Carbon Black XDR - FAQ


The VMware Carbon Black XDR Frequently Asked Questions (FAQs) document provides answers to some of the most popular XDR questions. We will continue to grow this list of FAQs so check back regularly for updates.

If you are new to Carbon Black XDR or if you want an overview of the features, components, see Carbon Black XDR Technical Overview.

Want to learn more about Carbon Black XDR. see our XDR Activity Path.


This VMware Carbon Black XDR FAQ document is intended for existing or prospective Security administrators.


What is Carbon Black XDR?

VMware Carbon Black XDR extends network visibility and detection to Enterprise EDR, strengthening lateral security. VMware Carbon Black XDR goes beyond the endpoint to see more and stop more.

Carbon Black XDR surfaces new results by combining security events with network flows, and preserving and extending the endpoint, network, workload, and user contexts during analysis and display.

This extended detection and response (XDR) solution deploys with no changes to infrastructure and unifies security tools to enhance visibility into packets and process, bringing the SOC and NOC together.

Carbon Black XDR is one agent, one console, one platform, which: 

  • Transforms a fleet of endpoints into a distributed network sensor  
  • Delivers pervasive visibility across endpoints, networks, workloads, and users in an open scalable ecosystem 
  • Reduces blind spots that leave attackers nowhere to hide 

What are the benefits of Carbon Black XDR?

Carbon Black XDR offers a significant improvement on telemetry visibility from a single pane of glass, combining the SOC and NOC and providing the complete visibility required to get the highest confidence level in the response actions taken across the environment. Ultimately reducing Mean Time To Detection (MTTD) and Mean Time To Response (MTTR). 

image 151

What types of data does XDR collect and how does XDR handle data privacy and compliance requirements?

Common use cases for Carbon Black XDR include threat detection and response, incident response, vulnerability assessment, compliance monitoring, and threat hunting.

There are many ways in which you can use XDR to detect and respond to endpoint threats. The following are the most common use cases.

Threat Hunting Although it is likely that threats already exist in any given network, many security teams struggle to find the time to do proactive threat hunting. Carbon Black XDR’s telemetry capabilities allow much of this work to be done automatically, significantly lightening the load on security teams and allowing them to carry out threat hunting alongside their other tasks. Carbon Black XDR surfaces new results by preserving and extending the endpoint and network contexts during analysis and display. Proactively threat hunt for abnormal network activity using threat intelligence and customizable queries.   

Reduce dwell time One of a security team’s most important functions is to reduce dwell time by prioritizing or triaging alerts and quickly responding to the most crucial ones.

Automatic tagging of endpoint and network related events to the MITRE ATT&CK Tactics, Techniques, and Procedures (TTP) framework exposes the root cause and reduces dwell time. Visibility into network connections and IDS observations spanning your entire organization, including hybrid work environments, alongside automated TTP tagging gives analysts the advantage when responding to the latest attacks. 

Carbon Black XDR helps sift through the noise by using powerful analytics and machine learning to correlate thousands of alerts into a small number of high-priority observations.

Detect and respond faster Carbon Blacks XDR’s extensive data collection, superior visibility, and automated analysis allow security teams to quickly and easily establish where a threat originated, how it spread, and what other users or devices might be affected, this allows you to detect and respond faster to modern attacks by leveraging XDR capabilities with endpoint prevention, EDR, network, vulnerability assessment, and CIS Benchmarking all delivered from the same lightweight agent and managed from the same console.  This is crucial to both removing the threat and hardening the network against future threats.

What is difference between EDR and XDR?

EDR refers to a security solution that detects and responds to threats on endpoints, such as desktops, laptops, and workloads. Carbon Black Enterprise EDR achieves this by continuously recording and storing endpoint activity data (processes and binaries), allowing security professionals to hunt threats for abnormal activity using threat intelligence and customizable detections in real time and visualize the complete attack kill chain.

XDR, on the other hand, is a more comprehensive security solution that goes beyond endpoints and integrates data from multiple control points.

As the evolution of Carbon Black Enterprise EDR, Carbon Black XDR delivers on modernizing the SOC by enabling rapid and accurate detection, visualization and analysis of endpoint, network, workload, and user data in context.  

