Make Way for Observations
Enriched Events are fully removed from the VMware Carbon Black Cloud UI
We launched a redesigned Investigate experience in March of 2023 - first as a preview, then as a soft opt-out, and most recently as a hard opt-out. Your uptake in response has been impressive - 95% of you now favour the new experience - and your feedback has been incredibly helpful to help us address the rough edges we missed.
We listened to your feedback - hundreds of responses - and have regularly updated the Investigate treatment of Observations in preparation for deactivating legacy Enriched Events on the Carbon Black Cloud Investigate page.
We'd like to let you know what's been done since launching the Observations experience on Investigate, and where Observations are headed in the future:
- Closely monitored the usage metrics of Observations vs Enriched Events
- Reviewed and triaged all feedback specifically logged via the Feedback forms we embedded on the Investigate page
- Two rounds of user-centered research, including many of you who provided specific feedback, to validate how the changes are impacting your workflows
Observations have been designed to provide you with additional layers of security context and a more organized approach to endpoint events. Here is what’s in store for you:
- New Timeline View (AKA Histogram) - Visualize your data differently, making threat detection easier
- Expanded Search Fields - Dive deeper with search fields like observation_description, netconn_community_id, and more.
- Observation Type Categorization - Quickly filter and identify threats with categories like “Indicators of Attack”
- Enhanced Grouping - Organize your search results with the new “Group By” features (with up-to a 10,000 result limit)
- Improved Netconn Card - Get a better grasp of network-centric Observations with an enhanced Netconn card in the details view
- MITRE ATT&CK Attributions - Stay on top of the latest threat intelligence with MITRE ATT&CK attributions
When we , customers had the ability to toggle between the Enriched Events and Observations. As of September 26th, 2023, this toggle will no longer be available. Going forward the Investigate page will default to the Observations experience.
Why the Change?
Our commitment to delivering top-notch security solutions led us to revamp our approach to Enriched Events, which relied on descriptions and TTPs – this didn’t support our future direction.
Replacing Enriched Events with Observations ensures delivery of enhancements that will strengthen and simplify your security program. By aligning events with MITRE ATT&CK, we can provide intelligence in a standardized manner to empower your security analysts. This security-centric approach will make you more efficient and effective at thwarting cyber threats.
Who’s Affected? All existing VMware Carbon Black Endpoint Standard customers.
For more information on Observations please review the additional supporting materials: