Carbon Black Cloud Audit and Remediation - FAQ

Overview

VMware Carbon Black Cloud Audit & Remediation is a real-time security operations solution that enables organizations to ask questions of all systems and take action to instantly remediate issues.

Audit and Remediation enables proactive threat hunting based on any data point, deep forensic investigation, and precise action in real time. It includes an easy-to-use interface that lets you ask questions of your endpoints on demand using the Live Query component, and take immediate action from anywhere using the Live Response component.

If you are new to Audit and Remediation, or if you want an overview of its features and components, see What Is Audit and Remediation?

Audience

This Audit and Remediation FAQ document is intended for existing or prospective security administrators.

Carbon Black Cloud Audit & Remediation includes two main components, Live Query and Live Response. The questions below are grouped into these two categories.

Live Query

What is Live Query?

Live Query is a key component of Carbon Black Cloud Audit & Remediation. Live Query is based on OSQuery, which exposes an operating system as a high-performance relational database that can be queried for operating system data. Live Query allows an administrator to query the current state, configuration, and properties of one or more systems. Queries are written in SQL syntax, executed on the endpoint, and the results are returned to the backend.

What role is needed to access Live Query?

Super Admin and Custom roles with the Live Query Permission for the Organization have access to Live Query features.

What protections are in place to prevent the unauthorized use of Live Query?
  • Existing access controls for a Carbon Black Cloud organization apply to Live Query.
  • Super Admin and Custom roles with the Live Query Permission for the Organization have access to Live Query features.
  • CSR roles cannot see the Live Query features in an organization; however, they may have access to turn the Live Query feature on or off for an organization.
  • Tamper protections are in place to prevent unauthorized deletion of the sensor components. However, by design, osqueryi can still be run on the endpoint.

Does Live Query support 32-bit Windows?

Sensor version 3.6.0.2067 and later supports 32-bit Windows, as it uses OSQuery 4.5.

Which admin role is used in Live Query?

The following admin roles are used in Live Query:
  • Windows: SYSTEM
  • Mac: Root
  • Linux: Root

How long does a query take to run after it's been executed?

Live Query result response speed depends on several factors:

  • Other events on the sensor may have send priority above returning Live Query results.
  • A query is complete when the number of responses equals the number of sensors that had checked in within 7 days of the query starting.
  • A scheduled query runs until the next scheduled run or until it is complete.
  • An on-demand query runs for up to 7 days or until it is complete.
  • Queries take longer during sensor busy periods, such as a new installation or the sensor just starting up.
  • Queries that are compute-intensive (such as selecting all hashes from a computer, or selecting all files from the C drive) will take a long time to return results in most cases.

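The following osquery statements are an added illustration, not part of the original FAQ, of the SQL syntax Live Query accepts (described under "What is Live Query?") and of the cost difference the last bullet warns about. They use osquery's standard processes, hash, listening_ports and file tables and assume a Windows endpoint; the first query is shown only to contrast it with the scoped forms below it.

```sql
-- Expensive (avoid): hashes every file under the system drive. The %% wildcard
-- recurses the whole tree, so this is the "all hashes from a computer" case
-- that runs for a very long time and competes with the sensor's other work.
SELECT path, sha256 FROM hash WHERE path LIKE 'C:\%%';

-- Scoped alternative: hash only the executables of running processes, joined
-- to the processes table so each row also carries pid, user id and command line.
SELECT p.pid, p.uid, p.name, p.path, p.cmdline, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.path != '';

-- Cheap threat-hunting pivot: TCP listeners with their owning process.
-- protocol 6 = TCP; port 0 rows are unbound sockets and are skipped.
SELECT lp.pid, lp.port, lp.address, p.name, p.path
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.protocol = 6 AND lp.port != 0;

-- File queries return metadata only (path, size, timestamps), never contents,
-- which is why Live Query cannot search inside documents. The path pattern
-- limits the walk to user Downloads folders instead of the whole disk.
SELECT path, size, datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE path LIKE 'C:\Users\%\Downloads\%'
  AND size > 0;
```

Each statement is pasted into the Query text box of a custom query on its own; Live Query runs one statement per query.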
How long do queries run before the timeout? 

A query will time out within 7 days even if not all of the computers have responded.

How does the progress bar count get determined?
  • The initial progress count ("Response Pending") is based on the number of active sensors that have checked in within 2 hours.
  • Any sensors that check in while the query is still running are added to that count.

How to schedule a query?
  1. Log in to the Carbon Black Cloud console and navigate to the "Live Query" page.
  2. To schedule an ad-hoc query, select "Schedule" for the desired query, next to the "Run" button.
  3. To schedule a custom query, select "SQL Query".
  4. Click the "Schedule" button, or "Schedule query" for a custom query.
  5. Select the desired frequency.
  6. Click the "Schedule" button.
  7. Results will appear in the Scheduled tab under Query Results (under Live Query).

How to run a custom query?
  1. Log in to the Carbon Black Cloud console and navigate to the "Live Query" page.
  2. Under "New Query", choose the "SQL Query" tab.
  3. Enter the query you wish to run in the Query text box.
  4. From the "Select a policy" dropdown list, choose a policy containing the endpoints you want to run the query on.
  5. Give your query a name in the "Query Name" box.
  6. If you wish to have an email sent when the query completes, check "Email me when complete".
  7. Click "Run". You will get either a green (success) status message or a red (failure) message.
    • For failure messages, note the message, adjust your query, and try again.
    • For success messages, continue to monitor the Live Query console for results to be returned, or, if you checked the email option, wait for the email telling you the query has completed and then return to the console to view the results.

How to stop a running query?
  1. Log in to the Carbon Black Cloud console and navigate to the "Live Query" page.
  2. Under "Query History", select a query with a status of "in progress" that you would like to stop.
  3. On the Live Query details page, click "Stop" under the Take Actions button in the top right corner.
  4. In the Stop Query confirmation box, click "Stop Query".
  5. A green confirmation dialog will appear, indicating that the request to stop the query has been submitted.
  6. Confirm the query has been stopped by going to the Live Query page and checking the status next to the query. The status should read "Stopped".

Can the contents of files be queried? 

Audit and Remediation cannot search the contents of documents (Office documents, PDFs, or standard text files).

Can a query be run on a single endpoint? 

A query can be run on a single endpoint. To do so:

  1. Go to the Live Query page.
  2. Click "New Query".
  3. Choose either "Recommended" or "SQL Query" and create the query.
  4. Under the Endpoints section, apply the query to specific policies or endpoints.

Live Response

How to enable Live Response?
  1. In the console, select Enforce > Policies.
  2. Select the desired policy.
  3. Select the Sensor tab of the policy settings.
  4. Check the "Enable Live Response" box.

Which admin role is used in the Live Response session?
  • Windows: SYSTEM
  • Mac: Root
  • Linux: Root

How to run commands with flags in Live Response?

Run the command through execfg cmd.exe /c, followed by the command and the flags it needs. For example: execfg cmd /c tasklist /svc /FI "IMAGENAME eq chrome.exe"

How to collect logs remotely for support using Live Response (Windows)?

Sensors 3.6 and higher:

  1. Log in to the console.
  2. Go to the Endpoints page.
  3. Click the 'Go Live' icon (>_) to start a Live Response session.
  4. Change directory to the sensor's directory: cd C:\Program Files\Confer
  5. Run the following command, replacing c:\temp with the desired writeable location: execfg repcli capture c:\temp
  6. You will receive immediate confirmation that the logs are being collected ('collecting diagnostic data (this may take a few minutes)'), followed by confirmation that the logs have been captured ('Captured diagnostic data is written to c:\temp\psc_sensor.zip').
  7. Run the following command to retrieve and download the captured sensor logs to your local machine, using the location specified in the previous command: get c:\temp\psc_sensor.zip
  8. The file downloads to whichever directory your browser uses for downloads (usually 'Downloads').
  9. The file will likely not have an extension when downloaded and may look similar to this: 9ba02d41-f873-45f4-ba19-5091c8246095
  10. Once downloaded, rename it, replacing the text with the name of the machine and adding the .zip file extension, for example: Sales1.zip

How to collect sensor logs via Live Response (Linux)?
  1. Connect to the device via an LR session.
  2. Run the diagnostics collection script: execfg sudo /opt/carbonblack/psc/bin/collectdiags.sh --verbose --debug --output-dir /tmp
  3. The script will complete and display the file name: diags_{hostname}_{epoch_time}_{random}.tgz
  4. Retrieve the file: get /tmp/diags_{hostname}_{epoch_time}_{random}.tgz
  5. Upload the tarball to CB Vault.
  6. Let support know when the file has been uploaded.

What type of memory dump is generated in a Live Response session? 

The memory dump generated over a Live Response session quickly collects a kernel memory dump (and user space, if kernel debugging is enabled). For example, the command below will create a dump in c:\temp: memdump c:\temp\kernel.dmp. If a full memory dump is required, follow the instructions here; please note that a reboot will be required.

How long do Live Response queries run before timeout? 

Live Response sessions in which commands have been sent time out after 15 minutes and close automatically. Live Response sessions in which no commands have been sent time out after 30 minutes.

What is the limit for concurrent Live Response sessions? 

If multiple Live Response Admin users have an LR session with the same device, this only counts as one session, as the sensor only allows a single LR session to be open at a time. All Live Response Admins connecting to the same machine during this time will be using the same session. Live Response sessions in which commands have been sent time out after 15 minutes and close automatically. Live Response sessions in which no commands have been sent time out after 30 minutes.

How many Live Response sessions can be initiated per endpoint? 

Only one Live Response session can be run on a sensor at a time. If there are two open tabs in the UI that both say connected, they are sharing the same session on the back end.

If there is a file with no content (showing 0 bytes for file size), can an Admin use the GET function in a Live Response session to pull that file? 

No. As there is no content, there is nothing to retrieve. To GET a file in Live Response, the file must be non-zero in size. 

What happens when a device is placed in quarantine? 

Connections: The network filter driver blocks all incoming and outgoing TCP traffic to any IP address or port except those used to maintain a connection to the Carbon Black Cloud console. Devices will still be able to check in with the Carbon Black Cloud console for device status changes, i.e. switching from Quarantine to Active.

Remote Investigation/Remediation Tools: Quarantine mode allows both CB Support and Carbon Black Cloud administrators to continue investigating a device from the Carbon Black Cloud console (Investigate page, Live Response, Live Query, etc.) while reducing the risks involved in allowing a compromised device to access the local network.

Carbon Black Support will still be able to pull sensor logs from the device while it is in quarantine mode.

  • The types of connections, remote investigation, or remediation tools that are allowed and disallowed in quarantine mode cannot be customized.
  • On Windows, the Windows Filtering Platform API is used to determine the traffic type per connection.
  • Quarantine terminates active sockets that are not exempt from quarantine, effectively re-authorizing any existing connections.
  • ICMP (ping) is allowed.
  • ARP is allowed to ensure MAC addresses can resolve to IP addresses.
  • DNS and DHCP are allowed to ensure bilateral communication between the Carbon Black Cloud console and the quarantined device.
  • All UDP connections except those responsible for DNS requests (UDP/53) and DHCP (UDP/67 and UDP/68) will be blocked.

How often does the sensor check in to the Carbon Black Cloud console? 

The sensor checks in once every 60 seconds from 1) sensor installation or 2) device reboot.

Summary and Additional Resources

Conclusion

This document provided answers to the most popular Audit and Remediation FAQs.

Additional Resources

For more information about Audit and Remediation, explore the Audit and Remediation Activity Path. The activity path provides step-by-step guidance to help you increase your understanding of the Carbon Black Endpoint Standard, including articles, videos, and labs.

You can also see the Audit and Remediation Overview, which provides a basic overview.

Authors and Contributors

This document was created by:

  • Raj Sahota, Senior Technical Marketing Architect,  Security Business Unit