Carbon Black XDR surfaces new results by preserving and extending the endpoint and network contexts during analysis and display. Network context is extended by the additional network connection visibility and the IDS engine we have embedded into our sensor.

What data sources does XDR collect data from?

Carbon Black XDR collect process and binary data from Endpoint and Workloads, Network connection data from network traffic and User data from authentication events on the endpoints and workloads.

What is Anomaly Classification?

With Anomaly Classification, customers can automatically surface the most relevant Watchlist alerts to optimize their alert triage process and ultimately reduce the workload of security analysts. Additionally, security analysts can now provide feedback on their determination, which further trains the classification algorithm. 

What are the benefits of Anomaly Classification? 

There are several immediate benefits to customers: 

  • Reduced alert fatigue 
  • Improved efficiency 
  • Enhanced accuracy 

By prioritizing alerts and providing context, the feature helps analysts focus on the most important threats, while reducing the time spent on investigating false positives. The machine learning models continually improve over time, resulting in higher accuracy and reducing the likelihood of real missed threats. 

Ultimately reducing Mean time to detection and mean time to respond.

Which Watchlists are supported in Anomaly Classification? 

The system currently supports Carbon Black Advanced Threats and AMSI Threat Intelligence. The support of custom Watchlists is on the roadmap for subsequent releases. 

Does Anomaly Classification add to the volume of alerts? 

This feature does not add any new kind of Alert or any new triggers that would generate Alerts. 

Customers will not receive any more or any fewer Alerts than they already do. There is no change in the character of the Alerts, it is literally the same data as before. 

What is NTA? 

Network Traffic Analysis is a powerful new detection engine for Carbon Black XDR. Using a combination of historical and real-time network traffic NTA detections can identify anomalous and suspect network behaviors within your organization's environment. 

What are the benefits of NTA??

NTA provides SOC Analysts with several key benefits: 

  • Greater insight into expected and anomalous network behavior  
  • Enhanced visibility into devices connecting to your network  
  • Identify occurrences of activity outside normal network behavior  
  • Rapidly and easily investigate with additional network context 


What OS is supported?

As the largest threat vector today is Windows, the GA release will include the Windows sensor first. Linux and Mac are planned to follow in future releases.

What sensor supports XDR?

Carbon Black XDR is available with the 3.9.1+ sensor

What are the minimum sensor hardware requirements?

Please refer to the hardware requirements section in the OER at 

Where does the network XDR sensor reside in the network environment? 

The network sensor is integrated with our existing Carbon Black Cloud sensor, therefore there is no need for network taps or to deploy additional software. No changes to the network config or networking is required to get the additional visibility. We transform your endpoints and workloads into a fleet of distributed network sensors.

What sensor supports NTA?? 

NTA is available with the 3.9.2+ sensor. 

What UI changes will NTA bring?  

A new Network Traffic Analysis type will appear in Observations; NTA observations will also have details showing pertinent NTA information. 


What is Network Connection Visibility?

Network Connection Visibility enables customers to visualize and analyze network data in context, using the Carbon Black Cloud. The XDR network telemetry includes continuous capture and analysis of network fingerprints, flow and TLS data, and application-protocol data.

What is IDS?

The purpose of IDS is to detect and respond to malicious activity. Carbon Black XDRs Intrusion detection system (IDS) instantly identify malicious network behaviors.

We are monitoring the activity on a host for signs of suspicious behaviour, such as changes to system files, unauthorized access attempts, or unusual network traffic. We use a mix of signature-based detection and behavioural analysis to identify potential security threats.

What is Identity Intelligence?

Carbon Black XDR Provides visibility to user-centric events that are indicative of malicious activity and correlates this user data with process and network connection visibility.  

Carbon Black XDR gives insight into the activity of user accounts for context, correlation, and analysis. Insights such as log on, log off events, account changes, and privilege escalation and how local domain accounts are being used on the network.  

While these activities can be benign, they can also indicate malicious behavior. such as credential theft, brute-force attacks, password spraying, account lockouts, and other suspicious activity that may indicate an attempted or successful compromise of a system. 

Does Carbon Black map XDR data with MITRE ATT&CK® framework?

