Carbon Black Cloud Audit and Remediation - Technical Overview
What is Carbon Black Cloud Audit and Remediation?
Audit and Remediation on the VMware Carbon Black Cloud is a real-time security operations solution that enables organizations to ask questions of all endpoints and take action to instantly remediate issues.
Audit and Remediation provide proactive threat hunting based on any data point, deep forensic investigation, and precise action in real-time. Audit and Remediation includes an interface highlighting Live Query allowing you to ask questions of your endpoints on demand and take immediate action from anywhere.
Key Functionalities of Carbon Black Cloud Audit and Remediation
Audit and Remediation include two main functionalities that we call Live Query and Live Response.
Live Query provides a way to ask questions about your endpoints in real-time. This powerful functionality is a part of the Audit and Remediation offers available only on our VMware Carbon Black Cloud.
You can access the Live Query by navigating to the Live Query page or you can select the Live Query icon at the end of a device row on the endpoints page, or from an alert. Select the device tab and then select the query endpoint from the take action menu.
Live Query has two ways to ask questions. Both options provide the view of the same results:
- The pre-built Recommended Query catalog: Recommended Query catalog has a set of pre-built queries to get you going fast regardless of SQL knowledge. Recommended queries recommended by Carbon Black security experts are listed by category. A description is included along with the recommended run frequency.
- SQL Builder: Our SQL Builder allows more advanced users to get granular in their queries and currently offers more options with tables and data organization.
After a query runs and results return, you can narrow down matches for a clear vision of the answer to your question using dynamic, faceted search and column sorting. From the results, you can go live with a Live Response to remote access any endpoint when action needs to be taken. With Audit and Remediation, you can take your network defense to the next level with real-time endpoint query and remediation.
You can ask questions by using the recommended option or the SQL query. Once you run a query, the time frame for receiving results vary based on the type of query, complication level of query, and when each device last checked in via the sensor.
When you receive results, they are organized in a table format, you can find results under the Live Query heading under Query Results.
SQL Query: You can select the SQL query tab to run a query using SQL.
SQL Query provides additional flexibility to power users to extend the query capabilities beyond recommended queries.
Live Response provides administrators with a secure remote shell into any protected endpoint to perform actions like memory dump, delete files, stop processes, and more.
- You must be in a Live Response admin role to access Live Response functionality.
- Please use caution, Live Response provides direct access to a device and can lead to mistakes.
What are the Key Benefits of Carbon Black Cloud Audit and Remediation?
- Decrease Time to Value; Operating as an always on solution, when a question arises you can query your entire fleet results can be expected in a little as 5 minutes. If devices are offline the query will continue to run for up-to 7-days ensuring you are able to get a complete picture of your fleet.
- Customer Driven Inspection; Often times products are providing you the information they think you need, with Audit & Remediation you are able to flip the script and ask the questions of your fleet you need the answers to.
- Drift Reporting; Schedule queries on a daily, weekly or monthly basis to assess baseline and drift metrics to report on overall system change.
Top 5 Things you should know about Audit and Remediation
- Query Results
Query Results Query results are available when devices start to respond. The wait time for results depends on the query type and complexity if devices are online, and the last time each sensor checked in.
Queries run for up to 7 days unless scheduled to run more frequently.
Results are available for 30 days.
Queries are grouped by One-Time and Scheduled queries.
- One-time queries display the query start-time, query name, devices responded user who ran the query and query status.
- Scheduled queries display the last run time/date, query name, policy/endpoints, frequency, and run time.
- Recommended Queries
Recommended queries are suggestions provided by the community as well as our internal threat research team. These queries do not require prior knowledge on SQL syntax and can be scheduled or run as a one off query. We recommend users start here first to begin working with Live Query.
- SQL Queries
Moving beyond recommended queries, you have the ability to run custom SQL queries; this is where the extended functionality can be extremely powerful.
To learn SQL we recommend starting with the following resources:
- Take the Intro to SQL courses.
- Reviewing the Osquery Table List to understand the data fields available.
- Visit The Query Exchange for more ideas!
- Query Exchange
The Query Exchange is a place for everyone to take, learn, and share queries.
Since Live Query is built off of the open-source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure.
All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”
- API Extensions
Live Query is not limited to the Carbon Black Cloud console. Live query functionality can be extended by operationalizing the API.
Customers have leveraged this in the case of orchestration, where in the event of a security incident they are automatically querying for specific modifications. OR we have seen customers leverage the API to perform differentials for compliance reporting.
Be sure to visit the Developer Relations website for more information on the API.
Summary and Additional Resources
This document helped you get a high-level understanding and overview of the Carbon Black Audit and Remediation. To learn more about the product explore our hands-on lab and TestDrive experience.
For more information about Audit and Remediation, explore the Mastering Carbon Black Cloud Audit & Remediation. The activity path provides step-by-step guidance to help you increase your understanding of the Carbon Black Endpoint Standard, including articles, videos, and labs.
Additionally, check out the Audit and Remediation FAQ which provides answers to some of our most popular Endpoint Standard questions.
The following updates were made to this guide:
Description of Changes
About the Author and Contributors
- Raj Sahota, Senior Technical Marketing Architect, Network and Advanced Security Business Group, VMware