Carbon Black Enterprise EDR - FAQ

Overview

The VMware Carbon Black Cloud Enterprise EDR Frequently Asked Questions (FAQs) document provides answers to some of the most popular Enterprise EDR questions. We will continue to grow this list of FAQs, so check back regularly for updates.

VMware Carbon Black Enterprise EDR is an advanced threat hunting and incident response solution delivering continuous visibility for top security operations centers (SOCs) and incident response (IR) teams. Enterprise EDR is delivered through the VMware Carbon Black Cloud, a next-generation endpoint protection platform that consolidates security in the cloud using a single agent, console, and dataset. If you are new to Endpoint Standard or want an overview of its features and components, see Carbon Black Enterprise EDR Overview.

Want to learn more about Endpoint Standard? See our Enterprise EDR Activity Path!

Audience

This Enterprise EDR FAQ document is intended for existing or prospective Security administrators.

Operations

What is a Supported Endpoint? 

Enterprise EDR is supported on endpoints (desktops, laptops, servers, VMs) that run a full, supported operating system.

What Operating Systems are Supported? 

Enterprise EDR is supported on Windows, macOS, and Linux operating systems. A full breakdown of OS version support can be found here: Carbon Black Cloud Sensor Support

What are the minimum requirements for Endpoints? 

Endpoints must be in compliance with all hardware requirements for the host operating system. Consider all processes that run on the endpoints when determining your hardware configuration. We recommend a multi-core CPU for all installations. 

The following metrics represent system requirements against a minimum environment, which is defined in the context of a user-level system (such as an inactive laptop). 
[Two images: minimum system requirement tables, not reproduced here]

What are the supported two-factor Authentication apps for Carbon Black Cloud? 

The Carbon Black Cloud platform supports multi-factor authentication via Google and Duo. SAML configuration is also supported.

Detection

What data does Enterprise EDR collect?

Enterprise EDR is designed to collect all endpoint telemetry and provide you with the assurance that the data will exist in the console. Data collected includes, but is not limited to: file modifications, network connections, module loads, cross-process events, script loads, registry modifications, and process data.

Note: We do not collect PII; details can be obfuscated further as needed in the console.

Can I create custom IOC queries?

Yes. In the Investigate tab you can define your IOC string, save it, and alert on the newly created IOC.

What querying syntax is supported?

RegEx searching, fuzzy searching, and value search (i.e. no syntax required).

The range of supported querying syntax ensures that users can create complex queries as well as simple queries with no learning curve.

Does Enterprise EDR provide third-party threat intelligence? Or can I integrate my own feeds?

Carbon Black provides both proprietary and third-party feeds for correlation out of the box, such as:

  • MITRE ATT&CK
  • AlienVault
  • Facebook Threat Exchange
  • SANS
  • US Cybercom Malware Alerts
  • And more.

You also have the ability to import your own feed if you so choose.

Can I threat hunt based on threat intelligence?

VMware Carbon Black Cloud Enterprise EDR delivers out-of-the-box threat intelligence, as well as the ability to create custom detections based on your own IOCs. Detections are automated so you never hunt the same threat twice, and you can integrate proprietary and third-party intel feeds for even richer correlation.

Remediation

Ability to Detect and Roll Back Ransomware

Ransomware is pervasive, and as defenders, it is VMware's responsibility to adapt and provide future-ready security. Rollback therefore provides not only the ability to restore to a particular shadow copy, but also disaster recovery tools to ensure business operations can resume as quickly as possible.


Ability to Remediate a complex threat that makes multiple changes to the endpoint

At the time of investigation, administrators must be able to operate with confidence, knowing what data they will be able to access. Adversaries can perform tasks that look benign but, under the hood, run malicious commands using trusted applications such as PowerShell. With industry-leading data assurance, administrators can analyze and determine the best approach to holistic remediation with Carbon Black.

Integration

Does Carbon Black Integrate with SIEM tools? 

Yes. Carbon Black Enterprise EDR can forward alert data to SIEMs that accept standard syslog data.
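On the SIEM side, "accepts standard syslog" means the receiver has to parse the RFC 5424 header and then whatever alert payload the message carries. The following is an added example of that receiving step, not Carbon Black's own forwarder or schema: the JSON body, every field name in it (alert_id, device_name, watchlist, threat_score, process), the host and app names, and the sample lines are all constructed for illustration. The real field definitions are in the Data Forwarder Data Guide referenced below.

```python
"""Added example (not Carbon Black's code): receiving EDR alerts over syslog.

Parses RFC 5424 syslog lines whose MSG part is a JSON alert, tolerates
malformed lines without dropping the batch, and picks out alerts that meet
a score threshold. The payload format and all field names are constructed.
"""
import json
import re
from dataclasses import dataclass, field

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)


@dataclass
class Alert:
    facility: int          # PRI // 8
    syslog_severity: int   # PRI % 8 (0 = emergency ... 7 = debug)
    host: str
    body: dict = field(default_factory=dict)


def parse_syslog_alert(line: str) -> Alert:
    """Parse one RFC 5424 line whose MSG part is a JSON object."""
    m = _RFC5424.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError("PRI out of range")
    msg = m.group("msg") or ""
    # Some forwarders prepend a UTF-8 BOM to MSG (RFC 5424 section 6.4); drop it.
    body = json.loads(msg.lstrip("\ufeff"))
    if not isinstance(body, dict):
        raise ValueError("alert body is not a JSON object")
    return Alert(pri // 8, pri % 8, m.group("host"), body)


def load_alerts(lines):
    """Parse a batch; malformed lines are counted instead of aborting the batch."""
    alerts, rejected = [], 0
    for line in lines:
        try:
            alerts.append(parse_syslog_alert(line))
        except ValueError:  # json.JSONDecodeError is a subclass of ValueError
            rejected += 1
    return alerts, rejected


def escalate(alerts, min_score=7):
    """Return alert ids whose constructed 'threat_score' field meets the threshold."""
    return [a.body["alert_id"] for a in alerts
            if a.body.get("threat_score", 0) >= min_score]


# Constructed sample forwarder output: hosts, ids and fields are made up.
SAMPLE_LINES = [
    '<134>1 2024-05-01T12:00:00Z cbc-forwarder edr-alerts - - - '
    '{"alert_id": "EXAMPLE-0001", "device_name": "WS-042", '
    '"watchlist": "Constructed Watchlist", "threat_score": 8, "process": "powershell.exe"}',
    '<134>1 2024-05-01T12:00:05Z cbc-forwarder edr-alerts - - - '
    '{"alert_id": "EXAMPLE-0002", "device_name": "WS-017", '
    '"watchlist": "Constructed Watchlist", "threat_score": 3, "process": "svchost.exe"}',
    'this is not a syslog line at all',
]

if __name__ == "__main__":
    parsed, bad = load_alerts(SAMPLE_LINES)
    print(f"parsed={len(parsed)} rejected={bad} escalate={escalate(parsed)}")
```

Counting rejected lines rather than raising on the first one matters in practice: a single truncated message from a UDP syslog stream should show up as a parse-error metric, not silence the whole feed.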

Where can I find Enterprise EDR integrations? 
What is the Event Schema for the Event Forwarder? 

The Event Forwarder schema can be found on our developer site: Data Forwarder Data Guide

How do you enable the Event Forwarder?

Refer to VMware Docs: Data Forwarder

 

General

What is the difference between Enterprise EDR telemetry and the data collected in Endpoint Standard?

Enterprise EDR provides completely unfiltered telemetry designed for analysts to jump in and threat hunt with confidence.

Endpoint Standard provides telemetry with an AI overlay, which is determined by Carbon Black's backend analytics and threat team.

Is it possible to add scanning exclusions for other security products in an Enterprise EDR console? 

If you experience interoperability issues between the Enterprise EDR sensor and other AV or software applications, please open a support case for further assistance. Within the GUI, there are no options to exclude directory scanning of other security products in an Enterprise EDR console. The Enterprise EDR sensor should be excluded in other AV applications.

What is the difference between Submit Unknown Binaries and Upload all New Binaries? 

Unknown binaries refers to any binary with an unknown reputation; it is uploaded to determine whether the file's execution should be blocked at the sensor.

New binaries refers to any binary that has not been seen previously in your organization, based on its SHA-256 value. The primary benefit of the "Upload all new binaries to CB for your later analysis and download" feature is that administrators can download any binary seen in their environment.
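Because "new" is keyed on the SHA-256 of the file's bytes, the same binary copied to another device or renamed is not new, while a build that differs by a single byte is. The following is an added example, not Carbon Black's code, that makes this definition concrete with a small first-seen tracker; the device names, file paths and file contents are constructed stand-ins.

```python
"""Added example (not Carbon Black's code): what "new binary" means when identity
is the SHA-256 of the content rather than the file name or location.
Device names, paths and contents are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the file bytes; this is the identity used below."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Sighting:
    device: str
    path: str


class FirstSeenTracker:
    """Remembers where each SHA-256 was first observed in the organization."""

    def __init__(self) -> None:
        self._first: Dict[str, Sighting] = {}

    def observe(self, device: str, path: str, content: bytes) -> bool:
        """Record a sighting; return True only for a hash never seen before."""
        digest = sha256_hex(content)
        if digest in self._first:
            return False
        self._first[digest] = Sighting(device, path)
        return True

    def first_seen(self, content: bytes) -> Optional[Sighting]:
        """Where this exact content was first observed, or None if never."""
        return self._first.get(sha256_hex(content))

    def __len__(self) -> int:
        return len(self._first)


# Constructed contents standing in for executables; not real binaries.
TOOL_V1 = b"MZ\x90\x00constructed-tool-build-1"
TOOL_V1_RENAMED = TOOL_V1                        # same bytes under another name/device
TOOL_V2 = b"MZ\x90\x00constructed-tool-build-2"  # one byte differs -> different hash


def run_demo() -> Tuple[bool, bool, bool]:
    """Three sightings: first copy, a renamed copy elsewhere, and a changed build."""
    t = FirstSeenTracker()
    a = t.observe("WS-001", r"C:\Tools\tool.exe", TOOL_V1)                  # True
    b = t.observe("WS-002", r"C:\Users\Public\t00l.exe", TOOL_V1_RENAMED)   # False
    c = t.observe("WS-001", r"C:\Tools\tool.exe", TOOL_V2)                  # True
    return a, b, c


if __name__ == "__main__":
    print(run_demo())
```

The second sighting shows the useful side of hash-based identity: a known tool dropped under a lookalike name in a public directory is not flagged as new, which is exactly why such events need to be caught by the location or process context rather than by the "new binary" upload alone.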

Does Carbon Black offer a Managed Service?

Yes. Carbon Black offers a light managed service that provides a managed alert monitoring and triage solution. We have a team dedicated to watching your environment. They act as additional eyes to validate high-level alerts, analyze them, and provide recommendations to you and your team. When a high-level alert occurs in your environment, the Managed Detection team analyzes it, confirms it is not a false positive, and provides insight. For fully managed services, Carbon Black partners with leading managed service providers.

What is Anomaly Classification? 

With Anomaly Classification, customers can automatically surface the most relevant Watchlist alerts to optimize their alert triage process and ultimately reduce the workload of security analysts. Additionally, security analysts can now provide feedback on their determination, which further trains the classification algorithm. 

What are the benefits of Anomaly Classification? 

There are several immediate benefits to customers: 

  • Reduced alert fatigue
  • Improved efficiency 
  • Enhanced accuracy 

By prioritizing alerts and providing context, the feature helps analysts focus on the most important threats while reducing the time spent investigating false positives. The machine learning models continually improve over time, resulting in higher accuracy and a lower likelihood of missing real threats.

This ultimately reduces mean time to detect and mean time to respond.

Which Watchlists are supported in Anomaly Classification? 

The system currently supports Carbon Black Advanced Threats and AMSI Threat Intelligence. Support for custom Watchlists is on the roadmap for subsequent releases.

Does Anomaly Classification add to the volume of alerts? 

This feature does not add any new kind of Alert or any new triggers that would generate Alerts. 

Customers will not receive any more or any fewer Alerts than they already do. There is no change in the character of the Alerts; it is literally the same data as before.

Which customers can use the functionality of Anomaly Classification?

The feature is accessible to all Enterprise EDR and XDR customers.  

Summary and Additional Resources

Conclusion

This document provided answers to the most popular Enterprise EDR FAQs.

Additional Resources

For more information about Endpoint Standard, explore the Enterprise EDR Activity Path. The activity path provides step-by-step guidance, including articles, videos, and labs, to help you increase your understanding of Carbon Black Endpoint Standard.
