Leverage user-centric event visibility  

Identity intelligence provides additional context for user-centric event visibility with network telemetry that is indicative of malicious activity, such as various forms of account misuse, anomalous authentication behavior, and insider threats.  

Proactively threat hunt 

With extended detection and response capabilities, Carbon Black XDR surfaces new results by preserving and extending the endpoint and network contexts during analysis and display. Proactively threat hunt for abnormal network and identity activity using threat intelligence and customizable queries 

Reduce dwell time with MITRE ATT&CK automatic tagging  

Automatic tagging of endpoint and network related events to the MITRE ATT&CK Tactics, Techniques, and Procedures (TTP) framework exposes the root cause and reduces dwell time. Visibility into network connections and IDS observations spanning your entire organization - including hybrid work environments - alongside automated TTP tagging gives analysts the advantage when responding to the latest attacks. 

Detect and respond faster 

Detect and respond faster to modern attacks by leveraging XDR capabilities with endpoint prevention, EDR, network, vulnerability assessment, and CIS Benchmarking all delivered from the same lightweight agent and managed from the same console.  

For more information about Carbon Black XDR, check out these resources:  


Filter Tags

Carbon Black XDR Blog Announcement