MITRE ATT&CK Tactics & Techniques MITRE ATT&CK® is visible throughout the Carbon Black Cloud console as well as in XDR.

MITRE ATT&CK is widely adopted by the security industry as a knowledge base of adversarial tactics and techniques. For more information about MITRE ATT&CK, see MITRE ATT&CK.

A Tactic represents the purpose behind a technique. For example, a MITRE ATT&CK Tactic ID of TA0001 signifies that the adversary is trying to penetrate your network.

A Technique expresses how the adversary is attacking. For example, a MITRE ATT&CK Technique ID of T1548.003 indicates that adversaries are performing sudo caching to elevate privileges.

You can filter and search on Tactic and Technique fields on the Observations, Alerts, Processes, and Process Analysis pages. You can sort on these fields as well.

What is an Observation?

The Observations page lets you see interesting or suspicious activity in your environment that does not always reach the importance of generating an alert. This page lets you search through the stream of notable activities on one or more devices; you can avoid researching all the raw events that are reported by every asset. This page provides a convenient means by which to perform a sweeping search across all your organization's assets. Observations are the noteworthy, searchable findings across your whole fleet. They complement raw events on Process Analysis page.

Where are the enriched events?

No data is lost, enriched events are still collected, Enriched Events are hidden when the toggle is off, hidden from the UI. They remain present in the instance, ready to be display and searched as soon as the toggle is flipped on, with no impact to performance, availability, or any other aspect of product operations outside of display and search in this tab.

What Types of Observations are presented?

We provide observations from all our new XDR engines, including our new IDS engine. For a full list please refer to the Carbon Black Cloud User Guide.

When should I use Observations and when should I use Enriched Events?

The workflow recommended is to move from Alerts, to Observations, to Events, as and if the need for information grows as part of investigating, responding and remediating a specific incident or finding.

Observations are of more interest with much greater relevancy and lower noise than enriched events.

Can I create custom IOCs? 

Yes. In the Investigate tab, under observations, you can define your IOC string, save and alert on the newly created IOC. Previously this was only for endpoint data, we have no extended this capability to the new network context we have made available.

Can I use third party threat intel feeds in XDR?

As XDR is an extension of EDR, you have access to all the VMware Carbon Black Cloud Enterprise EDR threat intelligence, as well as the ability to add third party feeds.

Carbon Black will be updated and creating new IOCs based off the network telemetry post GA.

What are the additional search fields I can search on?

You can craft new searches using our newly available network and identity search fields. See the in-product Search Guide for a full list, descriptions, and examples of all search fields available.

How does NTA work?

Using the baselining capabilities of NTA, Carbon Black XDR can now generate profiles for standard network traffic within an organization. The initial detectors released are a subset of detections we will introduce as we continue to expand our detection capabilities using our integrated Network Traffic Analysis Engine. While not all anomalous activity is malicious, these outliers can serve as an additional feature for data analysis and, when combined with the correlation of other malicious or suspect indicators, bolster our security. 

What does NTA look at? 

Carbon Black XDR now includes NTA detectors and will continue to add more detectors and alerts in the coming months. In the initial wave, NTA includes: 

  • IP Profiler: Identifies anomalous IP address connections associated with a device, compared to those seen typically seen on that same device. 
  • User Agent Profiler: Identifies unusual user agents in connections being made from a local device compared to the user agents typically associated with a device.  
  • Port Profiler: Identifies connections to or from a local host that have an unusual, remote IP address, compared to remote IPs that host typically connects to. 



What is the XDR Alliance? 

VMware joined the XDR Alliance in June 2022. The XDR Alliance is a partnership of leading cybersecurity industry innovators committed to an inclusive and collaborative XDR framework and architecture. The mission of the XDR Alliance is to make a collaborative, open approach to XDR a reality for SecOps teams and help them effectively protect their organizations from cyberattacks. 

Summary and Additional Resources


This document provided answers to the most popular Carbon Black XDR FAQs.

Authors and Contributors

This document was created by:

  • Raj Sahota, Senior Technical Marketing Architect,  Security Business Unit


Filter Tags

Enterprise EDR Carbon Black XDR Document FAQ Overview