Following the release of Carbon Black XDR, customers using other Carbon Black Cloud modules will experience changes in the console that will help accelerate their workflows with additional context.
What’s changing for Endpoint Standard customers?
Endpoint Standard customers now have access to “Observations,” which are the evolution of Enriched Events. Currently, customers can toggle between the new and old experience in their console; later this year the Observations page will replace Enriched Events with the goal of providing analysts with additional information that will help to identify real threats with more speed and confidence.
Observations provide additional security context and organization for your endpoint events. Changes you will notice include:
- New Timeline View (aka histogram)
- New search fields, including: observation_description, netconn_community_id and others
- New "Observation Type" categorization in filters and directly in the search results, such as "Indicator of Attack"
- New “Group By” feature in the search results table (up to a 10,000 search result limit)
- Enhanced Netconn card in the right-hand details view for network-centric Observations
- MITRE ATT&CK attributions
What stays the same?
All of your Enriched Events data is still available and will not be removed, but we've further categorized these detections as TAU Intelligence, Tamper, Blocked Hash, CB Analytics or Contextual Activity.
Summary views of the search activity across your fleet are still available but have been improved by the new “Group By” capability. This improvement replaces the slow, static sub-tabs to provide a more flexible search experience.
Why change Enriched Events?
The changes introduced recently to the fleet-wide index of activity required us to update our approach to endpoint activity collection and categorization.
- Enriched Events in Endpoint Standard relied heavily on a set of descriptions and TTPs that do not support our future direction.
- Future releases of the Observations API will include changes that, if applied to the Enriched Events API, would have negatively impacted its operational efficacy.
As an API-first platform, the Carbon Black Cloud will not add breaking changes to an existing, supported API when bringing improvements to our customers and ecosystem. So, we developed the new Observations API as a foundational component of our platform that we will build on, and eventually this Observations API will eliminate the need for Enriched Events.
The flexibility of Observations enables us to support additional new Observation types in the Observations stream: first Intrusion Detection System (IDS), next Network Traffic Analysis (NTA), and then further security-centric uplevelling of the raw and contextual events that form the backbone of your security investigations.
These new detections started rolling out last year, and it's time to pull back the covers and present a better way of delivering security context beyond the raw event. By characterizing events with our security-centric analytics such as MITRE ATT&CK, we can provide more intelligence to the security analyst in a more succinct and standardized manner.
We're confident that the added focus on security-centric findings will make it possible for our customers to be more efficient and effective at finding and stopping cyberattacks in their organizations.
Who does this apply to?
All existing Endpoint Standard customers can now access “Observations” using the “New Investigate Experience” toggle on the Investigate page. This experience can be enabled or disabled at any time but will eventually replace the Enriched Events page.
Additionally, customers who purchase the XDR add-on will also have access to the Observations page upon deployment.
What's the plan with Enriched Events?
The Enriched Events tab on the Investigate page will remain the default experience for another month while the Observations page is finalized based on customer feedback. After that, the Investigate page will default to show the Observations tab; however, customers will still be able to toggle back to the old Enriched Events experience as needed. Later in 2023, once we have given our customers an opportunity to let us know any gaps in important functionality we may have missed in Observations, we will remove the Enriched Events option from the Investigate page.
The underlying Enriched Events API has been deprecated as of the launch of XDR in favor of the Observations API and will remain supported for a year before it is deactivated.
Over the next year or two, you will start to notice that some kinds of redundant activity records that were previously reported as an Enriched Event (and which appear under new categories in Observations) may be removed, and that new, more security-centric Observations will be introduced.
Do you have a demo of the new Observation UI?
Please see the below Observation video highlighting the key features.
Your feedback is important
This is an investment we're making to improve the security efficacy of Carbon Black Cloud, and your feedback will be important to help us help you as we make the most cost-effective investments in your security.
Please utilize the “Give Feedback” form to provide your feedback on the Observation page.