Attention: As of February 28, 2022 the Carbon Black Cloud Release Notes will be published on VMware Docs. This UEX release notes space will remain, but will no longer be updated.

Carbon Black Cloud Console Release Notes
January 24, 2022
 
The January 24, 2022 console release includes various bug fixes. See Fixed Issues.

January 13, 2022
 
VMware Carbon Black Cloud 

 

Dashboard Improvements 

The Dashboard now supports modeless editing. There is no longer a need to click Edit before moving and resizing widgets; it can be done without entering an edit mode.


Endpoint Standard 

 

API decommissioning - v3 Alerts, Events and Process APIs 

After 31 January 2022, the v3 Alerts, Events and Process APIs will be decommissioned. After this date, they will return an HTTP Response of "410 GONE" and will no longer return previously available data.

For more information, see this October 2021 announcement on the Carbon Black User Exchange: https://community.carbonblack.com/t5/Developer-Relations/Upcoming-API-shutdowns-Carbon-Black-Cloud-v3-Events-Alerts-and/td-p/107722

 

Efficacy Improvements 

Endpoint Standard customers will see an increase in default prevention value. TAU provides improved detections and fixes for AMSI Threat Intelligence, Privilege Escalation, CarbonBlack Threat Intelligence, and Credential Theft.

  • AMSI Detection - Inhibit System Recovery behaviors - Filebacked
  • AMSI Detection - Inhibit System Recovery behaviors - Fileless
  • Detect Suspect SAM Credential Access - Filebacked
  • Detect Suspect SAM Credential Access - Fileless
  • Detect Suspect Browser Credential Access
  • Detect bitsadmin file transfer
  • Detect bitsadmin execution
  • Detect Suspect Startup Modifications
  • Detect parent process identifier (PPID) spoofing
  • Detect suspect registry changes

Container Essentials 

 

New Policy and Scope Experience 

Policy Rule Selector

To address the growing number of policy rules, we are introducing an enhanced rule selection experience. With the new design, you can easily browse through all available rules using filters, and organize and manage the selected rules to better understand policy impact. Check it out in Enforce -> K8s policies.


Scope Page

When managing the scope, we want to understand the workload scope type, how many namespaces are included in the scope and which workloads, and the policy assigned to the scope. With the newly designed page, we addressed it all! With a new modern look, you can easily identify the scope by type, the assigned policy, and even the clusters, namespaces, and workloads assigned to it. Check it out at Inventory > Kubernetes > Scope.


 


December 17, 2021
 
Enterprise EDR 

 

Data Forwarder adds Watchlist Hit Forwarding

The Carbon Black Cloud Data Forwarder now supports forwarding Watchlist Hits for all Enterprise EDR customers. This release provides two significant enhancements to make your automated threat hunting more effective:

  • Because certain threat intel feeds do not allow alerting, all watchlists (whether subscribed from Carbon Black threat intel feeds or custom watchlists you build yourself) will have their hits forwarded. This lets you pull augmented data into third-party SIEMs and integrations.
  • Additional metadata is included in forwarded Watchlist Hits that is not available in forwarded Watchlist Alerts, including command lines, hashes, digital signature attributes, reputation, and username for both the actor and the parent process, plus all tags added to the Watchlist Reports.

Configuration for a Watchlist Hit forwarder in the Data Forwarders page is as simple as selecting Watchlist hit under the Type selection. After it is enabled, this Forwarder will forward every hit from every enabled Watchlist in your Carbon Black Cloud organization:


In addition to the data currently forwarded in Watchlist Alerts today, the forwarded Watchlist Hits will include parent_cmdline, parent_guid, parent_hash, parent_path, parent_pid, parent_publisher.name, parent_publisher.state, parent_reputation, parent_username, process_cmdline, process_hash, process_pid, process_publisher.name, process_publisher.state, process_reputation, process_username and report_tags.

The forwarded Watchlist Hits will not include the following fields that are included in forwarded Watchlist Alerts today (these are generally only available in an Alert context): alert_url, category, device_os_version, device_username, first_event_time, last_event_time, last_update_time, legacy_alert_id, notes_present, policy_id, policy_name, reason_code, run_state, tags, target_value, threat_cause_actor_name, threat_cause_actor_process_pid, threat_cause_actor_sha256, threat_cause_cause_event_id, threat_cause_reputation, threat_cause_threat_category, threat_cause_vector, threat_id, threat_indicators, workflow.
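Because a SIEM pipeline that was built on forwarded Watchlist Alerts will now also receive Watchlist Hits with a different field set, it helps to label each record and know which correlation keys are unavailable. The following is an added example (not Carbon Black's own code); its field lists are taken from this note, the sample record is constructed, and the shape of the *_publisher fields (a list of name/state objects) is an assumption.

```python
"""Normalize forwarded Watchlist records for a SIEM pipeline.

Added example, not Carbon Black's own code. The two field lists come from the
release note above. The sample record is constructed, and the shape of the
*_publisher fields (a list of {"name": ..., "state": ...} objects) is an
assumption about the forwarder's JSON layout.
"""
import json
from typing import Any, Dict

# Process/parent context that forwarded Watchlist Hits add.
HIT_ONLY_FIELDS = frozenset({
    "parent_cmdline", "parent_guid", "parent_hash", "parent_path", "parent_pid",
    "parent_publisher.name", "parent_publisher.state", "parent_reputation",
    "parent_username", "process_cmdline", "process_hash", "process_pid",
    "process_publisher.name", "process_publisher.state", "process_reputation",
    "process_username", "report_tags",
})

# Alert-context fields that forwarded Watchlist Hits do not carry.
ALERT_ONLY_FIELDS = frozenset({
    "alert_url", "category", "device_os_version", "device_username",
    "first_event_time", "last_event_time", "last_update_time",
    "legacy_alert_id", "notes_present", "policy_id", "policy_name",
    "reason_code", "run_state", "tags", "target_value",
    "threat_cause_actor_name", "threat_cause_actor_process_pid",
    "threat_cause_actor_sha256", "threat_cause_cause_event_id",
    "threat_cause_reputation", "threat_cause_threat_category",
    "threat_cause_vector", "threat_id", "threat_indicators", "workflow",
})


def flatten(record: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested objects into dotted keys such as process_publisher.name.

    A list of objects is flattened element-wise, so a list of publishers
    becomes {"process_publisher.name": [...], "process_publisher.state": [...]}.
    """
    flat: Dict[str, Any] = {}
    for key, value in record.items():
        dotted = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, dotted + "."))
        elif isinstance(value, list) and value and all(isinstance(v, dict) for v in value):
            for item in value:
                for sub_key, sub_val in flatten(item, dotted + ".").items():
                    flat.setdefault(sub_key, []).append(sub_val)
        else:
            flat[dotted] = value
    return flat


def classify(flat: Dict[str, Any]) -> str:
    """Label a flattened record by which disjoint field set is present,
    so the consumer does not depend on a type field that may be absent."""
    keys = set(flat)
    hit_like = bool(keys & HIT_ONLY_FIELDS)
    alert_like = bool(keys & ALERT_ONLY_FIELDS)
    if hit_like and not alert_like:
        return "watchlist_hit"
    if alert_like and not hit_like:
        return "watchlist_alert"
    return "unknown"


def normalize(raw_line: str) -> Dict[str, Any]:
    """Parse one forwarded JSON line into a flat record that carries its kind
    and the fields a downstream correlation rule cannot rely on."""
    flat = flatten(json.loads(raw_line))
    kind = classify(flat)
    unavailable = {"watchlist_hit": ALERT_ONLY_FIELDS,
                   "watchlist_alert": HIT_ONLY_FIELDS}.get(kind, frozenset())
    flat["record_kind"] = kind
    flat["fields_unavailable"] = sorted(unavailable - set(flat))
    return flat


# Constructed sample of a forwarded Watchlist Hit (not real forwarder output).
SAMPLE_HIT = json.dumps({
    "device_id": 12345,
    "device_name": "ws-lab-01",
    "process_guid": "EXAMPLEORG-00003039-000010e1-00000000-1d7f1b2c3d4e5f6",
    "process_path": "c:\\windows\\system32\\notepad.exe",
    "process_cmdline": "notepad.exe c:\\users\\public\\notes.txt",
    "process_hash": ["0" * 32, "0" * 64],
    "process_pid": 4321,
    "process_publisher": [{"name": "Microsoft Windows", "state": "FILE_SIGNATURE_STATE_SIGNED"}],
    "process_reputation": "TRUSTED_WHITE_LIST",
    "process_username": "LAB\\analyst",
    "parent_guid": "EXAMPLEORG-00003039-00000fa0-00000000-1d7f1b2c3d4e5f6",
    "parent_path": "c:\\windows\\explorer.exe",
    "parent_publisher": [{"name": "Microsoft Windows", "state": "FILE_SIGNATURE_STATE_SIGNED"}],
    "report_tags": ["constructed", "example"],
    "watchlists": [{"id": "wl-example", "name": "Custom watchlist (constructed)"}],
})
```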


December 6, 2021
 
VMware Carbon Black Cloud 

 

The December 6 VMware Carbon Black Cloud console release includes various bug fixes. See Fixed Issues.

 


December 1, 2021
 
VMware Carbon Black Cloud Managed Detection and Response

 

VMware Carbon Black Cloud Managed Detection and Response (MDR) is now available as an add-on for Endpoint Standard and Workload Advanced on VMware Carbon Black Cloud.  

MDR is available for upgrade for VMware Carbon Black Cloud Managed Detection (MD) customers.  

MDR provides critical insight into attacks by using automated machine learning and algorithms to validate and prioritize alerts and uncover new threats. Our team of security experts monitor alerts from Endpoint Standard or Workload Advanced in the VMware Carbon Black Cloud. They provide rapid response via email notifications of threats and provide specific policy changes to address the threat in the VMware Carbon Black Cloud. Analysts are available to provide incident remediation guidance as well as threat containment during an incident, allowing your security team to accelerate investigations and remediate threats quickly. 

Feature | Description | Managed Detection | Managed Detection and Response
Monitoring & Alert Triage | 24x7 monitoring of alerts within SLO*. | X | X
Incident Investigation and Response Recommendations | Detailed investigation summaries and response. | X | X
Monthly Reporting | Monthly reporting to outline security policy and posture. | X | X
Outbreak Advisories | Advisories on emerging threats with IOCs and policy recommendations. | X | X
Threat Containment | Analysts take actions on your behalf to stop incidents from escalating. | | X
Two-way Communication | Communicate directly with our analyst team over email for guidance during a security incident. | | X

 

To configure MDR, see https://community.carbonblack.com/t5/Managed-Detection-Discussions/Cb-Managed-Detection-Welcome-Packet/m-p/105514#M65.

* VMware Carbon Black Cloud Managed Detection and Response monitors alerts from Endpoint Standard or Workload Advanced that have a priority of 5 or greater. Alerts that have a priority 8 or above will be thoroughly investigated or emails responded to within 2 hours of their arrival to the team. Alerts that are within the 5 to 7 priority range will be triaged or responded to at best effort. 

 


November 18, 2021
 
VMware Carbon Black Cloud

 

A new article on the Dashboard Getting Started widget helps guide you through testing the connection between the Carbon Black Cloud content delivery network and your endpoints. 

By using this widget, you can proactively prevent endpoints from silently failing to download content, which could cause rules, EDR data, etc., to not be delivered to the sensor. 

Links to the VMware Carbon Black Sensor Installation Guide and UEX Knowledge Base articles provide context and remediation steps for users who are experiencing connection issues.


 

November 8, 2021
 
VMware Carbon Black Cloud

 

Data Forwarder Advanced Filtering

The Data Forwarder has introduced a granular filtering capability for endpoint events. This lets you specify exactly which endpoint events to forward from Carbon Black Cloud to non-Carbon Black Cloud integrations such as SIEM and SOAR solutions.

This enhancement to the Data Forwarder includes a significantly improved Data Forwarder user interface, which includes the ability to upgrade existing endpoint event Forwarders to take advantage of the added filtering options. It also ships a new API that provides individualized Forwarder and Filter control and a validation feature to test proposed filters before implementing them in your production pipeline.

While this new filtering interface accepts similar kinds of input as you can use on Alerts and Investigate pages, you cannot cut-and-paste queries from Alerts or Investigate pages and apply them directly to your Data Forwarder event filters - the schemas are incompatible and the syntax can sometimes vary. For this reason, the Data Forwarder provides detailed validation to ensure that only valid Data Forwarder syntax and field definitions are assigned to your endpoint event Data Forwarders.

Special note for customers with existing Forwarders of type endpoint.event: The first time you save an edit of the existing filters using the console, we will upgrade that filter in the background to be saved in the new v2 filter format. To continue to directly use the Data Forwarder Configuration API after that time, you must update your code to use the v2 API. The v1 API will refuse to assign filters to a Data Forwarder if that Forwarder instance has filters assigned in the new v2-compatible format. This prevents potentially-conflicting filter configurations from running at the same time on a single Data Forwarder instance, where it would be impractical to represent both filtering configurations side-by-side in the console or in either version of the API.



November 1, 2021
 
VMware Carbon Black Cloud

 

This release contains a bug fix.


October 27, 2021 - Updated November 5, 2021
 
VMware Carbon Black Cloud

 

This release adds support for RHEL/CentOS 8.1, 8.2, and 8.3 for Vulnerability Management.

 

Improved alert dismissal context

When dismissing an alert for future, which dismisses all future alerts that share the same threat ID, you can now click on the threat ID to search for all matching alerts. You can dismiss all current open alerts that share the same threat ID, which reduces the need for a separate step to clean up those alerts. Additional context related to what a threat ID consists of has been added to the dismissal pane help text.

 

VDI enhancements in the Carbon Black Cloud console

Customers can now more easily view their VDI Clones on a dedicated page in the Inventory section of the Carbon Black Cloud console. The new VDI Clones page helps to give added clarity to customers managing large ephemeral clone pools that typically have different needs and lifespans than traditional endpoints. Horizon and Citrix VDI Clones running Windows sensor 3.7 or later (3.7.0.1533 is recommended) and Horizon Linux VDI Clones running sensor 2.12 or later will now appear on the VDI Clones page instead of the Endpoints page.

Note: Citrix VDI is not supported on the Linux platform at this time.

Golden Images will remain on the Endpoints or Workloads page depending on the products enabled in your organization.

VDI clones running older sensor versions will remain on the Endpoints page until they are upgraded to Windows sensor 3.7 or later or Linux sensor 2.12 or later.

Customers can also more easily see the golden image-to-clone relationship in the console and view all clones for a specific golden image. When the customer expands the golden image endpoint details, a link displays that includes the number of clones that are associated with the golden image.

Note: The new VDI enhancements are being enabled in phases. If you are interested in having this feature enabled in your organization, reach out to Support or your account team.

Learn more about the new VDI Clones experience in the Carbon Black Cloud User Guide.

Additional resources:


Container Essentials

 

The new VMware Carbon Black Container Network Visibility Map provides visibility and context into workloads. This provides a better understanding of the connectivity of the different workloads and how they consume services with Egress connections from external sources outside of the cluster. To simplify this process, the Network Visibility Map lets you view these workload connections in a single map of the application architecture.

Supported platforms in this release:

  • Kubernetes platforms - Tanzu Kubernetes Grid, EKS, GKE, AKS
  • Operating systems - Ubuntu, Amazon Linux
  • Linux kernel - 4.8 +
  • CNI - Calico, Antrea, Azure CNI, GKE CNI, Amazon VPC CNI

Not supported in this release:

  • Kubernetes platforms - Tanzu Kubernetes Grid on vSphere, GKE v2 dataplane

 

September 27, 2021
 
VMware Carbon Black Cloud

 

This is primarily a maintenance release. Please see the list of fixed issues for details. There are no functional changes.

September 17, 2021
 
VMware Carbon Black Cloud

 

Results Reporting on Investigate page

The Investigate page now summarizes results in terms of the data you have received and how much data is left to explore. The console reports the exact number of results returned up to 10,000. Above that limit, the console reports the 10,000 returned results and an approximation of how much of your data contributed to the result.

Three changes on the Investigate page summarize the results of your search request:

  1. Focuses on the count of how many results can be paged through
  2. Reports a percentage of your data that contributed to this search result, if the limit of 10,000 results was reached
  3. Presents a tooltip to offer ideas of what to do next

     

Default time range setting change for V6 Alerts API

To improve the resilience and stability of VMware Carbon Black Cloud, we are setting the default create_time range setting of the V6 Alerts API to one month. Effective Wednesday, 20 October 2021, if no time range is specified in the search request, the API will search through the last month’s data instead of searching through all alerts. Affected routes include _search, _facet, and workflow/_criteria. This change results in faster API response times on average.

You can specify longer time ranges or search through your entire history of alerts by using the "range" field when filtering by create_time, last_update_time, first_event_time, or last_event_time criteria. Specifying "all" as your desired range will search all available alerts. For questions about this change, please reach out to Developer Relations.

This change does not impact functionality on the Alerts page in the console.
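An integration that calls the v6 Alerts API without a time criterion will, after this change, silently receive only the last month of alerts. The following added example (not Carbon Black's own code) inspects a _search or _facet request body before it is sent and makes the window explicit; the start/end form and the "all" range keyword follow this note, while treating "one month" as 30 days for the local estimate is this example's assumption.

```python
"""Make the time window of a v6 Alerts API search explicit.

Added example; not Carbon Black's own code. From 20 October 2021 a v6 Alerts
_search, _facet or workflow/_criteria request with no time range is limited to
the last month. This helper adds an explicit create_time criterion when none
of the four time fields named in the release note carries one. The
{"start": ..., "end": ...} form and {"range": "all"} follow the release note;
the 30-day estimate of "one month" is this example's assumption.
"""
import copy
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Optional

TIME_FIELDS = ("create_time", "last_update_time", "first_event_time", "last_event_time")
SERVER_DEFAULT_WINDOW = timedelta(days=30)  # assumption: "one month" ~ 30 days


def _iso(ts: datetime) -> str:
    """Format an aware timestamp as ISO 8601 in UTC with a trailing Z."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def has_time_range(body: Dict[str, Any]) -> bool:
    """True if any time-field criterion carries a "range" or a start/end pair."""
    criteria = body.get("criteria") or {}
    for field in TIME_FIELDS:
        spec = criteria.get(field)
        if isinstance(spec, dict) and ("range" in spec or ("start" in spec and "end" in spec)):
            return True
    return False


def describe_window(body: Dict[str, Any], now: datetime) -> str:
    """Say which window the server will apply to this request.

    Returns "all", the explicit criterion found, or the post-change server
    default (the last month), so the caller can log what a query covered.
    """
    criteria = body.get("criteria") or {}
    for field in TIME_FIELDS:
        spec = criteria.get(field)
        if not isinstance(spec, dict):
            continue
        if spec.get("range") == "all":
            return "all"
        if "range" in spec:
            return f"{field} range {spec['range']}"
        if "start" in spec and "end" in spec:
            return f"{field} {spec['start']}..{spec['end']}"
    start = now - SERVER_DEFAULT_WINDOW
    return f"server default: create_time {_iso(start)}..{_iso(now)}"


def with_explicit_window(body: Dict[str, Any], *, all_history: bool = False,
                         lookback: Optional[timedelta] = None,
                         now: Optional[datetime] = None) -> Dict[str, Any]:
    """Return a copy of body with an explicit create_time criterion.

    Bodies that already carry a time range are returned unchanged; otherwise
    the caller picks either the full history or a concrete lookback window.
    """
    out = copy.deepcopy(body)
    if has_time_range(out):
        return out
    criteria = out.setdefault("criteria", {})
    if all_history:
        criteria["create_time"] = {"range": "all"}
    else:
        now = now or datetime.now(timezone.utc)
        start = now - (lookback or SERVER_DEFAULT_WINDOW)
        criteria["create_time"] = {"start": _iso(start), "end": _iso(now)}
    return out
```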

 

Threat Reports Bulletin

The Threat Reports widget, which hosts TAU-TINs, has been updated to include a new report type called a Bulletin. A Bulletin provides an initial summary of a newly breaking, emerging threat. This provides faster notification of threats as the VMware Threat Analysis Unit (TAU) is analyzing them. Any Bulletin may be upgraded to a TIN as TAU learns more about the threat.

Definitions:

Bulletin: Preliminary TAU report on newly breaking, emerging threat (no search query).

TAU-TIN: More comprehensive TAU report on emerging threat (with search query).

 

Console Improvements and Fixes for Alerts

  • Fixed Alerts query to not delete entered query.
  • Updated Alerts dismissal logic so that only what is selected is dismissed.
  • Added Dismiss all current alerts checkbox.
  • Converted the Alerts Dismiss for future options to radio buttons.
  • Corrected Alert Details dropdown - dismissed alerts referenced all assets, even when alert was only for one device.
  • Added auditing for all Create/Update/Delete-style operations in all /appservices/ APIs.
  • The alerts page search query handling logic now matches other search pages. Any query that is entered but not submitted in the Alerts search bar will be added to the search if the facets or time window are updated.
  • When group alerts were on, the dismissal modal dismissed all the alerts associated with the threat id. This is corrected.

Endpoint Standard

 

FedRAMP Audit Logs

In accordance with FedRAMP requirements related to transmitting, processing, or storing of federal data, controls are implemented to make sure that activity within the environment can be monitored centrally, correlated with other activity, and analyzed to identify potential risks to the confidentiality, integrity, or availability of the system.

Additional Audit Logs ensure that all read operations on any significant tenant data and configuration are captured.

Example of additional audit log data:

[Image: audit_log_data.png]


August 26, 2021
 
VMware Carbon Black Cloud

 

We have updated the Endpoints page to be similar to the Workloads page. The changes involve a similar location of tabs and allowing Groups to be formed in a consistent manner. There are no functional changes.


Endpoint Standard

 

Recommendations

The Recommendations feature assists in tuning your console and optimizing your environment. Carbon Black Cloud presents recommendations of policy rules that are relevant and impactful to your environment. This feature allows you to review policy rules before accepting and implementing them. We currently provide Hash and IT_Tool based recommendations, and will add more recommendation types in future releases.

NOTE: Recommendations is being deployed in a phased rollout. Not all customers will have access to Recommendations at this time.

Efficacy Improvements

Endpoint Standard customers see an increase in default prevention value. TAU provides improved detections and fixes for AMSI Threat Intelligence, Privilege Escalation, and Credential Theft.

  • Generic detections and blocking of fileless attacker toolkits executing an initial/staged payload
  • Detect GetSystem Name Pipe Privilege Escalation
  • Detect GetSystem on-disk Name Pipe Privilege Escalation
  • Detect Privilege Escalation via High Integrity Processes (UAC Bypasses)
  • Detect Scheduled Task UAC Bypass via windir Environment Variable
  • Credential Theft Detection and blocking of malicious DLLs and executables

 


Audit and Remediation

 

Email Notification Update

To limit the transmission of sensitive information, the email notification template for query result notifications no longer includes the SQL string that the query uses. The new email notification template still includes the query name, the user that ran the query, the time the query completed, and a link to view query results.

 


Enterprise EDR

 

The process event counts on the Process Investigate tab are sometimes inaccurate and do not match the event counts on Process Analysis. To eliminate confusion when performing threat hunting exercises, the Process Investigate tab now shows that the true event count in Process Analysis can be higher. We have appended a + and Help text to the event counts on the Processes Investigate tab. 


Workloads

 

New filters

You can filter workloads as golden images that have clones, which were created by using the VMware Horizon desktop pool.

You can filter workloads based on their signature pack status (out-of-date, up-to-date, not applicable, and not available).


Container Essentials

 

Kubernetes Workload Details - Page Redesign

With the new page design, you can now easily evaluate workload deployment status, risk severity, hardening and compliance state through a dedicated tabbed view for each use case. The new page is available on Inventory > Kubernetes > K8s workload.

 


Prevention

 

Updated Dynamic Prevention Rules

In the coming weeks, dynamic prevention rules assigned by Carbon Black will be updated for VMware Carbon Black Prevention customers. This update will fix an issue where select dynamic prevention rules were behaving incorrectly. We have fixed this issue and will be rolling it out to all Prevention customers. No action is required and the user experience will remain unchanged.


August 5, 2021
 
VMware Carbon Black Cloud

 

Vulnerability Management for Endpoints

VMware Carbon Black announces the general availability of Vulnerability Management for Endpoints. This new functionality helps you reduce the attack surface and simplify operations with prioritized vulnerability reporting and continuous visibility across your environment. Building on the earlier release of Vulnerability Management for Workloads, this new capability extends that functionality to your endpoints. This solution brings three key values to your Vulnerability Management workflows:

  • Prioritized: Leverage patented vulnerability prioritization data from Kenna Security based on CVE + real-life exploitability. Increase patching efficiency by 4x with best-in-class prioritization that helps you focus on common exploits and high-risk vulnerabilities to reduce attack surface.
  • Scanless: Alleviate the performance issues of legacy vulnerability scanners with:
    • Real-time vulnerability assessment that requires no additional data collection and analysis to be performed on your devices.
    • Leverage the existing capabilities of Carbon Black’s sensor across your environment to gather device and application inventory for vulnerability assessment.
  • Built-in: Deliver functionality natively as part of your extensible VMware Carbon Black Endpoint Protection Platform (EPP). There are no additional agents or consoles to deploy, manage, and maintain.

Full details on supported OS and sensor versions are here.

To install and administer Vulnerability Management in VMware Carbon Black Cloud, follow the instructions here.

Note:

  • This release also introduces support of Windows 7 and 10 vulnerability data to environments with VMware Carbon Black Cloud Workload Protection.
  • Accessing Vulnerabilities depends on your system configuration. If you have the Container Security feature enabled, go to Harden > Vulnerabilities. If you do not have the Container Security feature enabled, click Vulnerabilities in the left navigation pane.

Endpoint Standard

 

CB Analytics Alert ID Changes

In the V6 Alerts API response, customers viewing CB Analytics alerts after 19 August 2021 might notice that legacy_alert_id now equals id.

The field legacy_alert_id used to represent an 8-character ID and differed from the standard GUID format (i.e., 33bca411-77b6-4c6c-a643-ce9e7f82c742) used across all other alert types in the VMware Carbon Black Cloud. To better unify alerts, Carbon Black Cloud has aligned on the GUID format as our standard for all types of alerts in the product.

This change should have no effect on user behavior, nor will it affect your ability to search on past alerts that use the shortened legacy_alert_id format. The field legacy_alert_id will be deprecated in a future API revision. 

For more information on this change, see the VMware Carbon Black Developer Relations blogpost.


July 26, 2021
 
VMware Carbon Black Cloud

 

Console updates

The Vulnerabilities page is updated in the following ways:

  • Under Vulnerabilities > VMs, a View by menu now displays with VMs and Vulnerabilities values. The default value is VMs.
  • V2 graphs are available by clicking Show graphs.
  • Affected Assets view has been updated.

The Investigate page is updated: the event counts (netconn, etc.) displayed on the Processes tab and in the right pane represent a lower bound of the true number of events that were generated by the sensor.


 
July 16, 2021
 
VMware Carbon Black Cloud

 

Process loaded script name and hash data expanded

On the Triage Graph’s right side node panel, the process loaded script name and hash data was added, and the process information was reorganized. The process loaded script details were added to the Triage Events Table expanded information.


June 25, 2021
 
Endpoint Standard

 

Efficacy improvements

  • Added a false positive exception for macOS browsers injecting into other processes in specific situations. This is known to have affected Firefox and Thunderbird.
  • Expanded the false positive exception for certain processes writing to raw disk to include some popular programs, including RaspberryPi’s disk imager.
  • Eliminated two noisy alerts for Linux related to system utilities invoking other system utilities. The core logic has been refined to ignore some common user and/or automated behaviors.

 
Audit and Remediation

 

New recommended query

The TAU team has crafted a new recommended query that confirms whether devices running Linux kernel versions 4.4+ meet the configuration requirements for Linux sensor versions 2.10+. The Linux eBPF Kernel Header Check query results show which machines have kernel headers installed and thereby meet the sensor install prerequisites noted here.

You can find the new query in the VMware Carbon Black Cloud Console by navigating to Live Query > New Query > Recommended > IT Hygiene and scrolling down to the Linux eBPF Kernel Header Check query.


 
Container Essentials

 

New Kubernetes custom rule experience

Kubernetes policy is a mix of built-in and user-defined policy rules to help detect and enforce security and compliance standards throughout Kubernetes environments. With custom rules, you can utilize the VMware Carbon Black Cloud container policy engine to programmatically enforce security, compliance, or governance rules tailored to your unique use case, like workload labels, naming conventions, and more. With the new Custom Rule experience, you can easily craft a complicated query through a simple wizard using objects imported from the system, JSONPath navigator, and a preview of the findings.

You can find the new Custom Rule experience in the VMware Carbon Black Cloud Console by navigating to Enforce > Kubernetes Policy > Rule Table and clicking the Add Rule icon. Then select JSONPaths, methods, and values.

 


June 8, 2021
 
Workloads

 

For Workloads, two improvements are released. See Fixed Issues. 


May 27, 2021
 
Carbon Black Cloud

 

RBAC Improvements for Multi-tenant Customers

Customers and Partners in a multi-tenant configuration can assign varying levels of access to users for the org in which they were created, and in any of that org’s children. 

When switching between orgs, users can only see the orgs to which they have access.

RBAC Improvements for Data Forwarder

We have separated Data Forwarder-related permissions from the Manage/View Org Information and Codes permissions into independently-assigned permissions:

  • Manage Data Forwarders lets you create, edit, and delete Data Forwarders in your organization through the Event Forwarder Config API and the Settings > Data Forwarders page in the console. This permission is assigned by default to the Super Admin role.
  • View Data Forwarders lets you review the details of any Data Forwarders that are configured for your organization through the Event Forwarder Config API and the Settings > Data Forwarders page in the console. This permission is assigned by default to the System Admin and Super Admin roles.

For API consumers who want to create a custom Access Level, you will find the permission continues to be named event-forwarder.settings, and is now grouped under the Data Forwarder category.

Identity and Access Management APIs

Customers and partners can now programmatically create users and manage access with the User Management V6, Grants V2, and Roles V3 APIs.

  • User Management v6: You can create, update, and delete users, and retrieve details about the user.
  • Grants v2: You can create, update, and delete role assignments for users, or update the access level that is assigned to a custom API key token. By using the API, you can assign multiple roles to a user for a single org, set expiration dates on role assignments, and enable or disable role assignments.
  • Roles V3: Users can identify which roles they can assign in an org, based on their level of access.

VMware Data Retention

VMware Data Retention is extended data retention for Carbon Black Cloud endpoint products. Today, Carbon Black Cloud offers a 30-day data retention standard in endpoint products. With VMware Data Retention, we offer 60-, 90- and 180-day options for event data. 


Workloads

The enhanced search filter on the VM Workloads page allows you to filter on a more granular status of the sensor. Instead of showing only a high level status of Registered or Deregistered, the filter now shows detailed filters such as Active, Inactive, Bypass, Quarantine, Sensor out of Date, and Deregistered.

We have added a field to the VM Workload Enabled data export, which is displayed in Signature Pack Status.

You can now view the vulnerability data for virtual machine (VM) workloads that have a sensor installed, even if the appliance is not configured.


May 3, 2021
 
Carbon Black Cloud

 

To improve the user experience, we modified the VMware Carbon Black Cloud User Guide table of contents to match the left navigation pane of the VMware Carbon Black Cloud console.


Endpoint Standard

Alert Triage for additional preventions

VMware Carbon Black’s Threat Analysis Unit (TAU) delivers dynamic, high-fidelity preventions to protect against critical threats related to ransomware, credential theft, file-backed and fileless Powershell scripts, and more. These high-confidence preventions are delivered to all Endpoint Standard-enabled sensors version 3.6+ and require no customer action. To date, alert triage has been unsupported for these preventions, as was stated when they occurred:

[Image: alertdetails.png]

Alert triage is now supported for these preventions. Clicking the Alert Triage button allows you to view parent, primary, child, and other related processes for an associated prevention. 

Note: Customers with a https://defense-prod05.conferdeploy.net/ console login URL will receive this update on Tuesday, May 4th.

Enhanced Enriched Events details API

The /v2/orgs/${orgKey}/enriched_events/detail_jobs API is updated. You can view detailed Enriched Event information for a given alert, including information about related processes, with one simple search query. This reduces investigation time and allows you to access the alert's associated events faster. For more information, visit the Request Details for Enriched Events section on the VMware Carbon Black Developer Network.

 


April 29, 2021
 
Container Essentials

 

VMware Carbon Black Cloud Container helps organizations reduce risk, obtain compliance, and achieve secure Kubernetes environments at scale. This solution integrates into existing DevOps processes to reduce operational complexity, and helps security teams enforce compliance, security, and governance from a single dashboard. 

This release includes Container Image Scanning and CI/CD integration capabilities to scan containers and Kubernetes configuration files early in the development lifecycle.  Therefore, vulnerabilities and misconfigurations can be addressed faster. It enables visibility into all containers that are running in production to enforce security policies, and ensures that all containers running in production have been scanned.

Documentation

Kubernetes Operator Improvements

Operators are software extensions to Kubernetes that make use of custom resources to configure the Carbon Black Cloud Kubernetes agents. Operators follow Kubernetes principles — in particular the control loop — to install and manage data plane components that the Carbon Black Cloud requires.

The Kubernetes operator in Carbon Black Cloud is a Go-based operator built with operator-sdk v1.5.0. The refactoring introduces various improvements and bug fixes.

Note: Existing installations of Carbon Black Cloud Kubernetes cluster agents cannot be upgraded and should be reinstalled. For more information, see the following procedure.

Upgrade an existing Kubernetes Cluster Agent

  1. Uninstall the existing Kubernetes cluster agent.
    a. Delete the data plane and the operator:
      kubectl delete --wait -n octarine-dataplane octarines.operator.octarinesec.com octarine
      kubectl delete -f https://setup.dev.containers.carbonblack.io/operator-v2.0.1
      These commands remove the Kubernetes agent from the cluster. The cluster's workloads are not visible in Carbon Black Cloud and policies are not enforced until the agent is re-installed.
    b. Delete the Kubernetes cluster agent from the Carbon Black Cloud console. For details, see Delete A Kubernetes Cluster.
  2. Set up a new Kubernetes cluster agent. For details, see Set up a Kubernetes Cluster.

April 26, 2021
 
Release Calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ April 19
https://defense.conferdeploy.net April 20
https://defense-prodsyd.conferdeploy.net/ April 19
https://defense-prod05.conferdeploy.net April 20
https://defense-eu.conferdeploy.net April 20
https://defense-prodnrt.conferdeploy.net/ April 20

 

Note: The Carbon Black Cloud user interface is updated on April 26, 2021.


VMware Carbon Black Cloud
 
New VMware Carbon Black Cloud Dashboard
 

In security, every moment matters. You and your team need to find the information you need quickly and easily, right when you need it. We’ve introduced a new and improved VMware Carbon Black Cloud dashboard to increase your efficiency and simplify your workflows. 

This change affects nearly all VMware Carbon Black Cloud customers who have endpoint and/or workload protection, except for customers who only have Audit and Remediation.

A refreshed look and feel makes the dashboard more visually appealing. Information is now easier to view and understand.

New functionality

  • To help you conduct faster investigations, all widgets are clickable and automatically filter based on your selection. For example, if you click Linux OS vulnerabilities in the Critical Vulnerabilities widget, it takes you to the Vulnerability page and filters the content by Linux OS. 
  • We have introduced quick and easy PDF reporting. With one click, you can create a PDF of the widgets and their associated graphs to share with your extended team.

New widgets

  • Alerts: See a trending graph of alerts over 1, 3, or 7 days, so you can easily spot when alerts increased or decreased.
  • VM Workloads Overview (workload customers): Track the status of virtual machines.
  • Critical Vulnerabilities (workload customers): See a breakdown of the most critical workload vulnerabilities in your organization, filtered by operating system.
  • Assets with Critical Vulnerabilities (workload customers): See the assets that are affected by critical workload vulnerabilities.

Upgrades to existing widgets

  • Top Alerted Devices renamed to Top Alerted Assets (endpoint customers): See the endpoint devices with the most alerts.
  • Threat Reports: See whether the latest threats identified by the VMware Carbon Black threat team exist in your environment. One click takes you to the Investigate page with a pre-populated query for the attack, enabling faster investigations.
  • Prevented Malware replaces Attacks Stopped: See all of the malware stopped in your environment.

Retired widgets

Based on customer feedback, we have retired the Attacks by Vector, Attack Stages, Potentially Suspicious Activity, and VMware AppDefense widgets.

What isn't changing?

Existing functionality including filters, the ability to configure your personal dashboard, widget manipulation, and Export to CSV is retained.

Updated Live Response with granular RBAC

Carbon Black Cloud Live Response has been overhauled to help increase security and reduce integration friction.

With this update, you have four permission levels for improved least-privileged access to Live Response:

  1. View Live Response - Administrators can open a session and inspect the endpoint, but cannot change anything on it.
  2. Use Live Response - Administrators can inspect and change the endpoint, except for the actions separated into the next two permission levels.
  3. Execute Live Response Processes - Administrators can launch any process on the endpoint (the exec and execfg commands).
  4. Dump Memory and Remove Live Response - Administrators can take a full memory dump (memdump) and can permanently disable Live Response on the endpoint.

The Live Response v6 API is now available. It uses the Custom API Key type, so a modern integration can use a single Custom API key across a larger number of the Carbon Black Cloud APIs.

The exec, execfg, and memdump commands are separated into the two new permission levels above to provide finer-grained control. All default and custom roles keep the same access to all Live Response commands as before, with one exception: by default, the Level 2 Analyst role no longer has permission to run these three commands.

For more information, see Live Response API releasing v6: now with granular RBAC! on the Carbon Black Cloud User Exchange.

RBAC improvements for Workload Management

Image Scanning permissions: Scan Workload Image and Manage Image Vulnerability Exceptions let you create custom access levels to generate API keys for different use cases (for example, scan images in the cloud).

RBAC improvements for VMware Workspace ONE Intelligence

Carbon Black Cloud and Workspace ONE Intelligence have updated the existing integration to be more seamless, thereby building towards VMware’s vision of Intrinsic Security. 

A new Access Level named VMware Workspace ONE Intelligence can be used to generate API Keys that enable Workspace ONE Intelligence to ingest richer Carbon Black Cloud telemetry and to remediate incidents through SOAR workflows.

Data Forwarder Configuration User Interface

The Carbon Black Cloud Data Forwarder (previously known as the Event Forwarder) now offers a Data Forwarder settings page. This page lets you easily add and configure data forwarders that you previously had to set up using the Event Forwarder Configuration API.

  • The Data Forwarder page eliminates the need to create a custom API Access Level and a custom API Key.
  • Integrated health check access confirms that the AWS S3 bucket is ready to start receiving forwarded Carbon Black Cloud data, whether you enable the forwarder immediately or not.
  • You must set up and configure the AWS S3 bucket to store the forwarded events, including applying the appropriate Bucket Policy.
  • These steps are documented in the Data Forwarder Setup Guide.

You can find this page under Settings > Data Forwarder.

To set up a new Forwarder, click the Add Forwarder button and configure the parameters.
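As an added example, not the policy from the Data Forwarder Setup Guide or any VMware code, the script below builds a least-privilege bucket policy for a forwarder destination and audits it before you attach it. The forwarder principal ARN is a placeholder, and the guide's exact principal and action list must be substituted; the assumption here is that the forwarder only needs s3:PutObject on one prefix. The TLS-only deny statement is general S3 hardening, not a forwarder requirement.

```python
"""Build and audit the S3 bucket policy for a Data Forwarder destination.
Added example, not VMware's code.

Assumptions:
  * FORWARDER_PRINCIPAL is a placeholder. The real principal (the Carbon
    Black Cloud AWS account or role for your console's region) and the
    exact action list come from the Data Forwarder Setup Guide.
  * The forwarder only needs to write objects, so the Allow grants
    s3:PutObject on one prefix and nothing else.
  * The TLS-only Deny is standard S3 hardening, not a forwarder requirement.
"""
import json
from typing import Dict, List

FORWARDER_PRINCIPAL = "arn:aws:iam::123456789012:root"  # placeholder, see guide


def build_forwarder_bucket_policy(bucket: str, prefix: str,
                                  principal: str = FORWARDER_PRINCIPAL) -> Dict:
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefix = prefix.strip("/")
    object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCarbonBlackCloudForwarderWrite",
                "Effect": "Allow",
                "Principal": {"AWS": principal},
                "Action": ["s3:PutObject"],
                "Resource": object_arn,
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_bucket_policy(policy: Dict, bucket: str) -> List[str]:
    """Return findings for over-broad Allow statements. An empty list means
    the policy grants nothing beyond a prefix-scoped write to this bucket."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only tighten the policy
        sid = st.get("Sid", "<no sid>")
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: Allow to anonymous principal")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif action != "s3:PutObject":
                findings.append(f"{sid}: action {action} not needed by the forwarder")
        for res in _as_list(st.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res} outside {bucket_arn}")
            elif res == f"{bucket_arn}/*":
                findings.append(f"{sid}: write grant covers the whole bucket; scope it to a prefix")
    return findings


if __name__ == "__main__":
    pol = build_forwarder_bucket_policy("acme-cbc-events", "cbc/endpoint.event")
    print(json.dumps(pol, indent=2))
    print("findings:", audit_bucket_policy(pol, "acme-cbc-events"))
```

Run the audit against the policy you actually attach, not only the generated one: the most common mistake with forwarder buckets is a later edit that widens the principal to "*" or the action to "s3:*" while troubleshooting the health check, and both are flagged here.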


Endpoint Standard

 

Efficacy improvements

  • Added better TTP tagging for rundll32.exe turning off registry keys that control logging of certain behavior.
  • False positive reductions for CCleaner, LogMeIn, Kaseya, and Firefox performing behaviors that are normally suspicious.

Container Essentials

 

A new permission, View Image and Manage Image Exceptions, gives developers limited access to container image information and vulnerability exceptions. A new role, Kubernetes Security Developer, has been added, and the Super Admin role has been updated to include the new permission.

Carbon Black Cloud’s upcoming Container Image Scanning capability introduces a new command-line interface (CLI) utility for customers to interact with the new suite of features. To support the utility’s interaction with Carbon Black Cloud, a new Access Level named Container Image Command Line Interface generates API keys that enable it to scan container images and validate them against customizable security policies.


April 1, 2021
 
Workloads
 

The VMware Carbon Black Cloud Workload appliance 1.0.2 is a maintenance release containing security updates and improvements based on customer feedback.

Security Advisory (VMSA-2021-0005)

The VMware Carbon Black Cloud Workload appliance 1.0.2 update addresses a security vulnerability in which a URL on the appliance's administrative interface could be manipulated to bypass authentication. Apply the update promptly; until it is applied, keep the administrative interface reachable only from trusted management networks.

For more information about this release, see VMware Carbon Black Cloud Workload 1.0.2 Release Notes.


March 18, 2021
 
Release calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ March 17
https://defense.conferdeploy.net March 18
https://defense-prodsyd.conferdeploy.net/ March 17
https://defense-prod05.conferdeploy.net March 17
https://defense-eu.conferdeploy.net March 18
https://defense-prodnrt.conferdeploy.net/ March 18

 


Carbon Black Cloud
 
Improved Carbon Black Cloud documentation experience
 
Carbon Black Cloud product documentation is now available on docs.vmware.com in HTML and .pdf. In-product links to the User Guide and the Sensor Installation Guide open in a new tab on docs.vmware.com. You can select specific articles and documents to build your own personal library and easily provide feedback on individual articles. Learn more.
 
Detail message setting available in one location
 
On the Policies page, we renamed UI: Sensor Detail message to Display sensor message in system tray and consolidated the sensor settings from the General and Sensor tabs into a single location on the Sensor tab. You can enable, and optionally customize, the message that is displayed in an endpoint's system tray when a notification is generated.

 


Carbon Black Cloud
 
Efficacy improvements
 
  • Linux: new detections for cryptojacking behavior, where malware attempts to quietly mine cryptocurrency (particularly Monero) on endpoints.
  • Linux: new detections for fileless attacks, refocused from a broad approach onto specific suspicious behaviors such as encoded commands and code executed directly from command-line arguments.

Container Essentials
 
New Kubernetes Security DevOps (View Only) Role
 
A new Kubernetes Security DevOps (View Only) role includes the existing View Kubernetes security permission, to support read-only access to container and Kubernetes workload security.

 

Improved Kubernetes Workload policy exceptions
 

We added the ability to dynamically exclude Kubernetes workloads from policy rules using an exact or partial match on the workload name. With Policy Dynamic Exception, an exception can apply to all instances of a workload within the selected scope. This supports per-application (per-namespace) policies for workloads that are deployed across many clusters, such as kube-system.

 


March 2, 2021
 
Release calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ March 2
https://defense.conferdeploy.net March 3
https://defense-prodsyd.conferdeploy.net/ March 2
https://defense-prod05.conferdeploy.net March 3
https://defense-eu.conferdeploy.net March 3
https://defense-prodnrt.conferdeploy.net/ March 3

 


Carbon Black Cloud
 
Voice of the customer
 
Idea Central in the Carbon Black User Exchange was the primary tool for feature request submissions. It was deprecated on February 22, 2021, and a link to the Voice of the Customer space takes its place. Instructions on how to use the Voice of the Customer page are linked in the former Idea Central location.
The Voice of the Customer process for Carbon Black Cloud feature requests has the following effects:
 
  • Increase customer visibility for the top requested features.
  • Communicate updates regularly on requested features to interested customers.
  • Increase visibility into requests we’ve chosen to archive and why.
  • Allow customers to weigh in on items outside of highly requested items.

The Voice of the Customer page creates an improved forum for customers to track progress on features that are in development. It provides additional opportunities for customers to provide feedback during development.


Endpoint Standard
 
Unknown binary analysis is enabled by default for new customers in Standard and Advanced policies
 
Note: This policy change applies to new customers only. No policy settings of existing customers have been changed.
 
The Submit unknown binaries for analysis by Avira feature on the Policies > Sensor page is now enabled by default for new Endpoint Standard organizations. Submitting unknown binaries improves prevention efficacy against new forms of malware by allowing for additional automated threat analysis and reputation context. When enabled, binaries with a NOT_LISTED reputation are submitted to Avira for cloud analysis. The file must be a portable executable (such as a .exe or .dll). Document files, such as PDFs, text files, pictures, spreadsheets, and other personal files are never uploaded. Files are analyzed automatically without any human interaction and Avira does not share uploaded unknown binaries with any third-parties. You can opt out at any time.
 

For existing customers: 

VMware Carbon Black strongly recommends that you enable this feature to ensure your organization is protected against new malware and other potentially harmful unknown binaries. This feature significantly assists in classifying new malware and increases reputation efficacy. Customers who want to prevent uploads from sensitive file paths or locations can do so in Policies > Prevention > Uploads.

Efficacy improvements
 
  • Added new Linux detections, including some detections for the Shellshock bug family.
  • Refined many Solarwinds-related detections based on customer false positives.
  • Tuned down some of the monitored/observed alerts for Linux to reduce noise.
  • New prevention capabilities focusing on Emotet document TTPs. This prevention rule targets Office documents that contain macros that leverage WMI to evade process lineage detection and prevention rules. Note that this rule requires Windows 10 and Office 365/2019 and later versions.
  • New Detection/Prevention heuristics for the following:
    • Behaviors related to tools that can dump the memory of running processes to disk via scripting languages like PowerShell, and known keylogging capabilities that can be run in PowerShell.
    • Targeting highly suspect ransomware behaviors that can be executed with scripting languages like PowerShell.

 


Enterprise EDR
 
  • On the Watchlists page, you can now differentiate between watchlist types (third party feeds or custom watchlists) at a glance. Sorting watchlists by type is also added.
  • To improve page performance, the Investigate and Process Analysis pages now include an exponential backoff when retrieving search results. The backoff timing is calibrated to align with average search completion times.

February 8, 2021
 
January 27, 2021
 
Endpoint Standard
 

The Reputation Overrides API is now available for Endpoint Standard customers. This API enables customers and partners to automate adding hashes, certificates, and IT Tools to their organization's Allow List or Banned List:

  • The operations you perform with this API are reflected in the Reputations page in the Carbon Black Cloud console, and in the Deny/Block, Terminate, or Allow reactions performed by Endpoint Standard sensors.
  • You can add, edit, delete, search, and export reputation override records for your organization.
  • Requirements: this API is currently supported for Endpoint Standard customers.
    • In the future, this API will be supported for customers who have Enterprise EDR but not Endpoint Standard. Until then, Enterprise EDR-only customers can manage their organization's reputation overrides; however, such reputation override configurations will have no effect on CBC sensor enforcement of banned hashes.

Notes:

  • The values used on request and response for the sha256 field are currently named BLACK_LIST and WHITE_LIST; they will be updated later this year in accordance with our Eliminating Offensive Terminology announcement in 2020.
  • This API will be integrated soon into the Reputation page on the Carbon Black Cloud console.
  • See API documentation on Developer Network.
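As an added example (not code from these release notes or from VMware Carbon Black), the script below bans a SHA-256 through this API with the input checks an automation should have: it rejects anything that is not a 64-hex digest so a truncated or mistyped hash cannot ban the wrong file, and it requires a description so the Reputations page records why the override exists. The endpoint path, body fields and X-Auth-Token format are assumptions to verify against the Developer Network documentation; the transport is injected so the example runs offline against the constructed in-memory store.

```python
"""Create and delete reputation overrides with input validation.
Added example, not VMware's code.

Assumed shape of the API (verify against the Developer Network):
  POST   /appservices/v6/orgs/{org_key}/reputations/overrides
         body {"override_list": "BLACK_LIST" | "WHITE_LIST",
               "override_type": "SHA256",
               "sha256_hash": ..., "filename": ..., "description": ...}
         -> the created record, including its "id"
  DELETE /appservices/v6/orgs/{org_key}/reputations/overrides/{id}
X-Auth-Token is "<API secret>/<API ID>" for a Custom API key.
"""
import re
from typing import Callable, Dict, Optional

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# List names as of this release; the page says they will be renamed later.
VALID_LISTS = {"BLACK_LIST", "WHITE_LIST"}

Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


def build_sha256_override(sha256: str, override_list: str, filename: str,
                          description: str) -> Dict:
    """Validate inputs and build the request body."""
    sha256 = sha256.strip().lower()
    if not SHA256_RE.match(sha256):
        raise ValueError(f"not a SHA-256 hex digest: {sha256!r}")
    if override_list not in VALID_LISTS:
        raise ValueError(f"override_list must be one of {sorted(VALID_LISTS)}")
    if not description.strip():
        raise ValueError("description is required so the Reputations page shows why")
    return {
        "override_list": override_list,
        "override_type": "SHA256",
        "sha256_hash": sha256,
        "filename": filename,
        "description": description.strip(),
    }


class ReputationOverrides:
    def __init__(self, base_url: str, org_key: str, api_id: str,
                 api_secret: str, send: Transport):
        self.url = f"{base_url.rstrip('/')}/appservices/v6/orgs/{org_key}/reputations/overrides"
        self.headers = {"X-Auth-Token": f"{api_secret}/{api_id}",
                        "Content-Type": "application/json"}
        self.send = send

    def create(self, body: Dict) -> Dict:
        return self.send("POST", self.url, self.headers, body)

    def ban_hash(self, sha256: str, filename: str, description: str) -> str:
        """Add a hash to the Banned List; returns the override id."""
        rec = self.create(build_sha256_override(sha256, "BLACK_LIST", filename, description))
        return rec["id"]

    def delete(self, override_id: str) -> None:
        self.send("DELETE", f"{self.url}/{override_id}", self.headers, None)


class FakeStore:
    """Constructed in-memory stand-in for the service, so the example runs offline."""
    def __init__(self):
        self.records: Dict[str, Dict] = {}
        self.next_id = 1

    def send(self, method, url, headers, body):
        if method == "POST":
            oid = str(self.next_id)
            self.next_id += 1
            self.records[oid] = dict(body, id=oid)
            return self.records[oid]
        if method == "DELETE":
            self.records.pop(url.rsplit("/", 1)[1], None)
            return {}
        raise NotImplementedError(method)


if __name__ == "__main__":
    store = FakeStore()
    api = ReputationOverrides("https://defense-prod05.conferdeploy.net",
                              "ORGKEY", "ABCD1234", "secret", store.send)
    oid = api.ban_hash("E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
                       "dropper.exe", "IR-1234: banned after sandbox verdict")
    print("created override", oid, store.records[oid])
    api.delete(oid)
    print("remaining overrides:", store.records)
```

For real use, replace FakeStore.send with a function that calls requests.request(method, url, headers=headers, json=body) and returns response.json(); keep the validation, since the service will happily store whatever string you send as the hash.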

January 25, 2021
 
Release calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ January 25
https://defense.conferdeploy.net January 26
https://defense-prodsyd.conferdeploy.net/ January 25
https://defense-prod05.conferdeploy.net January 26
https://defense-eu.conferdeploy.net January 26
https://defense-prodnrt.conferdeploy.net/ January 26

 

Endpoint Standard
 
Efficacy improvements
 
Credential Access Preventions
 
In early January, Endpoint Standard customers received new default behavioral preventions associated with Credential Access. The focus for this release was living-off-the-land techniques that read the memory of the LSASS process (lsass.exe) on Windows, a common in-memory credential store targeted by malicious actors.
 
You must upgrade to the Windows 3.6 sensor version to take advantage of this added prevention efficacy due to new technology introduced in that sensor version.
 
SUNBURST updates
 
VMware Carbon Black has been actively monitoring all information related to the FireEye/Solarwinds security incident. We are actively deploying new adjustments to the Carbon Black Cloud and will continue to make additional updates as information becomes available. Efficacy improvements are analyzed and deployed in real-time as information is received and analyzed; therefore, this section will primarily focus on improvements that have already been deployed. Refer to the TAU-TINs for more detailed information about these incidents.

 


December 22, 2020
 
VMware Carbon Black Cloud Container Essentials
 

VMware Carbon Black announces the general availability of VMware Carbon Black Cloud Container Essentials.

VMware Carbon Black Container Essentials is a container security product that protects workloads that are running on multiple Kubernetes clusters, either on-premises or in the public cloud. It provides continuous visibility, security, and compliance for the full lifecycle from CI/CD to production. It helps you to understand the security posture of workloads running in Kubernetes, prioritizes the risk associated with each workload, and helps you resolve misconfigurations. You can use policies and predefined policy templates to harden clusters and prevent deviation from a secure configuration.

  • Dashboard - Provides visibility into your security posture across multiple clusters and namespaces.
  • Compliance & Policy Automation - Create automated policies to enforce secure configuration and to ensure compliance with organizational requirements and industry standards such as CIS benchmarking. Detect and prevent misconfiguration from build to deployment.
  • Prioritized Risk Assessment - Prioritize the most severe risks to your Kubernetes environment to detect and prevent misconfigurations before containers are deployed. Scan Kubernetes manifests at continuous integration (CI/CD) and on Kubernetes clusters.
  • Governance & Enforcement - Ensure your Kubernetes configuration integrity through control and visibility of workloads that are deployed to your clusters. Customized policies enforce secure configuration by blocking or alerting on exceptions.

User documentation


December 16, 2020
 
Release calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ December 16
https://defense.conferdeploy.net December 17
https://defense-prodsyd.conferdeploy.net/ December 16
https://defense-prod05.conferdeploy.net December 17
https://defense-eu.conferdeploy.net December 17
https://defense-prodnrt.conferdeploy.net/ December 17

 

Carbon Black Cloud
 
Sensor management - expanded group criteria
 
Sensor group criteria are expanded to include specific OS versions, and subnets can now be defined in CIDR notation.
 
OS versions
 
Sensor groups can now be defined based on a specific operating system version. The drop-down menus list the supported OS versions.

 

CIDR notation support

Subnet criteria can now be defined using CIDR notation. The console accepts prefix lengths from /1 to /24.

 

Quality improvements for partners and multi-tenant customers

 

  • When creating a user in the Carbon Black Cloud, the product now checks to make sure that the email address is unique across the entire Carbon Black Cloud environment.
  • Partners and multi-tenant customers can create email notification rules for themselves in any org to which they have access by going to Settings > Notifications in the org where they want to create the rule.

Alert search API improvements

Time criteria filters now support ranges based on months using the unit M.


Endpoint Standard
 
Efficacy improvements
 
  • Added new detections, including one for Reg.exe attempting to export the Security Account Manager (SAM) registry hive, and one for PowerShell executing certain encoded commands.
  • TTPs from the MITRE Framework v7.0 update are added to existing detections, and a few new conditions are added for MITRE TTPs.
  • Various false positive reductions have been implemented, including some for Linux scripts executing common IT tasks.

Audit and Remediation
 
Getting Started widget experience
 
We have added content to the existing Getting Started widget on the Dashboard to help onboard users for Audit and Remediation. This content guides users through how to run an ad-hoc live query, schedule a query, view query results, and use the Live Response functionality.

 


Enterprise EDR
 
  • Adds childproc_cmdline to childproc events in the Process Analysis events table.
  • Updates IP address column headers on the Networks subtab on the Investigate page. Adds a new Direction column. Adds the ability to display IPv6 addresses in existing columns.
  • Adds the ability to configure the time window for viewing watchlist hits on the Watchlists page (previously fixed to 3 days). Moves watchlist sorting controls into headers, which is identical to how other tables work.

December 7, 2020

 

Workloads
 
New roles and permissions
 
A new permission, Manage Kubernetes security, supports the upcoming Container Security capability. A new role, Kubernetes Security DevOps has been added, together with the super-admin role adjustment to include the newly added permission.
 
The new permission and role help Kubernetes operators secure their environment.

 


November 30, 2020

 

Endpoint Standard
 
VMware Carbon Black announces the general availability of Device Control for USB storage devices in Endpoint Standard. This new functionality lets you harden your security posture, control authorized usage, and prevent malware infiltration from USB storage devices. You can now view, manage, approve, and implement blocking policies for USB storage devices that are connected to Windows endpoints. You will have access to the following functionality:
 
  • Policy-based USB Device Blocking: Gain an additional layer of protection and strengthen overall security posture with the ability to block read, write, and execute actions on a per-policy basis.
  • Flexible USB Device Approved List: Enable designated external devices with read/write/execute permissions, including flexible approval options for enabling distinct USB devices, or enabling broader manufacturer- or product-based permissions across your environment.
  • Alert on Block: Receive notifications of USB device blocks in your environment, and easily approve devices directly from the alert. Users also receive notifications when attempting to use blocked devices, thereby educating them on company policy.
  • USB Device Inventory: Gain visibility into all supported USB devices connected to your network with the ability to view, filter, search, and approve USB devices from the Inventory page.

You must be running Windows sensor version 3.6.0.1897 or later, and have an administrator role with Device Control permissions. Legacy roles such as Live Response Admin are not supported and do not have access to Device Control. For questions, see the KB article Which Roles Are Required For Device Control?

 

November 11, 2020

 

Release calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ November 11
https://defense.conferdeploy.net November 11
https://defense-prodsyd.conferdeploy.net/ November 11
https://defense-prod05.conferdeploy.net November 12
https://defense-eu.conferdeploy.net November 12
https://defense-prodnrt.conferdeploy.net/ November 12

 


Carbon Black Cloud
 
Updated console
 

We've made some design changes to update the look and feel of the VMware Carbon Black Cloud console and provide a more seamless experience across solutions. Next time you sign in, you'll notice:

  • An updated Sign-in page
  • Updated branding in the top banner
  • Updated navigation and menu styles

These changes are reflected in all of our solutions, including Endpoint Standard, Enterprise EDR, and Audit and Remediation. They are solely visual changes and do not affect the functionality of the pages.


Endpoint Standard 

Efficacy improvements

Fixed a bug where the Endpoint Standard sensor correctly blocked malware from running and the cloud detection analytics correctly generated an alert, but the alert did not carry the correct ThreatCategory of KNOWN_MALWARE.

Reduced false positives for some Windows email clients spawning certain target processes.

More TTPs from the MITRE Framework v7.0 update have been added to existing detections.


November 9, 2020

 

Carbon Black Cloud 
 

Investigate page update

We have added Alert ID and Alert Category filters to the Enriched Events tab on the Investigate page.

Coming in the next release - Visual changes to the Carbon Black Cloud

In the next release, the VMware Carbon Black Cloud console will be updated to look and feel like the VMware family of products. You’ll notice:
 

  • An updated Sign-in page
  • Updated branding in the top banner
  • Updated navigation and menu styles

These changes will be reflected in all of our Carbon Black Cloud solutions, including Endpoint Standard, Enterprise EDR, and Audit and Remediation. These are solely visual changes and do not affect the functionality of Carbon Black Cloud.

November 4, 2020

 

Audit and Remediation 
 

osquery version update (v4.5.0)

The syntax validator on the SQL tab and the link to the osquery schema now use osquery schema version 4.5.0, which aligns with the schema version shipped in the latest sensors.

This version of osquery adds a new non-evented table, windows_eventlog, for querying Windows event log channels on demand. It also adds Windows support for the existing yara table, and YARA rules can now be supplied inline in the query rather than from a signature file on disk.

Additional recommended queries

Eleven new recommended queries have been crafted by our Threat Analysis Unit (TAU), using the new tables in osquery 4.5.0, together with a few queries that help detect and gather information related to the recent vulnerability CVE-2020-1472 (Zerologon, the Netlogon elevation of privilege vulnerability).

Go to New Query > Recommended to run or schedule these new queries.
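As an added example of the kind of triage the new windows_eventlog table makes possible (not one of the recommended queries shipped by TAU, and not code from this page), the script below takes rows in the shape that table returns for Security log Event IDs 4624 and 4742 and flags the pattern Microsoft published for CVE-2020-1472 exploitation: a computer account password change (4742) performed by ANONYMOUS LOGON (S-1-5-7), rated higher when an anonymous network logon (4624, type 3) precedes it on the same host. The exact column names of windows_eventlog and the JSON layout of its data column are assumptions to check against the osquery schema; the sample rows are constructed, not captured telemetry.

```python
"""Zerologon (CVE-2020-1472) triage over windows_eventlog rows.
Added example, not TAU's recommended query and not VMware's code.

Assumptions:
  * windows_eventlog exposes at least datetime, eventid and a data column
    holding the event's EventData as JSON (field names below follow the
    Windows Security log schema for 4742 and 4624).
  * datetime is "YYYY-MM-DD HH:MM:SS" text.
  * SAMPLE_ROWS are constructed for the example.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# The Live Query this triage would be fed from (assumed table layout).
ZEROLOGON_QUERY = (
    "SELECT datetime, eventid, data FROM windows_eventlog "
    "WHERE channel = 'Security' AND eventid IN (4624, 4742);"
)

ANONYMOUS_SID = "S-1-5-7"


def _event_data(row: Dict) -> Dict:
    return json.loads(row["data"]) if isinstance(row["data"], str) else row["data"]


def _ts(row: Dict) -> datetime:
    return datetime.strptime(row["datetime"], "%Y-%m-%d %H:%M:%S")


def find_zerologon_indicators(rows: List[Dict], window_seconds: int = 60) -> List[Dict]:
    """One finding per 4742 whose subject is ANONYMOUS LOGON and whose target
    is a machine account; severity rises to critical when an anonymous
    network logon landed within window_seconds before it."""
    rows = sorted(rows, key=_ts)
    anon_logons = [
        r for r in rows
        if r["eventid"] == 4624
        and _event_data(r).get("TargetUserSid") == ANONYMOUS_SID
        and str(_event_data(r).get("LogonType")) == "3"
    ]
    findings = []
    for r in rows:
        if r["eventid"] != 4742:
            continue
        d = _event_data(r)
        if d.get("SubjectUserSid") != ANONYMOUS_SID:
            continue  # password changes by real accounts are routine
        target = d.get("TargetUserName", "")
        if not target.endswith("$"):
            continue  # not a machine account
        prior = [a for a in anon_logons
                 if timedelta(0) <= _ts(r) - _ts(a) <= timedelta(seconds=window_seconds)]
        findings.append({
            "datetime": r["datetime"],
            "target_account": target,
            "severity": "critical" if prior else "high",
            "anonymous_logon_before": prior[-1]["datetime"] if prior else None,
        })
    return findings


SAMPLE_ROWS = [  # constructed sample rows, not real telemetry
    {"datetime": "2020-11-02 14:03:10", "eventid": 4624,
     "data": json.dumps({"TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": "S-1-5-7",
                         "LogonType": "3", "IpAddress": "10.1.2.3"})},
    {"datetime": "2020-11-02 14:03:12", "eventid": 4742,
     "data": json.dumps({"SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7",
                         "TargetUserName": "DC01$", "PasswordLastSet": "11/2/2020 14:03:12"})},
    {"datetime": "2020-11-02 15:00:00", "eventid": 4742,
     "data": json.dumps({"SubjectUserName": "svc-join", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
                         "TargetUserName": "WS042$"})},
    {"datetime": "2020-11-02 16:30:00", "eventid": 4624,
     "data": json.dumps({"TargetUserName": "jdoe", "TargetUserSid": "S-1-5-21-1-2-3-1001",
                         "LogonType": "2"})},
]

if __name__ == "__main__":
    for finding in find_zerologon_indicators(SAMPLE_ROWS):
        print(finding)
```

Because windows_eventlog is non-evented, the query only sees what is still in the Security log when it runs; on a busy domain controller that can be hours, so schedule the query rather than relying on a one-off run, and treat a lone "high" finding (4742 by S-1-5-7 without the preceding logon) as worth a look rather than noise, since the logon may simply have rolled out of the log first.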


October 29, 2020

 

VMware Carbon Black Cloud™ Workload 

 

VMware Carbon Black is pleased to announce the general availability of VMware Carbon Black Cloud™ Workload. VMware Carbon Black Cloud Workload is a data center security product that protects workloads running in your vSphere environment. It includes core capabilities such as agentless deployment and lifecycle management, vSphere workload inventory, and vulnerability assessment. It also includes prevention, detection and response capabilities such as Audit and Remediation, Next-Gen Antivirus (NGAV), real-time threat hunting, and Endpoint Detection and Response (EDR). This solution provides the following benefits:

  • Integrates with VMware vSphere to simplify operations for IT and security teams
  • Provides risk-prioritized vulnerability assessment
  • Reduces the attack surface and hardens workloads
  • Blocks both known and unknown attacks, including malware, fileless, and living-off-the-land attacks
  • Increases visibility across your environment

For more information, please see VMware Carbon Black Cloud™ Workload and VMware Carbon Black Cloud Workload Release Notes. 


October 26, 2020

 

Release calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ October 26
https://defense.conferdeploy.net October 26
https://defense-prod05.conferdeploy.net October 26
https://defense-eu.conferdeploy.net October 26
https://defense-prodnrt.conferdeploy.net/ October 26

 

Carbon Black Cloud
 
Policy page update
 

The policy page was recently updated to accommodate paths that contain commas. Therefore, commas are no longer used as path separators in the text box. New lines will be used instead.


October 14, 2020

 

Release calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ October 14
https://defense.conferdeploy.net October 15
https://defense-prod05.conferdeploy.net October 15
https://defense-eu.conferdeploy.net October 15
https://defense-prodnrt.conferdeploy.net/ October 15

 

Carbon Black Cloud
 
Event Forwarder filtering
 

Newly added filters enable defined datasets to be exported and integrated into other systems and tools. By using these filters, you can:

  • Reduce the volume of data that is transported through the Event Forwarder to your S3 bucket.
  • Be more prescriptive about the context that you pull from the Carbon Black Cloud.
  • Create multiple Event Forwarders to achieve more advanced use cases.

Carbon Black Cloud customers who use the Event Forwarder can now filter the endpoint.event dataset on Event Origin, Event Type, Alert ID, and/or Sensor Action. For complete documentation, see the Carbon Black Cloud Event Forwarder page on the VMware Carbon Black Developer Network.

Platform search API

The Platform Search API and documentation are now available. Major changes include the following:

Expanding support of our SaaS-native Search API that is used in Enterprise EDR to include Endpoint Standard customers who are on the Unified Platform Experience.

Adding Developer Network documentation in the Platform APIs category. This refreshed and expanded documentation covers:

Expanded documentation of all request and response fields for each endpoint in the Processes and Enriched Events categories, as well as rich examples.

Expanded documentation for every available search field, specifying which fields are searchable, which fields can be returned from specific API endpoints, the complete list of possible values for each enum field, and which sensor versions and products are required (for those fields that are limited to specific products or sensors).

Preview for three new additions to the Platform Search API:

Process Details — returns all available data about one or more specified processes on your managed assets.

Enriched Event Details — returns all available data about one or more specified events on your managed assets.

V2 of the Summary endpoint — improved fidelity of returned data that includes the ability to narrow your request to specific time ranges.

MITRE TID mapping updates
 

MITRE officially released version 7 of their ATT&CK Framework in July 2020, which included support for sub-techniques. Our threat research team has been working diligently to update our in-product mappings to this new format, so that organizations using MITRE can easily map events in their Carbon Black Cloud solutions to the updated framework. We are happy to announce that the following products are now mapped to these new MITRE ATT&CK technique IDs:

Enterprise EDR

Endpoint Standard

For more context from MITRE on why this change was necessary, exact details of the changes, and a comprehensive definition of sub-techniques, see the following detailed blog post from the MITRE ATT&CK team:  https://medium.com/mitre-attack/attack-with-sub-techniques-is-now-just-attack-8fc20997d8de

Retention policy change
 

Updated October 20, 2020

A scheduled config change was released to update our retention policy for notification data downloaded using the API endpoint /integrationServices/v3/notifications.

Notifications provide a queue of recent alerts; to ensure continued reliability and scale, the Notifications will now age out after one week. Customers using this endpoint must poll frequently enough to retrieve their notifications within that window, or utilize one of the other mechanisms available to retrieve this data.

Use the Event Forwarder to stream alerts to your own S3 bucket, where you can control retention.

Use the Alerts v6 API to search up to 180 days of historical alert data.

See the following:

 
developer.carbonblack.com
Partner Portal

Endpoint Standard

 
Efficacy improvements
 

This section of the release notes highlights enhancements that Carbon Black is making to prevention policies. These proactively strengthen our defenses based on recent threat intelligence, and deliver a better user and product experience.

In this release, we’ve made several updates to our detection/alerting processes to reduce the number of false positive alerts that standard business applications and processes generate. These changes should reduce the number of alerts that you receive, thereby allowing you to focus your security resources on priority threats. These updates include improved analytics logic to reduce alert volume that is associated with frequent, benign behaviors from the following:

IT tools that are commonly leveraged on the Windows operating system.

Remote support software from certain hardware vendors.

Software that simplifies non-persistent (VDI) Windows computing environments.


October 12, 2020

 

Enterprise EDR
 
Individual Investigate links for each query in a Watchlist IOC
 

It is possible (although not recommended) to create a single IOC in a Watchlist Report that contains multiple comma-separated queries.

The Watchlist Report page previously provided one Investigate link that searched on the first query. This page will now separate out the queries in a single IOC and provide an Investigate button for each query.

For example:
[Screenshot: Multi-query IOC.png]

 


September 28, 2020

 

Enterprise EDR
 
New proxy connection data
 

This feature is available for Carbon Black Cloud Windows sensors version 3.6 or later.

Where an unencrypted HTTP proxy is explicitly configured on a Windows endpoint, two additional sets of data appear on the Process Analysis page:

The IP address and port of the intermediary device (proxy server)

Subsequent netconn connections to proxied destinations

In the following example, the first event is a traditional netconn event type, followed by proxied requests that are routed through the HTTP intermediary. These are classified as netconn_proxy event types.
[Screenshot: Netconn_proxy events.png]

Note: This mechanism does not always detect a proxy server, but will sometimes detect another form of HTTP-intercepting intermediary network device.

This reporting mechanism interprets specific HTTP headers to report new data when certain combinations of httpRequest and httpHost headers are detected; that is, only when the httpHost header is populated AND only when the httpRequest is an absolute URI.

For example, "httpRequest": "GET / HTTP/1.1" is reported as a traditional netconn. However, "httpRequest": "GET https://carbonblack.com HTTP/1.1" will now be reported using the new mechanism.

Support does not extend to encrypted proxy servers (e.g. proxy servers that use the HTTPS protocol), or to transparent proxies (devices that transparently redirect requests to external destinations).

New search fields
 

The following fields are now available for searching on the Process Analysis page search bar:

netconn_proxy_port

netconn_proxy_ipv4

netconn_proxy_ipv6

netconn_proxy_domain

The netconn_proxy_domain field is also returned in the /events/{process_guid}/_search response when reported by the Windows 3.6 sensor. 


September 21, 2020

 

Release calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ September 21
https://defense.conferdeploy.net September 22
https://defense-prod05.conferdeploy.net September 22
https://defense-eu.conferdeploy.net September 22
https://defense-prodnrt.conferdeploy.net/ September 22
 
Filter alert searches by last_update_time
 

API users can now filter alert searches by last_update_time. New integrations with the alerts API can take advantage of this filtering option to query alerts within a given time range. The last_update_time represents when the alert is made available to the console and API, and is a reliable way to capture all alerts in the system.
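The notification retention change (October 14 notes: notifications age out after one week) and the last_update_time filter above both come down to the same integration pattern: poll with a time cursor, re-read a small overlap so records sharing a timestamp are not skipped, de-duplicate, and notice when the poller has been idle longer than the retention window. The following Python example is added here and is not Carbon Black's own client code; the alert source is a constructed in-memory list standing in for the API, and the record fields id and last_update_time and the one-second overlap are assumptions made for the illustration.

```python
"""Poll alerts with a cursor on last_update_time and de-duplicate re-reads.

Added example; not Carbon Black's own client code. The alert source is a
constructed in-memory list standing in for the Alerts/Notifications API, and
the record shape ({"id", "last_update_time"}) is assumed for the illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Notifications age out after one week (from the release note).
RETENTION = timedelta(days=7)
# Re-read a small overlap so records whose last_update_time equals the previous
# cursor are not skipped when several alerts share a timestamp (assumed value).
OVERLAP = timedelta(seconds=1)

Source = Callable[[datetime, datetime], Iterable[Dict]]


class AlertPoller:
    def __init__(self, source: Source, start: datetime) -> None:
        self.source = source
        self.cursor = start
        # Keyed on (id, last_update_time): a genuine update to an alert is
        # delivered once more, while overlap re-reads of the same record are dropped.
        self.seen: Set[Tuple[str, datetime]] = set()

    def poll(self, now: datetime) -> List[Dict]:
        """Fetch everything updated in [cursor - OVERLAP, now] and return only
        records not delivered before. The cursor then advances to `now`."""
        since = self.cursor - OVERLAP
        fresh: List[Dict] = []
        for alert in sorted(self.source(since, now), key=lambda a: a["last_update_time"]):
            key = (alert["id"], alert["last_update_time"])
            if key in self.seen:
                continue
            self.seen.add(key)
            fresh.append(alert)
        self.cursor = now
        return fresh

    def coverage_gap(self, now: datetime) -> bool:
        """True when the poller has been idle longer than the retention window,
        meaning queued notifications may already have aged out unseen."""
        return now - self.cursor > RETENTION


def make_source(alerts: List[Dict]) -> Source:
    """Constructed stand-in for the API: inclusive range filter on last_update_time."""
    def source(since: datetime, until: datetime) -> Iterable[Dict]:
        return [a for a in alerts if since <= a["last_update_time"] <= until]
    return source


# Constructed sample data (not real alerts).
T0 = datetime(2020, 9, 21, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"id": "A1", "last_update_time": T0 + timedelta(hours=1)},
    {"id": "A2", "last_update_time": T0 + timedelta(hours=2)},
    {"id": "A3", "last_update_time": T0 + timedelta(hours=2)},  # same timestamp as A2
    {"id": "A2", "last_update_time": T0 + timedelta(hours=3)},  # A2 updated later
    {"id": "A4", "last_update_time": T0 + timedelta(hours=5)},
]


def run_demo() -> Tuple[List[str], List[str], bool]:
    """Two polls over the sample, then a gap check after a long idle period."""
    poller = AlertPoller(make_source(SAMPLE_ALERTS), start=T0)
    first = [a["id"] for a in poller.poll(T0 + timedelta(hours=2))]
    second = [a["id"] for a in poller.poll(T0 + timedelta(hours=5))]
    gap = poller.coverage_gap(T0 + timedelta(hours=5) + RETENTION + timedelta(days=1))
    return first, second, gap


if __name__ == "__main__":
    print(run_demo())
```

The second poll re-reads A2 and A3 at the overlap boundary and drops them, but still delivers the later update to A2 because its last_update_time changed; that is why the de-duplication key includes the timestamp rather than the id alone.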

 

August 31, 2020

 

Carbon Black Cloud
 
Updated training URL
 

VMware Carbon Black Training is migrating to VMware systems to provide a consistent education experience for all VMware customers, partners, and employees. We are happy to bring you the VMware Carbon Black Cloud Fundamentals course delivered through the VMware Learning Zone. The VMware Learning Zone is your single source for digital training from VMware. 24/7 access to training delivered by top VMware experts and Certified Instructors lets you learn when, where, and how you want. Creating a free basic account grants you access to the VMware Carbon Black Cloud Fundamentals along with many additional VMware courses.

Click Training in the Help menu to go to the VMware on-demand learning site: https://vmwarelearningzone.vmware.com/oltpublish/site/program.do?dispatch=showCourseSession&id=1da8e813-c2c4-11ea-9f48-0cc47adeb5f8. 


 

Endpoint Standard
 
New search fields enabled with the Windows 3.6 sensor
 

The following search fields have been added only for Endpoint Standard customers who have migrated to the new Unified Platform Experience.

The new search fields require the Windows 3.6 sensor or later to generate the underlying data. These fields are searchable on the Investigate page (and the related Enriched Events search API endpoints), on the Process Analysis page, and in the related Events search API endpoint:

scriptload_content - Deobfuscated script content loaded from the filesystem at launch of the process. Can be string, binary or raw executable image. Compare with fileless_scriptload_cmdline, process_loaded_script_name. Tokenized. Requires Windows 10/Server version 1703 or later (see https://community.carbonblack.com/t5/Knowledge-Base/Enterprise-EDR-What-Version-of-the-Sensor-Supports-AMSI/ta-p/89882).

scriptload_content_length - Size in number of characters of the deobfuscated script content loaded from the filesystem. Compare with fileless_scriptload_cmdline_length. Requires Windows 10/Server version 1703 or later (see https://community.carbonblack.com/t5/Knowledge-Base/Enterprise-EDR-What-Version-of-the-Sensor-Supports-AMSI/ta-p/89882).

AMSI Prevention and visibility 

VMware Carbon Black Cloud has extended its default prevention capabilities for script-based Windows attacks, built on Microsoft Anti-Malware Scan Interface (AMSI). The extension of the AMSI integration expands on existing PowerShell preventions at a base prevention layer. It adds protection to all Endpoint Standard customers who are running the Windows 3.6 sensor.

This release includes the ability for the sensor to dynamically leverage AMSI metadata to define and configure prevention logic. These updated high-fidelity prevention rules are crafted by VMware Carbon Black's Threat Analysis Unit to include frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks.

As a result of these new prevention rules on Windows 3.6 sensors and above, a user in the console might see an alert that reads:

The application [name] ran a script that attempted to execute content identified as known malware. The script contained an attacker toolkit. A Deny policy action was applied.

Endpoint Standard customers on the new Unified Platform Experience 

Alert Triage for these alerts is not supported. To view additional alert details:

Endpoint Standard customers on the Unified Platform Experience should use the Investigate page.

Endpoint Standard + Enterprise EDR customers should use the Investigate or Process Analysis page.

Endpoint Standard customers not on the Unified Platform Experience

Investigate, Process Analysis, and Alert Triage are not supported on these alerts until you move to the Unified Platform Experience.

For more information on the Unified Platform Experience, see this post.

Full exposure of PowerShell scripts

We are releasing a new feature to help you better understand PowerShell executions. By using a program analysis of PowerShell script content, we can translate obfuscated content that is commonly seen in malicious scripts into an easy-to-read and understandable format. You can quickly translate the exact script contents in the Investigate page. Click the translate button to see the entire decoded script together with an assigned risk score.
[Screenshot: Process click button.png]

The VMware Carbon Black Cloud console has also added improved readability of these scripts through syntax highlighting. The highlighting makes it easier to scan for string content versus PowerShell cmdlets and function calls.

This feature is available anywhere that a PowerShell command line is visible in the console.


Enterprise EDR

 
New search fields enabled with the Windows 3.6 sensor
 

The following search fields have been added for Enterprise EDR customers, all of which require the Windows 3.6 sensor to generate the underlying data. These fields are searchable on the Investigate page (and in the related Processes and Enriched Events search API endpoints) but are not returned or displayed:

netconn_proxy_domain - Domain name (FQDN) associated with the remote side of an intermediary HTTP network device, usually a proxy server. Tokenized. 

netconn_proxy_ipv4 - IPv4 address of the remote side of an intermediary HTTP network device, usually a proxy server. Stored as an integer, not as dotted decimal. 

netconn_proxy_ipv6 - IPv6 address of the remote side of an intermediary HTTP network device, usually a proxy server. Stored as a string without octet-separating colon characters. 

netconn_proxy_port - TCP or UDP port used by the remote side of an intermediary HTTP network device, usually a proxy server.
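The proxy rule from the September 28 notes (a request is reported as proxied only when the httpHost header is populated and the httpRequest target is an absolute URI) and the storage formats of the netconn_proxy_* fields listed above, worked through in one added Python example. This is not Carbon Black's sensor or search code: the request classifier and the field encoder are my own, the sample request lines and addresses are constructed, and the zero-padded, colon-less hex form for IPv6 is an assumption drawn from the field description (only the integer form for IPv4 is stated on the page).

```python
"""Classify an HTTP request seen on the wire as a direct or proxied netconn, and
encode the proxy's address the way the netconn_proxy_* search fields store it.

Added example; not Carbon Black's sensor code. The classification rule is the one
the release note states: proxied only when the Host header is populated AND the
request target is an absolute URI. The IPv4 integer form follows the field
description; the zero-padded, colon-less hex form for IPv6 is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Union
from urllib.parse import urlsplit


@dataclass
class Netconn:
    event_type: str            # "netconn" or "netconn_proxy"
    peer_ip: str               # socket peer: the intermediary when proxied
    peer_port: int
    dest_host: Optional[str]   # proxied destination taken from the absolute URI, else None


def classify(http_request: str, http_host: str, peer_ip: str, peer_port: int) -> Netconn:
    """Apply the absolute-URI + populated-Host rule to one request line and Host header."""
    parts = http_request.split()
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {http_request!r}")
    target = parts[1]
    url = urlsplit(target)
    # "GET / HTTP/1.1" has neither scheme nor netloc; "GET https://host HTTP/1.1" has both.
    # An authority-form target (e.g. "CONNECT host:443") is not an absolute URI and so
    # stays a plain netconn in this example, matching the note that encrypted
    # (HTTPS) proxying is not covered.
    if http_host and url.scheme in ("http", "https") and url.netloc:
        return Netconn("netconn_proxy", peer_ip, peer_port, url.hostname)
    return Netconn("netconn", peer_ip, peer_port, None)


def encode_proxy_fields(proxy_ip: str, proxy_port: int) -> Dict[str, Union[int, str]]:
    """Values to search on for the proxy: IPv4 as an integer, IPv6 as hex without colons."""
    addr = ipaddress.ip_address(proxy_ip)
    if addr.version == 4:
        # Stated on the page: stored as an integer, not dotted decimal.
        return {"netconn_proxy_ipv4": int(addr), "netconn_proxy_port": proxy_port}
    # Assumption: fully expanded (zero-padded) groups with the colons removed.
    return {"netconn_proxy_ipv6": addr.exploded.replace(":", ""),
            "netconn_proxy_port": proxy_port}


if __name__ == "__main__":
    # Constructed sample: a proxy at 10.1.2.3:3128 carrying a request for carbonblack.com.
    print(classify("GET / HTTP/1.1", "carbonblack.com", "10.1.2.3", 3128))
    print(classify("GET https://carbonblack.com HTTP/1.1", "carbonblack.com", "10.1.2.3", 3128))
    print(encode_proxy_fields("10.1.2.3", 3128))
    print(encode_proxy_fields("2001:db8::1", 3128))
```

When building a search from an address you have in dotted-decimal form, run it through encode_proxy_fields first; a search such as netconn_proxy_ipv4:10.1.2.3 would not match the integer the field actually stores.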


August 21, 2020

 

Enterprise EDR
 
Upgraded Search Experience - retired message
 

Now that you have been introduced to the upgraded Search Experience, we have removed that notice from the Investigate page.
[Screenshot: Search experience message.png]

 


August 17, 2020

 

Release calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ August 17
https://defense.conferdeploy.net August 18
https://defense-prod05.conferdeploy.net August 18
https://defense-eu.conferdeploy.net August 18
https://defense-prodnrt.conferdeploy.net/ August 18
https://defense-prodsyd.conferdeploy.net/ August 17

Carbon Black Cloud

Update up to 10,000 sensors at a time

On the Endpoints page, select at least one device and then click Take Action > Update sensors. A radio button titled Update all devices matching search allows you to target up to 10,000 sensors for a single update.

[Screenshot: Update 10k sensors.png]

Sensor update status

On the Endpoints page, the Sensor Update Status tab displays the most recent 200 sensor updates.
[Screenshot: Sensor Update Status 1.png]

In the Actions column of the Sensor Update Status tab, you can stop incomplete sensor update processes, including Pending or Processing. After an update status is Completed, you can export the results via a csv file.
[Screenshot: Sensor Update Status 2.png]

When a sensor update status displays Completed, a hyperlinked count in the Updated column opens a new browser tab to the Endpoints page, where the sensors that successfully updated display. If any sensors did not update, a hyperlinked count under the Errors column shows the sensors that did not update, and the Sensor Update Status tab displays the reason.

If the Updated or Errors sensor count is greater than 500, the hyperlink is disabled, and only the Export option is available under the Actions column. The Export action generates and downloads a csv file with the Updated or Errors count details.

[Screenshot: Sensor Update Status 3.png]

 


August 3, 2020

 

Carbon Black Cloud
 
Dashboard export improvements
 

In all Carbon Black Cloud products, you can now export larger volumes of data using the Export All button on the dashboard (EA-14505/EA-13452/DSER-16563). The CSV files are generated asynchronously and are then available for download in the Notifications menu.
[Screenshot: export request.png]


Enterprise EDR 

 

Improved signature data

We’ve enhanced the available signature data during investigations. On the Alerts, Investigate and Process Analysis pages, we now display four fields that are derived from the digital signature metadata attached to the binary file: Signed, Product, CA and Publisher. The locations include:

Investigate - process in the right pane

Process Analysis - right pane

Process Analysis - expanded details for certain events

For example, the data on the Process Analysis page appears here:
[Screenshot: Improved signature data.png]

These fields are populated with data from the Carbon Black Cloud Unified Binary Store (UBS) API, which is documented here:
https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/universal-binary-store-api/

Known limitation: Endpoint Standard-only customers will continue to see signature data that is available via the existing API. This is also true for current Linux and macOS sensors that do not currently support UBS.

Binary Details page enabled for all Enterprise EDR customers

To enhance visibility into binary metadata, we enabled the Binary Details page for all Enterprise EDR customers, regardless of whether they have opted in to binary uploads on the Policies page. The Binary Details page is already linked for enabled customers from the following locations:

Alerts page - right pane (Process)

Investigate page - right pane (Parent Process, Process, Child Process)

Process Analysis page updated to use v2 /events/ API endpoints

We have updated the Process Analysis page to use the latest version of the /events/ API endpoints, including the Get Events Facet Associated with a Given Process endpoint and the Get Events Associated with a Given Process endpoint. The results of the Process Analysis page are unchanged.

July 21, 2020

 

Carbon Black Cloud
 
Updates to threat hunting permissions
 

The following changes to permissions in the Roles pages help unify the Endpoint Standard and Enterprise EDR product experience.

The following permissions have been moved from the Threat Hunting category to Custom Detections:

Threat Hunting permission name -> Custom Detections permission name
Manage Third Party Watchlists -> Manage Watchlist Feeds
View Third Party Watchlists -> View Watchlist Feeds
Manage Watchlists -> Manage Watchlists
View Watchlists -> View Watchlists

 

We consolidated redundant permissions from the Threat Hunting category into the Investigate category's Conduct Investigations permission:

Manage events

View events

Existing and custom roles are preserved. The Threat Hunting category has been removed, but its previously held permissions remain.


Enterprise EDR 

 

Investigate page adds placeholders to Filters

Until the first results are returned after a user submits a search request on the Investigate page, the console now displays placeholders in the Filters section.

[Screenshot: DSER-21401 filter skeletons.png]

 


July 16, 2020 - updated July 22, 2020

 

Release calendar

The following table provides a general timeline for when you can expect to see these changes in the VMware Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ July 16
https://defense.conferdeploy.net July 20
https://defense-prod05.conferdeploy.net July 20
https://defense-eu.conferdeploy.net July 20
https://defense-prodnrt.conferdeploy.net/ July 16

Carbon Black Cloud

Remediation suggestions for Alerts

A new Remediation section is available on the Alerts page. Click the > next to the alert to open the right panel and view potential remediation actions for detections, preventions, and watchlist hits, based on your permission level. This capability is available to Enterprise EDR, Endpoint Standard with Enterprise EDR, and Endpoint Standard customers with the new unified platform experience.
[Screenshot: remediation.png]

 

Notification rules alert severity

Alert severity is now available when configuring a notification rule to improve your ability to manage notifications.

Existing notification rules of type "Alert includes specific TTPs" or "Policy action is enforced" will default to an alert severity of 1 if no other severity is specified. All other notification types remain unchanged.
[Screenshot: Notification Rules.png]

Enabled products are viewable in the console

The dropdown that displays the currently logged-in user now displays the enabled products in the organization. The dropdown includes references to Endpoint Standard, Enterprise EDR, Audit and Remediation, and Managed Detection.
[Screenshot: skus enabled.png]

If a product is enabled, a green Enabled tag displays next to the product name. You can click a product name to learn more about that solution on the VMware Carbon Black website.


Enterprise EDR

Shareable Investigate page search result URLs

The Investigate page URL for Enterprise EDR now continuously synchronizes with the current state of search results that are displayed on the page. Any time that you submit a new or edited search, the page will update the URL in the browser address bar.

You can copy the URL and send it to colleagues to perform the same search from their client. This capability improves the clarity of investigations and reduces time to resolution among multiple investigators.


July 6, 2020
 

Carbon Black Cloud

Filter counts added


On pages that provide lists of selectable filters (also known as facets), a count shows how many unique facet entries are available for the currently-displayed results.

This is seen on:

Alerts page

Investigate page

Live Query page - Query Results

For example:
[Screenshot: Filter counts added - Investigate page.png]

Note: If more filter values are available than the console shows, the count is suffixed with a + symbol.

For example, on the Investigate page, if more than 50 processes are available, you will see Process (50+). That number shrinks as you target your search query.


Audit and Remediation (formerly CB LiveOps)

 

osquery version update

The syntax validator on the SQL tab now uses the osquery schema version 4.1.2, which aligns with the schema versions released in the latest sensors. 

Enterprise EDR (formerly CB ThreatHunter)

 

Simplified search

We have incorporated a significant change to search results, consolidating what were often duplicate results into a single search result per process. This change affects all customers who are subscribed to Enterprise EDR, with or without Endpoint Standard.
 
Search results might look different in:
 

Investigate page – Processes tab

Process Search v2 API

An entry in the Notifications feature and a message in the Results table of the Investigate page direct you to read Simplifying Search at Scale on the Carbon Black Cloud.

Process Search v2 fields that are now multi-valued

For the v2 Process Search API endpoint /api/investigate/v2/orgs/{org_key}/processes/search_jobs, the following fields return as an array instead of as a single-value string:

enriched_event_type

event_type

event_attack_stage

event_threat_score

Known limitations

The process_name field always reports as the filename of the executing binary. This is different from existing behavior where customers that have Endpoint Standard + Enterprise EDR sometimes see that the process name = "filename of the script being executed by a script host".

In edge cases where the sensor reports a different process start timestamp between the Endpoint Standard and Enterprise EDR versions of events, multiple search results can appear in the Investigate search.

In edge cases where the sensor does not report a process start timestamp, VMware Carbon Black Cloud now inserts a timestamp when the event is received by the backend. This can create multiple search results for the same process.

In some cases, duplicate search results occur for the same process from Windows sensors that are older than the 3.3 generation.

There are edge cases when Enriched events have one or more duplicate records.

There are rare cases when counts might vary by 1 when comparing the same search results between tabs under the Enriched Events tab of the Investigate page. This does not mean that any data has been lost; it means that optimization of the indexes has not yet completed. The effect is short-lived and is most likely to affect the most recently received data.

Windows frequently re-uses Process IDs (PIDs). On a Windows endpoint that has significant process create activity, this can lead to two processes that have the same name being reported with the same process ID, with process create times sometimes only a few minutes apart. This can lead to cases where a search for process_name:xxxxx on one device reports two search results with the same process_pid. The only known cases where this is true are due to aggressive process ID re-use.
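Two of the points above matter to anyone consuming the v2 Process Search API programmatically: the four fields that now come back as arrays instead of single strings, and the fact that the same process_pid on one device can legitimately belong to two different processes while true duplicates also occur. The following Python example is added here and is not Carbon Black's own code. It normalizes both field shapes, then separates PID re-use (several process_guid values under one device/PID pair) from duplicate records (the same process_guid more than once). The results are constructed in-line to mimic the API's shape; process_guid, device_id, process_pid and process_name appear in these notes, while process_start_time is an assumed field used only to make the sample readable.

```python
"""Consume Process Search v2 results after the multi-valued field change, and
tell PID re-use apart from true duplicate records.

Added example; not Carbon Black's code. Results are constructed in-line to mimic
the API's shape; process_guid, device_id, process_pid and process_name appear in
the release notes, while process_start_time is assumed here for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Fields that the v2 endpoint now returns as arrays rather than single strings.
MULTI_VALUED = ("enriched_event_type", "event_type", "event_attack_stage", "event_threat_score")


def normalize_result(result: Dict) -> Dict:
    """Coerce the multi-valued fields to lists so that an integration written
    against the old single-string shape works on both old and new results."""
    out = dict(result)
    for field in MULTI_VALUED:
        if field in out and not isinstance(out[field], list):
            out[field] = [out[field]]
    return out


def pid_reuse_cases(results: List[Dict]) -> Dict[Tuple[str, int], List[str]]:
    """Group by (device_id, process_pid); a group holding more than one
    process_guid is the same PID re-used by distinct processes, not a duplicate."""
    guids = defaultdict(set)
    for r in results:
        guids[(r["device_id"], r["process_pid"])].add(r["process_guid"])
    return {k: sorted(v) for k, v in guids.items() if len(v) > 1}


def exact_duplicates(results: List[Dict]) -> List[str]:
    """process_guid values that occur more than once: the records to de-duplicate."""
    counts: Dict[str, int] = defaultdict(int)
    for r in results:
        counts[r["process_guid"]] += 1
    return sorted(g for g, n in counts.items() if n > 1)


# Constructed sample results (not real data). The guid values are placeholders.
SAMPLE_RESULTS = [
    {"process_guid": "DEV1-0000001", "device_id": "dev-1", "process_pid": 4120,
     "process_name": "powershell.exe", "event_type": "netconn",          # old single-string shape
     "process_start_time": "2020-07-06T10:00:00Z"},
    {"process_guid": "DEV1-0000002", "device_id": "dev-1", "process_pid": 4120,
     "process_name": "powershell.exe", "event_type": ["netconn", "filemod"],
     "process_start_time": "2020-07-06T10:03:00Z"},                    # PID re-used minutes later
    {"process_guid": "DEV1-0000002", "device_id": "dev-1", "process_pid": 4120,
     "process_name": "powershell.exe", "event_type": ["netconn", "filemod"],
     "process_start_time": "2020-07-06T10:03:00Z"},                    # duplicate record
]


def run_demo() -> Tuple[List[str], Dict[Tuple[str, int], List[str]], List[str]]:
    """Normalize the sample, then report PID re-use and duplicate records separately."""
    normalized = [normalize_result(r) for r in SAMPLE_RESULTS]
    return normalized[0]["event_type"], pid_reuse_cases(normalized), exact_duplicates(normalized)


if __name__ == "__main__":
    print(run_demo())
```

The practical rule this illustrates: key your own correlation on process_guid, never on (device, PID), and collapse records only when the guid repeats.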


June 22, 2020
 

Enterprise EDR (formerly CB ThreatHunter)

New Alerts page experience

Enterprise EDR customers can now benefit from a unified experience across the Alerts and Investigate pages. This design makes it easier to search your entire environment to quickly identify potentially malicious behaviors.

Improved Search
[Screenshot: process_name.png]

Easy and Advanced Search are replaced with a single, improved search experience, similar to the Investigate page.

Search Suggestions provide formatting help, with descriptions of each search value.

Search Fields are standardized to a single, easy-to-use syntax.

Embedded Search Guide is now available inside the console.

Favorite Searches are available user- or organization-wide for frequently reused search queries.

Alert details

[Screenshot: amsi.png]

Previously, alert details appeared at the top of the pages and associated TTPs appeared when the row was expanded. Now, all alert details are available in this single right panel view. The following cards are available in the right panel:

Alert Details: Contains more context about the alert. Navigate to Alert Triage, Process Analysis, or Investigate, or take action on the alert, process, or device by clicking on the arrow in the top right.

Process: Formerly known as Application, this process card contains information about the primary process that is associated with the alert. Click the arrow in the top right to take action on the process or device.

Involved Processes: When multiple processes are associated with an alert, view the full list of additional processes together with their TTPs. Click the hyperlinked process name to search by device id, alert id, and SHA-256 on the Investigate page.

Device: Quickly view preliminary device details. Click the arrow in the top right to take action on the device.

Notes and Tags: Add a note or a tag for easy filtering.

Export enriched events and processes 

You can now export a CSV-formatted data set directly from the Investigate page from the Processes tab or Enriched Events tab (Endpoint Standard + Enterprise EDR).
[Screenshot: investigate export.png]

The time to generate the file varies depending on the size of the export. When the file is available, you will receive a notification to download it.
[Screenshot: export request modal.png]

 


June 11, 2020
 

Audit and Remediation (formerly CB LiveOps)

Dell SafeBIOS Recommended Query

Using Live Query, you can now query your entire fleet of Dell Trusted Devices to report on the SafeBIOS verification status. This allows you to extend your visibility below the OS to detect sophisticated attacks that tamper with the firmware of a device.
 
Navigate to the Live Query > New Query > Recommended tab and type “Dell SafeBIOS” in the search bar. Click Run to query all Windows endpoints, or click Schedule to automatically run this query on a daily, weekly or monthly cadence.
 
This query runs on supported Dell platforms (Latitude, OptiPlex, Precision, and select XPS models) that are running Windows 10 with the Dell Trusted Device installed. For more information on the supported platforms and installation steps of the Dell Trusted Device, please see the Dell Trusted Device and Administrator Guide.
 
The query will return “matched” on Dell devices only. All other devices return as “not_matched”. The query will return a number of valuable columns - most importantly, the BIOS_VERIFICATION_STATUS:
 

Passed - Verification passed. The local BIOS passed verification against a known-good Dell BIOS.

Failed - Verification failed. The local BIOS failed verification against a known-good Dell BIOS.

Not Available - See the Dell troubleshooting documentation.

Other columns provide information about whether the Dell Trusted Device agent is installed, the version number, the hardware model of the endpoint, and the last run time of the Dell Trusted Device agent. For more information about this query and the Dell partnership, visit the User Exchange.

Dell SafeBIOS - BIOS image capture script

To provide additional visibility and remediation capabilities for BIOS firmware attacks, a Live Response script on our GitHub allows an administrator to capture the BIOS image when SafeBIOS verification returns a “Failed” result. We recommend that you perform further investigation in the case of BIOS failure. This script will help you and your team perform forensic analysis. For access to the script and more information about how to run it, please visit our GitHub.


May 26, 2020
 

Audit and Remediation (formerly CB LiveOps)

Consistency enhancements

On the individual Query Results page, we have updated the progress bar to match the Query Results table, added a Live Response link to the rows in the Devices tab, and updated the design of the icons and content for the query status.
 
We updated the clear search functionality on various Live Query pages to match the rest of the product, and we updated the ordering of the form fields in the Schedule window and the SQL Query tab for ease of use.
 

 

May 20, 2020
 
Release calendar

The following table provides a general timeline for when you can expect to see these changes in the Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ May 20
https://defense.conferdeploy.net May 20
https://defense-prod05.conferdeploy.net May 21
https://defense-eu.conferdeploy.net May 21
https://defense-prodnrt.conferdeploy.net/ May 21

Endpoint Standard (formerly CB Defense)

Improved technique identifier experience 

To improve the clarity and distinction of Carbon Black TTPs from MITRE TIDs, Carbon Black TTP identifiers appear on the line below the process name and the MITRE TIDs appear on a separate line, making it easier to view them together.
[Screenshot: TTPs_TIDs.png]

 


Audit and Remediation (formerly CB LiveOps)

Improvements to CSV Export for large results sets

You can now track export progress of Live Query results and download the CSV on-demand after it has been exported. This feature is currently available via API only.
 
Previously, when a Live Query result set was exceptionally large (millions of results), the export process could take minutes. Instead of issuing an export request and waiting while the CSV is exported, the export request now starts an asynchronous running job, and you can issue additional requests to give you a progress update on the export. See our Developer Relations site.
 
Improved filters
 
We have updated the filters on the individual query results pages to match the filters elsewhere in the platform. These filters now include a search bar for each filter (where applicable) to easily find filter options.
[Screenshot: ResultsTab.png]

[Screenshot: Devices.png]

 


May 11, 2020
 

VMware Carbon Black Cloud

Japanese translation

Japanese Translation is out of Beta and is refreshed with the latest translation. The User Guide, in-product menus, headers, and labels are available in Japanese via the Language menu or when signing in.
[Screenshot: language.png]

 

[Screenshot: sign in.png]

 

Improvements to the Sensor Kit Download Window

We have improved the content and layout of the Sensor Kit Download window on the Endpoints page. We have added easy access to the Sensor Release Notes, Sensor Installation Guide, and Supported Operating Systems pages. We provide additional OS version information in the OS column, and have added download buttons for each OS.
[Screenshot: SENSOR_KIT_MODAL.png]

 

 


 

Audit and Remediation (formerly CB LiveOps)

Improved layout for query building page

We updated the layout of the schedule modal on both the Recommended and SQL Query tabs to be consistent and clear by adding headers and changing other minor elements.

We have made it clearer what parts of the form are required for submission. You are now required to enter a name for your query on the SQL Query tab.

Removed the Windows CryptoAPI Spoofing Recommended Query

We have officially removed the query called “Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)” from the console. For more information about why and how we are continuing to keep the catalog current and relevant, please read this UEX post.


April 27, 2020
 

VMware Carbon Black Cloud

Filtered sub-tabs in Events tab on Investigate page

For customers who have both Endpoint Standard and Enterprise EDR, we are introducing three new sub-tabs to the Enriched Events tab on the Investigate page:

Applications

Devices

Network

These new sub-tabs provide easy access to the most common views of your endpoint event data.

Applications shows the most prevalent applications across all devices.

Devices shows the devices and how many events have been reported on each.

Network shows a detailed breakdown of relevant network metadata of all netconns.

Improved content on the API access page

The API access page content is improved. We have replaced the Export button with an API Integration and Documentation button to better reflect its functionality.


We expanded the content in the API and Integration Documentation window to better assist you with API integrations. It includes various links and documentation about integrations.

Operating system selection on the Endpoints page

You can filter endpoints by operating system (Windows, macOS, and Linux). Click the OS dropdown menu and select the endpoints to view.

 


Audit and Remediation (formerly CB LiveOps)

Improved Query Result page

Based on customer feedback, we have redesigned the One-Time and Scheduled tabs to make it easier to understand the status of your queries. We have improved the readability of the Query Name column. 

 

To provide clarity, we have separated the overall query status from the device's response.

 


Enterprise EDR (formerly CB ThreatHunter)

 

Changes to Watchlist hit counts

When reviewing the events captured by watchlists, Enterprise EDR previously displayed each individual recorded hit.

We simplified the Watchlists page to show a summary of each of the processes that resulted in one or more hits. We clarified the text on the page:
 

Renamed Hits tab to Processes

Updated the results counter from ### results to ### processes with hits

For example, when Chrome is running and making many connections to Google.com, a watchlist searching on netconn_domain:google.com will generate many hits, but only one process with hits.

We have added a PID column to the Results table to make it easier to distinguish two or more records that have the same Report and Process names. The console now reports the data as Processes.
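The processes-with-hits summary described above, as an added example (not Carbon Black code) over constructed hit records: many hits from one Chrome process collapse into a single row, and the PID separates two Chrome processes whose Report and Process names are identical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WatchlistHit:
    """One recorded watchlist hit (constructed shape, not the real record format)."""
    report: str        # watchlist report that matched
    process_name: str  # process that produced the hit
    pid: int           # process id, needed to tell same-named processes apart
    matched: str       # the matched value, e.g. a netconn_domain


# Constructed sample data: Chrome (PID 4120) connects to google.com repeatedly,
# a second Chrome (PID 7788) connects once, and an unrelated process hits once.
SAMPLE_HITS = [
    WatchlistHit("Suspicious Domain", "chrome.exe", 4120, "google.com"),
    WatchlistHit("Suspicious Domain", "chrome.exe", 4120, "google.com"),
    WatchlistHit("Suspicious Domain", "chrome.exe", 4120, "google.com"),
    WatchlistHit("Suspicious Domain", "chrome.exe", 7788, "google.com"),
    WatchlistHit("Suspicious Domain", "powershell.exe", 512, "google.com"),
]


def processes_with_hits(hits):
    """Collapse individual hits into one row per (report, process name, PID),
    keeping the hit count so the analyst can still see how noisy a process was."""
    counts = defaultdict(int)
    for h in hits:
        counts[(h.report, h.process_name, h.pid)] += 1
    return [
        {"report": report, "process": name, "pid": pid, "hits": n}
        for (report, name, pid), n in sorted(counts.items())
    ]


def summarize(hits):
    """Return both counters: raw hits (old '### results') and processes with hits."""
    rows = processes_with_hits(hits)
    return {"hits": len(hits), "processes_with_hits": len(rows), "rows": rows}


if __name__ == "__main__":
    summary = summarize(SAMPLE_HITS)
    print(f"{summary['hits']} hits -> {summary['processes_with_hits']} processes with hits")
    for row in summary["rows"]:
        print(row)
```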

 

Improved support for fields in Investigate searches

In organizations that use Enterprise EDR watchlists, certain Investigate searches that included the following fields sometimes produced false positive or false negative search results. This is corrected. Searches that previously required a -watchlist_id:* clause (note the "-" prefix) no longer need it.

"scriptload_count"

"device_policy"

"device_group_id"

"process_service_name"

"device_policy_id"

"parent_publisher_state"

"process_company_name"

"process_cmdline_length"

"process_internal_name"

"parent_cmdline_length"

"parent_cmdline"

"device_os_version"

"process_publisher"

"process_publisher_state"

"process_product_version"

"process_original_filename"

"process_file_description"

"process_product_name"

"parent_name"

"process_cmdline"

"process_elevated"

"process_integrity_level"

"process_privileges" 


April 22, 2020
 
Release calendar

The following table provides a general timeline for when you can expect to see these changes in the Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ April 22
https://defense.conferdeploy.net April 22
https://defense-prod05.conferdeploy.net April 23
https://defense-eu.conferdeploy.net April 23
https://defense-prodnrt.conferdeploy.net/ April 23

 

VMware Carbon Black Cloud

Table column customization

With this release, you can configure which table columns to view across all tables in the Carbon Black Cloud console. You can hide specific columns and customize the order of columns to fit your workflow and maximize screen space.


Audit and Remediation (formerly CB LiveOps)

Access all actions across pages

You can now access all query actions across both the Query Results > One-Time tab and the individual Query Results page. Rather than requiring users to stop and then delete a query using the functionality across multiple pages, you can now delete a query in progress from either page.
 


We have added confirmation for both the Stop and Delete actions on both pages.


Enterprise EDR (formerly CB ThreatHunter)

 

Investigate page updates

Alert severity indicators
 
For customers who are using both Endpoint Standard and Enterprise EDR together, a color bar along the left of the row for events and processes indicates whether the row is associated with an alert. The color bar from the Type column has been removed for clarity.

 

Badge improvements
 
For customers who are using both Endpoint Standard and Enterprise EDR together, text badges are added to the events and processes table to indicate whether the row is associated with an analytics alert, watchlist hit, watchlist alert, or if a policy was applied or denied.

 

For analytics alerts, watchlist hits, and watchlist alerts, users can click the badge to see details of the latest, highest-severity alert or hit that is associated with the row. You can quickly search to see all alerts or hits that are associated with that row.

 

File modification card improvements

To help minimize the length of investigations, Reputation and Signed By details are added to the Filemod card. Cards in the details view are now expanded to display all relevant context by default.

 

 


April 9, 2020
 

VMware Carbon Black Cloud

Updated End User Licensing Agreement (EULA)

We have updated our end user licensing agreement. Upon signing in, all users will be prompted to review and agree to the new agreement before continuing on to the product. You can find our updated policy here.

 


Endpoint Standard (formerly CB Defense)

Malware protection for Linux

Malware prevention for Linux machines in our Endpoint Standard solution starts on April 1, 2020. Initial distribution support includes Red Hat/RHEL and CentOS 6/7.
 
This release includes the following features:

Malware prevention coverage from Linux malware

You can adapt policies for your specific environments (by deny-listing/allow-listing hashes)

View context around blocked and suspected malware (file origination, execution details, etc.)

To add malware coverage for Linux endpoints, contact your Carbon Black representative for help in adding new endpoints to your existing agreement.

Updated messaging

We have updated messaging to make it easier to navigate and differentiate between available Linux features.

In the Send Installation Request window on the Endpoints page, we inform users how to properly install Linux endpoints.

On the Prevention tab on the Policies page, we have included Linux OS icons in the Known malware and Application on the company deny-list rows. Additional messaging signals that Runs or is running is the only option that is available to Linux users.

 


Audit and Remediation (formerly CB LiveOps)

Additional recommended queries

Eight new recommended queries have been crafted by our Threat Analysis Unit (TAU) team:
 

Secure Boot Status

Unusual User Accounts

Blank Passwords Enabled

Root User Shell History

Detect sdelete.exe Execution

macOS LaunchDaemons

Binaries with SUID or SGID Set

Weak Authentication Types (LM/NTLM)

Go to New Query > Recommended to run or schedule these new queries.

Enterprise EDR (formerly CB ThreatHunter)

 

Investigate and Watchlists support trailing wildcard in process_cmdline searches

Previously, searches for process_cmdline fields could operate on the full command line or on fully-specified tokens, but not on substrings of the command line or its tokens.
 
Now, searches on Investigate (and used as IOCs in Watchlists) can use trailing wildcards to specify a process_cmdline substring.
 
For example, you might see that a process is launched with the following command line:
c:\windows\system32\cmd.exe -ver 2.0
 
You could previously search on process_cmdline:system32/cmd.exe\ \-ver\ 2.0. You can now also search on process_cmdline:system32/cmd.exe\ \-ver\ 2.*.
 
 

April 1, 2020
 
Release calendar

The following table provides a general timeline for when you can expect to see these changes in the Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ April 1
https://defense.conferdeploy.net April 2
https://defense-prod05.conferdeploy.net April 6
https://defense-eu.conferdeploy.net April 6
https://defense-prodnrt.conferdeploy.net/ April 6


VMware Carbon Black Cloud

Filter selections persist between tabs on the Investigate page

If you select a filter value and perform a search on the Investigate page, that filter selection is preserved in searches that you perform on other tabs.
 

For example, if you select NETWORK_ACCESS from the TTP filter category on the Enriched Events tab and perform a search, and then switch to the Processes tab and submit a search, the Processes search will also filter on ttp:NETWORK_ACCESS.

This improvement lets you continuously explore specified data. You can expand or narrow a search and compare the summary and detailed views of that data very quickly.

Configurable filters on the Enriched Events tab
 
For customers who are using both Endpoint Standard and Enterprise EDR (formerly CB Defense and CB ThreatHunter), you can configure filters on the Enriched Events tab in addition to the Processes tab. Click Configure (...) to select and customize filter categories.

Endpoint Standard (formerly CB Defense)

Speed investigation of TTPs with new informational windows

This release introduces a new way to access TTP severity, category, and descriptions. You can now click the TTP to access relevant information. Clicking the TTP opens an informational window.

Users can use this new functionality to speed their investigations wherever TTPs appear on the Alerts and Alert Triage pages.

Create_time on alert search API

Alerts v6 Search API now supports sorting by create_time.


Audit and Remediation (formerly CB LiveOps)

SQL syntax assistance

Line numbers and SQL syntax highlighting display in the SQL Query box to improve ease of use and query building.

 

Recommended query for Windows SMBv3 client/server remote code execution vulnerability

A new recommended query for the recent Windows SMBv3 vulnerability (CVE-2020-0796) identifies the following:

If a machine has active SMB shares

If a machine is running an OS version that is impacted by this vulnerability

If the mitigating keys that disable SMBv3 compression are set

If the system is patched

Audit and Remediation customers can quickly quantify the level of impact this vulnerability has in their network. Read more about this vulnerability and our recommendations at CVE-2020-0796 - EternalDarkness (ghostSMB).

Go to New Query > Recommended and search for “SMBv3” to run or schedule this query. 

We have also updated the Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) query to include the latest patches.


Enterprise EDR (formerly CB ThreatHunter)

Collapse nodes on the Process Analysis page

You can collapse nodes on the Process Analysis page based on the hash of the process. This action collapses identical instances of the same process to make it easier to focus on crucial information.

 

Adjustable filters panel

You can adjust the filters panel so that you can fully view items such as long process names.

 

Search suggestion improvements

Search suggestions on the Investigate page are improved: the search bar is more responsive as you type.

Improvements on the Watchlists pages

The Watchlists page (select Watchlists from the Enforce group) now shows the final Hits count more quickly.

When you select a subscribed Watchlist, the page initially displays result placeholders while results are being retrieved.

When selecting a subscribed Watchlist, if there are no hits for the past three days, the Hits tab reports "No hits detected."

To refresh the Hits results for a selected Watchlist, click the Hits tab.


March 2, 2020 

Endpoint Standard (formerly CB Defense)

OS icons on the Policies > Prevention and Sensor tabs

OS icons have been added to the Prevention and Sensor tabs on the Policies page to show which features are available for each operating system. 
 

Audit and Remediation (formerly CB LiveOps)

Improvements to the SQL query building experience

Significant improvements have been made to the SQL Query tab and overall custom query building workflow. These improvements focus on providing the user with additional feedback while building queries, as well as validation to improve overall query quality.

 

Similarly, if you try to submit a query with syntactically incorrect SQL, an error will direct you to the location of the syntax error.

API users will receive more informative messages when writing invalid SQL queries. You can find the full Live Query API documentation on the VMware Carbon Black Developer Relations website.

We have added OS icons next to the query name on the individual Query Results page to clearly show the operating systems with which each query is compatible and on which it is successfully running.

OS icons will not appear for queries written on the SQL Query tab when individual endpoints are selected (via the Endpoints selector). If a query is incompatible with a set of selected endpoints - for example, if you wrote a macOS-only query and sent it to a Windows endpoint - the query is submitted but will not actually run on the Windows endpoints. A status of “Not Supported” is returned.

We have changed the experience after you submit a SQL query. Going forward, the SQL Query form clears and the confirmation notification displays for a longer period. We have added loading states in case of a slow network. When submitting from the Query pop-up window (accessible on the Endpoints page and on the individual Query Result page), the window will close after you submit the query.
 

“Copy (SQL)” is now “Duplicate”: altered content for clarity

Based on customer feedback, we changed the name of the query duplication feature from “Copy (SQL)” to “Duplicate” to clarify the functionality. Go to the Query Results > One Time tab and then expand the Actions menu. Select a query to rerun on a different policy, a different set of endpoints, or the same set but with different SQL.

 

Select Duplicate and a window will appear with the original SQL and endpoint selections pre-populated. Make edits as needed and then click Run. This functionality is also available in the Take Action menu on the individual Query Results page.

 


Enterprise EDR (formerly CB ThreatHunter)

Process Analysis tree nodes show Deny and Terminate icons 

The Process Analysis page provides a visual tree view of all process parents, siblings and children related to the process under analysis. At a glance, this tree provides key information with necessary context.

The Process Analysis tree now indicates whether the process was involved in a Deny or Terminate action in the form of red shield icons. This signifies that the process was parent to a process that was Terminated after it started, or to a process that was Denied before it began running.
 
These icons also signify that you can find details about the Denied or Terminated event details in the Events table. You can run a search for sensor_action:DENY, sensor_action:TERMINATE (or sensor_action:*) to quickly isolate the specific events in which the Deny or Terminate action was applied by the sensor.

For example, in the following Process Analysis tree, two instances of FIREFOX.EXE include one or more red shield icons:
 

The first instance shows the Terminate shield, indicating that a process was Terminated after it began running.

The second instance shows the Deny and Terminate shields, indicating that there were two separate events in which the sensor intervened: one in which a running process was Terminated, and one in which an attempted process was Denied before it performed any interesting actions.

An orange exclamation point icon indicates that one or more Enterprise EDR Watchlist hits were associated with the process.

 

 


February 18, 2020 

VMware Carbon Black Cloud

Improved User Guide print function

The top left corner of the User Guide panel now has a dedicated Print button. The selected User Guide content opens in a new tab and shows a Print window. This provides a printing experience that accurately captures the currently displayed content.

 


Endpoint Standard (formerly CB Defense)

MITRE Technique IDs

MITRE framework technique IDs are now integrated into the Endpoint Standard solution. The MITRE framework is divided into 12 tactics and over 300 techniques, which adversaries use to compromise systems and enterprises. For more information on the MITRE Framework, click here.
 
You can search the platform for specific MITRE technique IDs while hunting for threats, and/or use the existing alert notification functionality to flag on any technique IDs that are tagged on your current events and alerts.
 
If an event or alert is tagged with a MITRE technique ID, a TTP with the prefix “mitre_” displays, followed by the technique ID. Technique IDs appear alongside Carbon Black TTPs on the Alerts, Investigate, and Alert Triage pages as hollow pills with a colored border, which represents the severity level. Click the MITRE Technique ID for a description and context of the technique on the MITRE website.

For TTP and TID severity levels, click the question mark icon next to the TTPs title.

You can search for specific MITRE techniques on the Alerts and Investigate pages in the same way that you would search for Carbon Black TTPs.



Audit and Remediation (formerly CB LiveOps)

New recommended queries

Our TAU team has crafted three new queries. Similar to the Windows CryptoAPI Spoofing vulnerability query, a highly relevant query detects machines that are vulnerable to a recent critical Linux vulnerability (CVE-2019-18634). The new queries are:

Windows Firewall Status

CVE-2019-18634 Vulnerability

Potential socat TTY Misuse or Reverse Shells

Click New Query > Recommended to run or schedule queries using these new terms.

 


Enterprise EDR (formerly CB ThreatHunter)

New data in Investigate and Process Analysis

The following event data is now supported by the Windows 3.5 Carbon Black Cloud sensor:
 
New data: Scriptload events
A new type of sensor event called the scriptload event is recorded by the Windows 3.5 sensor. This event captures all executions of filesystem-backed scripts that are launched by a specified set of script hosts. Supported script extensions for Windows currently include PDF, BAT, CMD, MSI, MSP, MST, PS1, and PSM1. The scriptload event and its data appear in the Events table on the Process Analysis page.

 

New data: Fileless Scriptload events
A new type of sensor event called the fileless scriptload event is recorded by the Windows 3.5 sensor. This leverages the Antimalware Scan Interface (AMSI) support that is available in Windows 10 and Windows Server 2016.
 
The fileless_scriptload event represents each occasion on which the sensor detected AMSI-decoded script content that was executed by any process on the endpoint. This consists only of "fileless script" content that was not stored in a file on the file system when that content was executed.
 
For example, you can detect when malware loads the PowerShell runtime into another process, obtains encoded PowerShell script content from a remote network server, and then executes that script content directly from memory.
 
The fileless scriptload event and its data appear in the Events table on the Process Analysis page.

 

Click the expansion arrow icon in the event to display the full-length decoded script content.

 

Note: Support for decoding fileless script content via AMSI is dependent on each script interpreter that integrates with the AMSI interface in Windows. To date, the following script interpreters have implemented support: PowerShell, JScript, VBScript, JavaScript & VBA (via Office365), .NET and WMI. More information from Microsoft can be found here.
 
New data: Process Access Control details
The Carbon Black Cloud console provides three newly-surfaced characteristics of a Windows process's access to operating system resources: Elevated, Integrity, and Privileges. These are surfaced by the Carbon Black Cloud Windows 3.5 sensor for any process that exhibits relevant access:

Elevated is shown as True for any process that is/was running in an elevated state; otherwise it is shown as "--" to signify that the sensor has not reported any elevation status.

Integrity reports the process integrity level at which the process is/was running.

Privileges reports each privilege that is contained in the token that authorizes the process to take actions. If there are more than three privileges reported for the process, the console makes the full list available in an expansion window.

This information is displayed in the right pane of the Process Analysis page.

The full list of process privileges appears when you click the expansion arrow icon in the Privileges section.

New supported search fields

The following new fields are supported for searches across Enterprise EDR data that is sent from the Carbon Black Cloud Windows 3.5 sensor:

fileless_scriptload_cmdline: Find processes that executed PowerShell commands in fileless execution context; for example, fileless_scriptload_cmdline:System.Management.Automation.Utils.

fileless_scriptload_cmdline_length: Find processes that executed PowerShell commands of certain lengths; for example, fileless_scriptload_cmdline_length:[50 to *].

fileless_scriptload_hash: Find processes that loaded a specific file-less script by its hash value.

process_elevated:true: Find all processes launched in an elevated state via the User Account Control (UAC) feature of Windows.

process_integrity_level: Find all processes that are running at one of the integrity levels defined and enforced by Windows' Mandatory Integrity Control; for example, process_integrity_level:PROTECTED.

process_privileges: Find all processes running with any of the defined privileges in Windows; for example, process_privileges:SeDebugPrivilege.

process_service_name: Find only the svchost.exe processes where the Windows Service matches the internal service name; for example, process_service_name:wsearch.

scriptload_count: Total number of script loads by this process; for example, scriptload_count:[0 TO 5].

scriptload_hash: MD5 and SHA-256 hashes of the loaded script; for example, scriptload_hash:2d75cc1bf8e57872781f9cd04a529256 OR scriptload_hash:c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f.

scriptload_md5: MD5 of the loaded script; for example, scriptload_md5:2d75cc1bf8e57872781f9cd04a529256.

scriptload_name: Tokenized paths of the scripts loaded by the process; for example, scriptload_name:malware.docx.

scriptload_publisher: Publisher that signed the script, if any; for example, scriptload_publisher:Microsoft.

scriptload_publisher_state: Certificate signature states of the loaded scripts as string; for example, scriptload_publisher_state:FILE_SIGNATURE_STATE_INVALID.

scriptload_reputation: Reputation of the loaded script; for example, scriptload_reputation:TRUSTED_WHITE_LIST.

scriptload_sha256: SHA-256 of the loaded script; for example, scriptload_sha256:c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f.

sensor_action_reason: Find the processes for which the sensor took a specific action; for example, sensor_action_reason:POLICY_DENY.
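As an added example (not Carbon Black's code), a small evaluator of this field:value search syntax over constructed process records, covering boolean fields (process_elevated:true), multi-valued fields (process_privileges), tokenized paths and command lines, numeric ranges such as [0 TO 5] and [50 to *], and OR clauses. The tokenization is a deliberate simplification and does not reproduce the console's actual analyzer.

```python
import re
from fnmatch import fnmatchcase

# Constructed process records shaped like the fields listed above (sample data
# for this example, not sensor output). List-valued fields hold one entry per item.
PROCESSES = [
    {"process_name": "powershell.exe", "process_elevated": True,
     "process_integrity_level": "HIGH",
     "process_privileges": ["SeDebugPrivilege", "SeImpersonatePrivilege"],
     "scriptload_count": 2,
     "fileless_scriptload_cmdline": "Import-Module System.Management.Automation.Utils; Get-Process",
     "fileless_scriptload_cmdline_length": 61},
    {"process_name": "svchost.exe", "process_elevated": False,
     "process_integrity_level": "SYSTEM", "process_privileges": ["SeChangeNotifyPrivilege"],
     "process_service_name": "wsearch", "scriptload_count": 0},
    {"process_name": "cmd.exe", "process_elevated": False,
     "process_integrity_level": "MEDIUM", "process_privileges": [],
     "scriptload_count": 7,
     "scriptload_name": r"c:\users\bob\downloads\malware.docx",
     "scriptload_hash": "2d75cc1bf8e57872781f9cd04a529256"},
]

TERM_RE = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")           # field:value or field:[a TO b]
RANGE_RE = re.compile(r"^\[(\S+)\s+TO\s+(\S+)\]$", re.IGNORECASE)
TOKEN_RE = re.compile(r"[^\w.\-]+")                        # split paths/cmdlines into tokens


def _match_term(record, field, value):
    """True if one field:value term matches the record; an absent field never matches."""
    if field not in record:
        return False
    raw = record[field]
    values = raw if isinstance(raw, list) else [raw]
    rng = RANGE_RE.match(value)
    if rng:                                                # numeric range, '*' = open bound
        lo, hi = rng.groups()
        lo_n = float("-inf") if lo == "*" else float(lo)
        hi_n = float("inf") if hi == "*" else float(hi)
        return any(isinstance(v, (int, float)) and not isinstance(v, bool)
                   and lo_n <= v <= hi_n for v in values)
    pattern = value.lower()
    for v in values:
        text = str(v).lower()                              # True -> "true"
        # Match the whole value or any token of it, so scriptload_name:malware.docx
        # matches a full path and a cmdline term matches one token of the cmdline.
        candidates = [text] + [t for t in TOKEN_RE.split(text) if t]
        if any(fnmatchcase(c, pattern) for c in candidates):
            return True
    return False


def search(records, query):
    """Return process names matching the query. Space-separated terms are ANDed;
    clauses joined by ' OR ' are ORed, as in the scriptload_hash example above."""
    clauses = [TERM_RE.findall(part) for part in query.split(" OR ")]
    clauses = [terms for terms in clauses if terms]
    return [r["process_name"] for r in records
            if any(all(_match_term(r, f, v) for f, v in terms) for terms in clauses)]


if __name__ == "__main__":
    for q in ("process_elevated:true process_privileges:SeDebugPrivilege",
              "scriptload_count:[0 TO 5]",
              "fileless_scriptload_cmdline_length:[50 to *]",
              "scriptload_name:malware.docx OR process_service_name:wsearch"):
        print(f"{q!r:70} -> {search(PROCESSES, q)}")
```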

Investigate Search shows future events

When an endpoint’s operating system time is incorrect, events reported to the Carbon Black Cloud with future timestamps were not returned via search if the upper time limit was set to the default “now.” 
 
To enable our customers to see all the events reported by sensors, even for endpoints with system times set in the future, we have removed the default upper boundary in all search queries unless the user explicitly sets a custom time range.

 
 
February 3, 2020 

VMware Carbon Black Cloud

v2 Process Search API

The Investigate page (at /cb/investigate) and Process Analysis page (at /analyze) in the Carbon Black Cloud console are updated to use the latest Search API (https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search-v2/).
 
If you troubleshoot by using browser developer tools, the following changes can help you acclimate to the new experience:
 

There are now two separate API calls to start a search in the console: instead of one request to /processes/search_jobs, there is a search request (to /processes/search_jobs) and a facet request (to /processes/facet_jobs).

The query_id parameter is now search_job_id and facet_job_id (corresponding to the respective API endpoints above).

Note: This update applies to all customers who have CB ThreatHunter, or CB Defense and CB ThreatHunter together. Customers who have CB Defense only will continue to have the same experience as before.


CB LiveOps

30-day data retention

To provide greater visibility into queries that were created more than 30 days in the past, we are improving the overall data retention experience in the console. Queries created more than 30 days in the past now show up in the One-Time tab table with an Expired status. Although the link into the individual results page is no longer available on expired queries, you can still access general information about the query (such as the SQL, query name, and endpoints that it ran against) by opening the Query Details panel via its icon. You can also delete, copy, or re-run expired queries via the Actions column.

 

On the Scheduled tab, individual instances of scheduled queries that occurred more than 30 days ago do not appear in the table. For audit purposes, we now track runs of scheduled queries in the Audit Log.

If you try to navigate directly to the individual Query Results page of an expired query via a saved link or bookmark, a notification explains why you were redirected.

 


January 30, 2020
 
Release calendar

The following table provides a general timeline for when you can expect to see these changes in the Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ January 30
https://defense.conferdeploy.net January 30
https://defense-prod05.conferdeploy.net January 30
https://defense-eu.conferdeploy.net February 3
https://defense-prodnrt.conferdeploy.net/ February 3


VMware Carbon Black Cloud

Data load visualization

While data is being loaded onto a page, visual placeholders now replace the “spinner” indicator.

 

Standardization improvements on Notifications and Malware Removal pages

On the Notifications page, CB product updates now displays in the top right section of the page and Add notification displays in the top right table area.

 

On the Malware Removal page, a description now appears below the Malware Removal title and the search functionality is moved to the primary table area.

Similar page standardizations are coming soon to other pages in the Carbon Black Cloud, starting with the API Keys page. Check upcoming release notes for details.


CB Defense

Detection enhancements

The following table lists detection enhancements and resolution of a high-impact false positive:
Type | Name | Description
Enhanced Detection (Windows) | Spearphishing | We implemented an enhanced detection technique to alert users when an email attachment attempts to make a network connection. This enhanced detection is related to spearphishing, a form of targeted phishing attack.
False Positive (macOS) | Injection | Resolution of a high-frequency false positive that occurs on macOS 3.4+ sensors, related to shells talking on the network.
 

CB LiveOps

New recommended query for Windows CryptoAPI spoofing vulnerability (CVE-2020-0601)

A new recommended query that is crafted by our Threat Research team is now available for all CB LiveOps customers. It detects Windows endpoints that are vulnerable to the CryptoAPI Spoofing vulnerability that was disclosed by Microsoft on January 14, 2020.
 
To leverage this new query, go to the New Query page > Recommended tab and search for “CryptoAPI” or “CVE-2020”. Click Run to run the query across all Windows endpoints in your environment, or select a specific policy or set of devices against which to run the query. You can schedule the query to run daily, weekly or monthly to monitor for this vulnerability or track patch deployment.

 

The query returns a list of endpoints and their vulnerability status. VMware Carbon Black recommends exporting the list of endpoints with the status “CRITICAL_PATCH_MISSING” and patching them immediately because that is the only known remediation for this vulnerability. Because the vulnerability only affects Windows 10, Windows Server 2016, and Windows Server 2019 systems, the query will return “PATCH_NOT_APPLICABLE” for any Windows devices that are not affected (for example, endpoints that are running Windows 7).

To read more about this vulnerability and how Live Query assists with vulnerability management, see Using Live Query to Audit Your Environment for the Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601).

 

APIs for scheduled queries

The full suite of REST API routes to schedule and manage scheduled queries is now fully documented and publicly available on our Developer Relations website.

 

CB ThreatHunter

User-level favorite searches

You can save favorite searches per user. When creating a favorite, you can choose between Private (user-specific) and Org-wide. Private favorites are only visible to the user who created that favorite; org-wide favorites are visible to everyone in the organization.

 

Share process nodes

On the Process Analysis page, you can share specific process tree nodes via the Share Process action in the Take Action menu. When another user clicks this link, they are taken to the node that was selected when the Share Process action was initiated.

 


 

January 21, 2020

CB ThreatHunter

New search fields

The following new search fields are available for customers who have either CB ThreatHunter stand-alone or CB ThreatHunter together with CB Defense. They are available in the Process Search API as searchable fields:
 

device_os_version - This data is available from the latest sensors, which report the OS version in which the process was running.

has_children - Calculated by the Carbon Black Cloud at search time to determine if the cloud has any child node records; leveraged by the Process Analysis tree.

process_company_name - The CB ThreatHunter equivalent to the CB Response company_name.
process_internal_name - The CB ThreatHunter equivalent to the CB Response internal_name.

New create-time field in Watchlist alerts

For users of the appservices/v6/orgs/<orgkey>/alerts/_search API, there is now a create_time field on every Watchlist Alert record. This timestamp represents the time when the Alert was generated by the Watchlist service.

 
 
December 9, 2019

Carbon Black Cloud

New suggested searches

Using CB ThreatHunter and CB Defense together now provides new suggested searches alongside favorite searches on the Investigate page, delivered via the VMware Carbon Black Cloud. These new suggestions make it easier to begin hunting for threats without needing to know the exact syntax.
 
You can choose from a variety of prebuilt searches to identify common attacker behaviors such as the execution of a fileless script or the execution of code from memory. These can be the building blocks for more serious threats. 

 

New search fields
The following new search fields have been added for customers who have either CB ThreatHunter stand-alone or CB ThreatHunter together with CB Defense. The pages on which each field can be used to narrow a search are listed in the following table:
 
Search field Pages
childproc_cmdline Process Analysis
childproc_cmdline_length Investigate
childproc_publisher_state Investigate
event_attack_stage Investigate
event_threat_score Investigate
netconn_local_ipv4 Investigate, Process Analysis
netconn_local_ipv6 Investigate, Process Analysis
parent_cmdline Investigate
parent_cmdline_length Investigate
parent_publisher_state Investigate
 

CB LiveOps

Scheduled Queries: Added time and time zones

To provide all relevant, useful information that is related to a scheduled query, we have altered the columns on the Query Results > Scheduled tab to add visibility into the time and time zone of a query that has been scheduled. We’ve split the information in the Last Run column and added a new column called Run Time to display both the time and time zone of the schedule.
 

 

The User column on the Scheduled results page has been removed; that information is still available by clicking the Query Details icon.

Schedule Summary added to SQL tabs

When you schedule a query on the New Query > SQL Query tab, a summary confirms your schedule selections before you click Schedule. This experience is now consistent with the Recommended tab.
 

 


CB ThreatHunter

New event type available: Scriptload

The macOS 3.4.0 sensor supports a new event type called scriptload. On the Process Analysis page, scriptload and all matching events are displayed in the Events table.
 
Four new searchable fields are available on the Investigate page:

scriptload_name

scriptload_hash

scriptload_publisher

scriptload_publisher_state

Three new searchable fields are available on the Process Analysis page:

scriptload_md5

scriptload_sha256

scriptload_reputation

On the Process Analysis page, a new facet category called scriptload can filter the Events table to show only these scriptload events.

 

December 4, 2019
 
Release calendar

The following table provides a general timeline for when you can expect to see these changes in the Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ December 4
https://defense.conferdeploy.net December 4
https://defense-prod05.conferdeploy.net December 5
https://defense-eu.conferdeploy.net December 5
https://defense-prodnrt.conferdeploy.net/ December 5


Carbon Black Cloud

Event Forwarder

The Carbon Black Cloud Event Forwarder is a service that taps into data streams within the platform, and transports, transforms, and translates endpoint data to a customer’s receiver. It is a mechanism to push data from our platform to an external system.
 
This initial release delivers the following capabilities:

Unified architecture supports all Carbon Black Cloud products through a single Event Forwarder

Endpoint event forwarding for CB Defense and CB ThreatHunter events to a defined customer-provided Amazon S3 bucket

Data translation and transformation for converting the raw data sent by the endpoints into more consumable formats

Self-service capabilities to create, edit, un-enable, enable, and delete forwarder configurations via APIs

Multi-destination forwarding to allow events to be sent to one or more S3 buckets

Documentation will be available in the Developer Network space of the UEX and on the Developer Network website shortly following this release.

Specialized event cards

Event cards for each event type provide the information you need without having to navigate throughout the product. The supported event types are childproc, netconn, filemod, crossproc, and regmod. This capability is only available for customers who have both CB ThreatHunter and CB Defense.
 



CB Defense

Improvements to dismissing grouped alerts

Number of alerts in an alert group now displays in the Device column.

When dismissing an alert group, the total number of alerts that are being dismissed is displayed.

Audit log contains the total number of alerts that are dismissed with the request.

Detection analytics improvements

Improved detection of attacks that leverage malicious applications to bypass user account controls and elevate privileges. This is part of our continued effort to expose attackers using Living off the Land techniques - that is, attackers that use native applications for malicious purposes.

We’ve reduced high-impact false positives related to Windows Explorer injecting into common Windows processes. This particular form of injection is in the top 3 most prevalent reasons for injection false positives. With fewer false positives occurring in the dashboard, customers can focus on important threats faster.

The following list of improvements provides additional details:

Type | Name | Description
Enhanced detection | User Account Control Bypass | Enhanced detection of certain native Windows applications being leveraged to escalate privileges and bypass User Account Control.
False positive | Injection | Eliminated false positive alerts related to an uncompromised explorer.exe injecting into common Windows processes.
 

CB LiveOps

Schedule a query

You can now schedule a query. To schedule a daily, weekly or monthly query, go to Live Query > New Query, click either the Recommended or SQL Query tab, and click the Schedule button. Alternatively, you can schedule queries via our APIs; for full API documentation, please visit the Developer Relations website. When scheduling a query, we highly recommend that you consider the impact the query might have on your endpoints.


The time that you select when scheduling is the time when the query is sent to the targeted devices if they are active and online. It is not the time that the device will run the query (i.e., the device local time). Any endpoints that are offline when the query is scheduled to run will respond to the most recent running recurrence of the query when they come back online, and the results will show up on the Query Results > Scheduled tab.

After you have scheduled a query, you can consult the latest results of that query on the Query Results > Scheduled tab. Going forward, ad-hoc queries will appear in the One-Time tab and all scheduled queries and their runs will appear in the Scheduled tab. To view the runs of a scheduled query, click the > next to the name of the scheduled query; to view the results of an individual run, click the Time link.

You can take the following actions on the query schedule:

Edit the query name, the email notification settings and the frequency.

Stop the schedule from running in the future. Any queries in progress will run to completion.

Delete the schedule. This action also deletes all runs of the scheduled query.

You can also stop and delete individual runs of a scheduled query.

“Run” recommendation location change

We have changed the content and location of the Run field within the Recommended Query cards. The recommended run frequency is not a schedule, nor an indication that the query has been automatically scheduled for you.

Email opt-in

We have changed the default behavior of the email notifications setting across Live Query. The default setting now requires you to opt-in if you want to be notified when a query reaches completion.

 


November 25, 2019

CB ThreatHunter

Search fields are added to CB Response-to-CB ThreatHunter query translate API

digsig_result_parent converts to parent_publisher_state

digsig_result_child converts to childproc_publisher_state

digsig_result_filemod converts to filemod_publisher_state

 

Search API v0 removed

The deprecated Search API v0 is removed from production. All customers should migrate to the Search API v1. See https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search/.

 

Updated Watchlist Alert ID

To improve the Alerts page's ability to group and dismiss related Watchlist Alerts, the ID for each Watchlist Alert is now unique per watchlist hit.

 
 

November 11, 2019

CB Defense

Threat Report widget on Dashboard

You can now access Carbon Black’s threat reports directly from your Dashboard by using the new Threat Report widget.


 


Click a threat report to get a summary of the latest threats, and investigate to see if the threat exists on your endpoints.


 


 

CB ThreatHunter

New Process ID (PID) information

The Process Analysis page now provides the Process ID (PID) that is related to each event, in the expanded details section for each event. This PID can sometimes be different than the PID for the process that is currently selected on the page.
 
This additional context helps track potentially malicious processes and their related targets throughout the attack chain. It is shown next to the process tree visualization to make investigations quick and efficient.
 
Each operating system can exhibit the following behavior:

Windows: Identifies the process that initiated a crossproc event. Crossproc events are provided for both the initiator and the target processes. Crossproc events for the target process report the initiator's PID in the event details pane.

Linux: When a process calls fork() to generate a new process instance, the Carbon Black Cloud reports the events from the original and the fork()ed process in one process. The Process Analysis page reports the PID of the fork() process in the event area, to help distinguish these events from events that are generated by the pre-fork() process.

 

Updated dynamic rules for Windows sensors

Beginning with Windows sensor version 3.4, the latest Carbon Black Cloud sensors support CB ThreatHunter to deliver enterprise detection and response capabilities.
 
CB ThreatHunter leverages a new, highly adaptive mechanism for seamlessly distributing new policy content, which is called "dynamic rules." These rules improve sensor behavior without upgrading the sensor binaries.
 
Powered by the VMware Carbon Black Cloud, Carbon Black continually updates the dynamic rules content for current CB ThreatHunter customers to deliver the latest collection, detection, and response capabilities. This helps combat emerging threats automatically.
 
All CB ThreatHunter customers are upgraded to the latest CB ThreatHunter dynamic rules content. The latest sensor enhancements include the following:

Reporting of discovered modloads

Enhanced cross-referencing between CB ThreatHunter and CB Defense data (if any)

Improved de-duplication of reported data

Architectural support for future sensor releases

 


 
 
October 23, 2019 

Release calendar

The following table provides a general timeline for when you can expect to see these changes in the Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ October 23
https://defense.conferdeploy.net October 23
https://defense-prod05.conferdeploy.net October 24
https://defense-eu.conferdeploy.net October 24
https://defense-prodnrt.conferdeploy.net/ October 24


CB Defense

Detection analytics improvements

Living off the Land Binaries and Scripts (LoLBas) have become increasingly popular tools for cybercriminals. These types of attacks leverage native, signed, and pre-installed applications in malicious ways.

We’ve added improved detection of attacks that leverage native Windows applications to perform malicious activity (Living off the Land attacks), as well as other techniques such as accessibility debugger abuse, user account control bypass, and system log deletion.

We’ve also reduced high-impact false positives on macOS related to ransomware and reverse shell attacks, as well as ransomware behavior from Windows asset management applications.
 

The following list of improvements provides additional details:

Type | Name | Description
Enhanced Detection | Command Interpreter Downloads | Enhanced detection of command interpreters reaching out to common sites used by attackers to host malware.
Enhanced Detection | Accessibility Debugger Abuse | Enhanced detection of attackers modifying debugger executables, potentially allowing for command prompt access without logging in.
Enhanced Detection | User Account Control Bypass | Enhanced detection of certain native Windows applications being leveraged to escalate privileges and bypass User Account Control.
Enhanced Detection | System Log Clearing | Related to attackers leveraging the fsutil command to clear system logs and disk transactions to hide malicious activity.
False Positive | Ransomware | Eliminated false positive alerts related to certain Windows asset management applications performing ransomware-like behavior.
False Positive | Ransomware (macOS) | Eliminated false positive alerts related to common macOS developer tools performing ransomware-like behavior.
False Positive | Reverse Shell (macOS) | Eliminated false positive alerts related to certain applications performing reverse shell-like behavior.

 


CB LiveOps

Search on Recommended Queries

We’ve added a search bar on the Recommended tab of the New Query page to make it easier for you to find the right queries to run in your environment. You can search for any keyword found in the query name, description field, or SQL (including the SQL table itself). The search term will be highlighted in all relevant results to provide additional context.


 

Edit Recommended Queries SQL

Authored by Carbon Black cybersecurity experts, our Recommended Queries are now easier to modify and tailor to your environment with the addition of the Edit SQL button.

Click the + in the Recommended Query card of your choice, and then click Edit SQL. The SQL Query tab displays and you can edit the SQL as needed before running it in your environment. Any policy or endpoint selections made on the Recommended tab will display in the SQL Query tab for a seamless editing experience.



 
September 18, 2019 

Release calendar

The following table provides a general timeline for when you can expect to see these changes in the Carbon Black Cloud console. Please reference the URL that appears in your browser when you sign into the Carbon Black Cloud console.

Login URL ETA
https://dashboard.confer.net/ September 18
https://defense.conferdeploy.net September 18
https://defense-prod05.conferdeploy.net September 18
https://defense-eu.conferdeploy.net September 25
https://defense-prodnrt.conferdeploy.net/ September 25

 


Carbon Black Cloud

Enriched Events tab (CB Defense and CB ThreatHunter only)


If you use CB Defense and CB ThreatHunter together, the new Enriched Events tab on the Investigate page lets you search through all events that are enhanced with CB Analytics data. This page includes:

The ability to take action on these events.

The ability to view the reputation of all files that are associated with these events.

Clear indicators if an event is linked to an alert.


Carbon Black Cloud API enhancements
 
Enhanced alert APIs and use case workflows
We have extended the capabilities of the Alert API by improving the methods of retrieving alerts and adding functionality to manage the workflow by updating the alert status. This lets you efficiently call an API by providing a wide range of filtered fields, and provides the ability to dismiss alerts. 
 
Device management and actions
We have extended the capabilities of the Device API. We've improved the methods of retrieving device information, and added functionality to perform actions. You can efficiently call an API with a wide range of filtered fields, and perform actions on individual devices such as quarantine/unquarantine, enable or un-enable bypass, or upgrade to a new sensor version.
 

CB Defense

Detection analytics improvements

In recent years, Living off the Land Binaries and Scripts (LoLBas) have become increasingly popular tools for cybercriminals. These types of attacks leverage native, signed, and pre-installed applications in malicious ways.

We’ve added improved detection of attacks that leverage native Windows applications to perform malicious activity (Living off the Land attacks) as well as other techniques such as lateral movement across the environment, deletion of Windows registry keys, and system log deletion.
 
We’ve also reduced high-impact false positives that are related to an application injecting code into another application.
 

The following list of improvements provides additional details:

Type | Name | Description
Enhanced Detection | InstallUtil Malicious Network Connections | Related to attackers leveraging Installutil (a Windows tool that is typically used to install server resources) to establish potentially malicious network connections to sites that are not typically used by Installutil.
Enhanced Detection | Mshta Powershell | Related to Mshta (a Windows process that is typically used to execute HTML applications) invoking potentially malicious PowerShell scripts.
Enhanced Detection | Indirect Commands | Related to Forfiles, a Windows process, executing commands without directly invoking the command line.
Enhanced Detection | System Log Clearing | Related to attackers leveraging the Wevtutil command to clear system logs and disk transactions to hide malicious activity.
Enhanced Detection | Lateral Movement | Related to attackers leveraging Windows Management Instrumentation (WMI), which provides status of local or remote systems, for lateral movement purposes by executing PowerShell on behalf of another machine.
Enhanced Detection | Windows Defender Modification | Related to attackers leveraging PowerShell to update Windows Defender registry keys, opening up potential security holes in the system.
Enhanced Detection | Double File Extensions | Related to attackers utilizing double file extensions (for example, memo.doc.js, report.xls.vbs) to deceive users and execute malicious scripts.
Enhanced Detection | Windows Registry Keys | Related to attackers making suspicious entries in Windows registry keys (particularly Run/RunOnce), potentially resulting in malicious applications that execute upon login.
Enhanced Detection | macOS Gatekeeper Bypass | Related to attackers launching suspicious binaries from the /net directory (traditionally reserved for NFS-mounted shares).
False Positive | System Injection | Eliminated false positive alerts that were related to a Windows command line tool injecting into a system process.
False Positive | Injection | Eliminated false positive alerts related to certain Windows cloud drive tools injecting into other system processes.
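As an added illustration of the Double File Extensions analytic in the table above, here is example code written for these notes (not Carbon Black's detection logic); the extension sets and the sample file paths are constructed assumptions:

```python
"""Detect "double file extension" lures such as memo.doc.js or report.xls.vbs.

Added example, not Carbon Black's detection logic. Windows hides known
extensions by default, so memo.doc.js is shown to the user as memo.doc
while the shell still executes it as JScript. The extension sets and
sample paths below are constructed assumptions for this demo.
"""
from pathlib import PureWindowsPath

# Final extensions that Windows runs as a program or script (constructed list).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "lnk", "hta",
    "js", "jse", "vbs", "vbe", "wsf", "wsh",
}
# Penultimate extensions a user reads as a harmless document or image (constructed list).
DOCUMENT_EXTS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt",
    "csv", "jpg", "jpeg", "png", "gif",
}


def is_double_extension_lure(path: str) -> bool:
    """True when the file name ends in <document ext>.<executable ext>.

    Accepts a bare name or a full path with either separator; matching is
    case-insensitive because Windows file names are.
    """
    name = PureWindowsPath(path).name      # drop any directory part
    parts = name.lower().split(".")
    if len(parts) < 3:                     # need at least base.doc.js
        return False
    penultimate, last = parts[-2], parts[-1]
    return last in EXECUTABLE_EXTS and penultimate in DOCUMENT_EXTS


def flag_lures(paths):
    """Return the subset of `paths` that look like double-extension lures."""
    return [p for p in paths if is_double_extension_lure(p)]


# Constructed sample of file paths as they might appear in filemod events.
SAMPLE_FILEMOD_PATHS = [
    r"C:\Users\alice\Downloads\memo.doc.js",
    r"C:\Users\alice\Downloads\report.xls.vbs",
    r"C:\Users\alice\Downloads\INVOICE.PDF.EXE",
    r"C:\Users\alice\Downloads\archive.tar.gz",    # double extension, but harmless
    r"C:\Program Files\App\setup.exe",             # single extension
    r"C:\Users\alice\Documents\notes.js.txt",      # final extension is not executable
]

if __name__ == "__main__":
    for p in flag_lures(SAMPLE_FILEMOD_PATHS):
        print("double-extension lure:", p)
```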

 


CB LiveOps

Live Query console improvements

A series of console improvements makes Live Query easier to use and provides space for future additional functionality. We divided the original Live Query page into two separate pages under one link in the navigation bar:


 

To craft a new query, click Live Query and then click New Query. To review results of past or currently-running queries, click Query Results.

We redesigned the Recommended tab to make it easier for you to find pre-built queries. At the top of the new tab, five categories help you find and filter the best queries based on your use case. The default category is All, which lets you browse through all queries. Click a category filter to show only the queries that exist in that category. 

We moved the Email feature to the top navigation pane. Your selection persists across sessions; if you uncheck a selection, it remains unchecked until you check it again.


We added an OS filter to help you find queries for a specific operating system. You can select multiple operating systems; the query list shows queries that match any of the selected operating systems.


Queries now run against all endpoints by default, which makes it easier to query against all endpoints that are running a selected operating system. You can still query on selected policies and endpoints. If you select a policy or endpoint type, the Run button is un-enabled for queries that are incompatible with your selection. For example, if you select a Linux endpoint, the Run button on Windows-only and macOS-only queries is un-enabled. The Run button is also un-enabled if you do not have any active endpoints of that operating system in your environment.


We redesigned pre-built queries. For each query, we added expected results and the frequency with which to run each query. Click the + button on a query card to display the SQL equivalent of that query.


When you click the Run button, a green notification confirms that the query has successfully started.


 

The Query History table is now on the Query Results page. You can view the status and results of currently-running or past queries.


Device view status and improvements

To provide extra context into what happens after you click Run, we improved the query-specific Results pages. We reordered the tabs so that the Devices tab now displays before the Results tab. You can get details on matches for a specific device by clicking the blue number under the Results column. All specific and granular data remains in the Results tab.


 

We added the Response Pending status in the Devices tab to give more insight into how a query is progressing. In the Response filter and in the API, this field is called not_started. This status appears for any device that has not checked in with the cloud since the query was run. An active endpoint can often take 5 minutes or less to respond; devices that remain in the Response Pending status might be offline. If these devices remain offline for the seven day period during which the query is run, they will stay in Response Pending even after the query is marked Completed.
 
Removal of the Query Builder
We removed the Query Builder tab based on customer feedback. For more information about this decision, refer to this blog post. You can still query all the osquery tables that you used in the Query Builder by writing or copying queries in the SQL Query tab. See osquery schema and an Introduction to SQL.

CB ThreatHunter

New URLs

We changed the prefix for the Investigate page URL. For example, in the PROD05 environment, the URL for the Investigate page is now https://defense-prod05.conferdeploy.net/cb/investigate.

We removed /threat-hunter/ from the Process Analysis page URL. For example, in the PROD06 environment, the URL for the Process Analysis page is now https://defense-eu.conferdeploy.net/analyze.

New search field

All searches for sensor_action:BLOCK can now be accomplished by searching for sensor_action:DENY. We made this change to ensure consistent terminology throughout the platform. The sensor_action value of DENY (and previously BLOCK) describes the action of the Carbon Black Cloud sensor preventing a process from starting.

Please update scripts and CB ThreatHunter Watchlists to use the new sensor_action:DENY value for any places where you previously searched for sensor_action:BLOCK.


 
August 2019
 


 

August 30, 2019 


CB LiveOps

Query History Table and Status Bar improvements

To make Live Query results easier to interpret, we consolidated the Query History Table. Based on user feedback, we removed the Matches and Last Result columns, rearranged the remaining columns, and added three new device-centric columns:

Responded: These devices have run the query and returned results back to the cloud by successfully matching the query (one or more results returned), not matching the query (zero results returned), or returning with an error.

In Progress: These devices have received the query and are in the process of running it and uploading results. 

Response Pending: These devices have not yet received the query. This can include devices that are offline or that have not checked in since the query was started.

We removed the Timed out query status because it caused confusion. A query is now marked Completed when all devices have responded or when seven days have elapsed.


We changed the progress bar on the individual query results page. The progress bar shows the same information that is available on the Query History table, with the addition of a device count. It will dynamically update as devices respond.


CB ThreatHunter

Favorite search improvements

When a Favorite Search is selected on the Investigate page, it will replace the existing search bar contents rather than append the Favorite Search to existing text. This change was made based on customer feedback.

Improved search field: enriched

We renamed the legacy search field to enriched in Investigate and Process Analysis search interfaces to more accurately reflect the returned results.

When searching in Investigate for analytics-enriched results, search supports enriched:true as the best way to find those events and processes.

All future Watchlist IOCs should migrate to using enriched:true and remove legacy:true.

The search interface and all Watchlist IOCs support both enriched and legacy search fields for at least six months, after which time the support for legacy will be removed.


August 19, 2019 

CB LiveOps

Improved In Progress visibility

We have added an In Progress status in the Devices tab to give more insight into a query. This status appears when a device has checked in with the cloud backend, which has received the query and is running the query and uploading results.


Additional recommended queries

Since our last release, we have more than doubled the number of recommended queries that are available in the Recommended tab. These queries are expertly crafted by our internal threat research team and CB LiveOps experts. For more queries, check out our public Query Exchange.


CB ThreatHunter

Save favorite searches

CB ThreatHunter now lets you save favorite searches. There are two new icons on the Investigate page: a star symbol and a down-arrow.

Type a search into the search bar.

Click the star icon. You can optionally rename the search.

Click Save.

After a favorite search is saved, any user can re-run that search. Click the down arrow to view searches. Click the favorite search to add that search to the search bar.


 

Users who have the Analyst 3, Admin, and Super Admin roles can perform the following actions based on the threathunter.events permission:

Rename favorite searches

Remove favorite searches

If you run the same search one or more times each day, consider using the Add search to threat report feature to create a custom automated Watchlist. This will run your search in the background 24 hours a day, potentially alerting you to any matches on that search.

You can use favorite searches as building blocks. If you frequently use the same set of search terms, you can create a Favorite that includes that sequence, and append it to situation-specific searches.

For example, you might frequently search for an activity that originates from a large number of web browsers. Perhaps one day you're searching for any time that browsers have connected to a potentially malicious domain, and another day you're searching for browser activity that loaded a potentially malicious module. You can type out the entire search each time; for example: 

netconn_domain:hackerz.tech AND (process_name:chrome.exe OR process_name:firefox.exe OR process_name:microsoftedge*.exe)

modload_hash:6426cf806ecfc1432326bd4e0c9d0bba25b8db8ff5a79ef2722e7ddd889a8f30 AND (process_name:chrome.exe OR process_name:firefox.exe OR process_name:microsoftedge*.exe)

Or, you can create a Favorite with the search process_name:chrome.exe OR process_name:firefox.exe OR process_name:microsoftedge*.exe and name it "Browsers".

The next time your search includes all browsers, you can type out the specifics of the unique search, open the list of Favorites, and select the "Browsers" favorite. CB ThreatHunter will append the Favorite's contents into the search bar and add it to your search query.

New search fields

We’ve introduced two new search fields:

enriched:true — Helps you find all CB Defense data that is enriched by the Carbon Black Cloud analytics engine.

process_cmdline_length — Lets you find processes that were launched by using a lengthy command line (for example, process_cmdline_length:[100 to *]).


August 5, 2019

 

Carbon Black Cloud

Relative time zones

When a date and time are displayed in the console, a tool tip now indicates the relative timezone.

For example, if the device time is reported as 4:41:37pm Aug 1, 2019, and you are located in the U.S. Pacific time zone (UTC -07:00), the device time data is reported as 4:41:37pm Aug 1, 2019.

When you hover your mouse over the device time cell, a tool tip shows the timezone into which the timestamp has been converted (for example, UTC -07:00).

Prevent users from changing their roles

Carbon Black now restricts users from changing their own role, to protect users from accidentally demoting themselves into a role with fewer permissions. Because users could never promote themselves into a role with more permissions, a self-demotion required a more powerful user to reverse the change. These situations are now avoided.


CB ThreatHunter

New search fields

Search field | Description | Examples
process_cmdline_length | Helps track down processes that have unusually long command lines. | Search for process_cmdline_length:[100 TO *].
enriched | Helps surface the behavior-based event data that is provided by CB Defense. Note: This field was added to sensor data on July 17, 2019. It will take 30 days until all data is tagged with this new field. | Search for enriched:true to find all enriched data; search for -enriched:true to find all non-enriched data.


Carbon Black, Inc. | 1100 Winter Street, Waltham, MA 02451 USA | Tel: 617.393.7400

Copyright © 2011–2019 Carbon Black, Inc. All rights reserved. Carbon Black, CB Defense, CB ThreatHunter, CB ThreatSight, and CB LiveOps are registered trademarks and/or trademarks of Carbon Black, Inc. in the United States and other countries. All other trademarks and product names may be the trademarks of their respective owners.

 

Release Date Product Issue ID Description
January 24, 2022 All DSER-37462

"Equality" type IOCs for certain fields (for example, process hash, netconn_ipv6, etc.) are combined for optimized evaluation.

Before this fix, only one IOC would trigger a hit, even if there were more IOCs for the same field with the same value.

After the fix, all IOCs for the same field with the same normalized value will produce a hit, regardless of whether the IOCs are in different reports or the same report.

January 24, 2022 All DSER-38285

Dashboard to Vulnerability filters were not showing properly.

January 24, 2022 All DSER-35926

Modified email notifications to include an Alert Type selector, which includes a new container runtime option.

January 13, 2022 All DSER-37956

Data Forwarder user interface inaccurately reported connection test was successful.

January 13, 2022 All DSER-37701

Endpoints page crashed when updating all sensors without a proper searchDef.

January 13, 2022 All DSER-36396

Clicking on the Basic button twice on the Data Forwarders page toggled the Filter Data section between Basic and Custom Query, rather than staying always in Basic mode.

January 13, 2022 All DSER-34238

You can now easily move widgets on the dashboard.

December 17, 2021 All DSER-34722

The alert banner now disappears from the process analysis page after dismissal.

December 17, 2021 All DSER-34782

The Data Forwarder editor page now displays a small notification with an Undo button when a filter is deleted.

December 17, 2021 All DSER-35865

The dismissal window was showing an incorrect alert count for alert groups containing dismissed alerts.

December 17, 2021 All DSER-36377

The SHA256 hash is correctly presented for alerts with an IP address threat cause and command line arguments in the threat cause name.

December 17, 2021 All DSER-36533

Updated URL for Data Forwarder pages in CBC UI from /event-forwarder to /data-forwarder.

December 17, 2021 All DSER-37375

The Investigate page now presents a full URL that you can bookmark.

December 6, 2021 All DSER-36688

Fixed an issue where an error message for the Endpoints tab is sometimes echoed when switching to the Workloads tab.

December 6, 2021 All DSER-36816

Event Forwarder alert type configurations with empty filters are correctly saved.

December 6, 2021 All DSER-36867

More concise text for alert dismissals.

December 6, 2021 Managed Detection and Response DSER-37222

The correct Managed Detection fields display in all configurations.

November 18, 2021 All DSER-36673

Fixed an issue where the alert type facet response in the Alerts V6 API would return names of alert types that the organization does not have enabled. Alert type counts now only reflect alert types that pertain to enabled products.

November 18, 2021 All DSER-35620

Fixed accessibility issues. Added keyboard listeners and focus on tab for sortable table columns, policy panel, watchlist rows, etc.

November 18, 2021 All DSER-35615

Added focus and keyboard listener for left navigation collapse button.

November 18, 2021 All DSER-35461

Added a daily summary report for Managed Detection and Response customers.

November 1, 2021 All DSER-35124

Reassess Link is clickable when VM is powered off.

October 27, 2021 All DSER-35004

Avira Sigpacks are now returned by default for WORKLOADS and VDIs when searching for sensor kits.

October 27, 2021 All DSER-35199

Vulnerabilities VMs and Endpoints side panel closes when severity or filters are updated.

October 27, 2021 All DSER-35533

Search query persists when switching tabs in Vulnerabilities.

October 27, 2021 All DSER-35768

The Mac sensor installation email has been updated to reflect current macOS kits. Version 10.14 and earlier are no longer supported through the console.

October 27, 2021 All DSER-34354

Moved the alert count and device information from the dismissal modal header to the modal itself. The new string contains the number of alerts being dismissed as well as the device name, or number of devices, with alerts in the dismissal.

October 27, 2021 All DSER-34547

When alerts are grouped and the result cap is exceeded, the result count will now display "Showing 10,000 of 10,000+ results" instead of always showing "Showing 10,000 results" regardless of the total count.

October 27, 2021 All DSER-34552

A link was added to the dismiss for future criteria section that will show all alerts belonging to the same threat ID.

October 27, 2021 All DSER-35549

Investigate’s Enriched Events tab no longer submits a full search when the page loads. It is now consistent with the Processes tab, which populates the Filters panel and only submits a full search when requested by the user.

September 27, 2021 Workloads DSER-33553

Fixed the chart data for VM Workloads overview and the navigation to the VM Workload inventory page.

September 27, 2021 Workloads DSER-34769

The new facets (OS, Sensor Version, Signature Status and Golden Image Status) can be applied while exporting the inventory grid data.

September 27, 2021 Workloads DSER-34852

Fixed the missing page title for VM Workloads page.

September 27, 2021 Workloads DSER-34856

Fixed the navigation from Sensor Update Status asset link to the workload not enabled tab.

September 27, 2021 All DSER-34662

The Re-assess now option is available for devices with unsupported operating systems under Inventory.

September 27, 2021 All DSER-34959

Endpoint Standard: Vulnerabilities pages are automatically switching back to page 1 in the Endpoints page.

September 27, 2021 All DSER-34865

Vulnerability Column Displays On Endpoints Page Even If Not Enabled.

September 27, 2021 All DSER-34871

Side panel should close when performing a search.

September 27, 2021 All DSER-35120

Changing filter, severity, "view by" not resetting pagination to page 1 (VMs and Endpoints Vulnerabilities).

September 17, 2021 Workloads DSER-34580

Endpoint - parent image link should navigate to the endpoint when the Workload Management feature flag is set to HIDE.

September 17, 2021 Container Essentials GRC-1499

Various bug fixes in image scanning pages.

September 17, 2021 Container Essentials GRC-1387

GET image "overview" API returned 500 error when an image was not found.

September 17, 2021 Container Essentials GRC-1079

Rescan container images after a feed update.

August 26, 2021 All DSER-29279

Updated the search result count that displays above tables for Alerts, Investigate, Process Analysis and Watchlist pages. These were updated to use new API fields to represent how much data was processed for each query.

August 26, 2021 All DSER-29546

Updated all content references to background scan actions from "Enable/Disable" to "Start/Stop".

August 26, 2021 All DSER-33147

All instances of the target value bars are converted to textual representations. The value "mission critical" is changed to "critical".

August 26, 2021 All DSER-33248

Updated the Process Analysis Tree to exclude the target node from hash-based node grouping.

August 26, 2021 All DSER-33591

Updated policy rule paths to preserve whitespace as entered and scroll horizontally to display long paths.

August 26, 2021 All DSER-33765

Minor console labels and content changes.

August 26, 2021 Endpoint Standard DSEN-14615

Exclusions are added to Credential Theft protections to exclude yara scanning of signed OS binaries.

August 26, 2021 Endpoint Standard UAV-2148

Windows sensor version 3.6.0.2121 is required for newly-released Privilege Escalation detections and blocking.

August 26, 2021 Prevention CBC-7654

Fixed an issue where some dynamic prevention rules for Windows assigned by Carbon Black were behaving incorrectly in Prevention organizations.

July 16, 2021 All DSER-31350

User information (user name) in the CSV file exported from the Endpoints page properly reflects the current logged user.

July 16, 2021 All DSER-32471, DSER-29285

Live Response command parsing better handles whitespace in file paths and double-quote marks in exec and execfg commands.

July 16, 2021 All DSER-28159

Organization deregistration workflow removes pending admin invite entries so new users cannot be added to deregistered orgs.

July 16, 2021 All DSER-33238

Fixed a bug introduced in 0.67 where a user’s email could only be used to register once. This fix restores the ability to delete a user to re-use the associated email.

July 16, 2021 All DSER-26728

Endpoint registration request allows a new pending invite entry on the Endpoints page for users who already have a registered device.

July 16, 2021 All DSER-33198

If you logout on any page with persistence and then log back in again, the data persists.

July 16, 2021 All DSER-32886

Enforced the 255-character limit in the console for the Alert Notes Text Field.

July 16, 2021 All DSER-32956

VM Workloads - Active Directory Distinguished Name added to the table side panel.

July 16, 2021 All DSER-33445

Fixed an issue on the Process Analysis page where the detailed descriptions of childproc events were occasionally missing.

July 16, 2021 Workloads CBC-7688

Inventory sync from the appliance did not occur due to start-up failure of inventory services.

June 25, 2021 All DSER-28547

Duplicate attributes in search query were returned by the Policy Preventions test rule feature.

June 25, 2021 All DSER-25795

Updated Manage Devices and Download Sensor Kit subroles descriptions in the Carbon Black Cloud Console.

June 25, 2021 All DSER-25404

Fixed presentation of Name/Description in the Carbon Black UI API Access page to properly add a space.

June 25, 2021 All DSER-27451

Fixed the virtualizationProvider field to properly use double quotes when the value contains commas in the .csv file that is exported from the Carbon Black Cloud Console Endpoints page.

June 25, 2021 All DSER-29835

Fixed Carbon Black Access Service to properly handle special characters in Access Level name.

June 25, 2021 All DSER-31820

A race condition sometimes caused an alert to remain undismissed when using the dismissing-for-future command on a single alert.

June 25, 2021 All DSER-32679

The Remediation card in the Alerts sidebar could hang in the loading state for some alerts.

June 25, 2021 All DSER-32291

On the process tree, grouped nodes were not correctly selected on page load or when clicking the primary process link.

Updated the process tree nodes to indicate when a grouped node contains processes with the same hash running in multiple file paths.

Sibling nodes are now sorted alphabetically in the tree.

June 25, 2021 All DSER-31795

A long search (that is, a search of 2940 characters) caused the Endpoint export to not download.

June 25, 2021 All DSER-31952

Fixed the flow for generating new company codes (registration/deregistration) to avoid generating codes through accidental clicks of the Generate New Code button. User confirmation is now requested before a new code is generated.

June 25, 2021 All DSER-32685

Double-clicking values in the alert event field closed the expanded event row. Issue was also observed on Endpoints, Enriched Events (Alerts Triage) pages, etc.

June 25, 2021 All DSER-32864

Added a specific error message, instead of a generic one, when the vulnerabilities API failed, so that the reason for the failure is known.

June 25, 2021 Container Essentials GRC-625

The validate-resource command in cbctl returns the rule name instead of the rule ID.

June 25, 2021 Container Essentials GRC-624

Fixed a bug in policy ordering (enforcement) when the org has a policy with a scope of a cluster group.

June 25, 2021 Container Essentials GRC-646

Fixed stability issues with creating vulnerability exceptions.

June 25, 2021 Container Essentials GRC-1084

Images are cleaned up as part of the delete cluster operation.

June 25, 2021 Container Essentials GRC-658

Fixed the distro version in the image overview page.

June 25, 2021 Container Essentials GRC-1117

Fixed the Add Scope wizard view in Safari.

June 25, 2021 Container Essentials GRC-1114

The description field is now optional in the CLI setup wizard.

June 25, 2021 Container Essentials GRC-1116

Improvements in the tables on the K8s Workloads, K8s Violations, K8s Risks and K8s Images pages.

June 25, 2021 Container Essentials GRC-654

Fixed the org summary numbers in the Vulnerabilities page.

June 25, 2021 Container Essentials GRC-1127

Fixed the Vulnerability API, which could return CVSS V3 fields as empty strings.

June 25, 2021 Container Essentials GRC-665

Fixed the inconsistency between the workloads count on the K8s Images page and the workloads shown in the tab.

June 25, 2021 Container Essentials GRC-586

Deleting a CLI instance will now delete the API token that is associated with it.

June 8, 2021 Workloads DSER-32600

Added a hyperlink for the KB resource value in the Vulnerabilities and Assets views.

June 8, 2021 Workloads DSER-32601

Added a hyperlink for the CVE name in the Vulnerabilities and Assets views.

May 27, 2021 All DSER-30864

Audit log generated on sensor uninstall now properly identifies the uninstalling user.

May 27, 2021 All DSER-29041

Users could not delete a pending sensor when the same user had an active sensor.

May 27, 2021 Enterprise EDR LC-977

Watchlist API falsely returns a 200 response when attempting to enable Alerting on these threat intelligence feeds: ATT&CK Framework, Carbon Black Early Access Indicators, Carbon Black Endpoint Visibility, Carbon Black Suspicious Indicators. The change to disable Alerting on these feeds is documented on the VMware Community site here.

May 27, 2021 Prevention DSER-32262

Prevention customers did not have full visibility into the process name, including the full process path, within the Alert Triage page. You can now view the full process name in the right-hand process card in the Alert Triage page.

May 3, 2021 All DSER-31506

Added the Container Security and Cloud Workload Protection products to the product dropdown to show whether they are enabled.

May 3, 2021 All DSER-31178

Detail data now opens when switching to details view for any asset on the VMware workloads tab under Inventory.

May 3, 2021 All DSER-31709

Changed the Assets with Critical Vulnerabilities label to VMs with Critical Vulnerabilities on the Dashboard and changed the Critical Vulnerabilities label to VMs with Critical Vulnerabilities.

May 3, 2021 All DSER-31728

Vulnerability details now display in the full screen under the Inventory tab for Mozilla and Safari browsers.

April 26, 2021 All DSER-24211

In Event Forwarder endpoint.event.moduleload events, added the following fields:

  • scriptload_content
  • scriptload_content_length
  • scriptload_count
  • scriptload_effective_reputation
  • scriptload_hash
  • scriptload_name
  • scriptload_publisher
  • scriptload_publisher_state
  • scriptload_reputation

April 26, 2021 All DSER-29838

***Changes went live on 3/22 and were communicated via Developer Network before then.

  • Any existing Event Forwarder configs that filter on endpoint.event.netconn were updated to include endpoint.event.netconn_proxy.

  • Any existing Event Forwarder configs that filter on endpoint.event.moduleload were updated to include endpoint.event.fileless_scriptload and/or endpoint.event.scriptload.

April 26, 2021 All DSER-29634

Added crossproc_target field to the Event Forwarder schema.

April 26, 2021 All DSER-28908

Added support to Event Forwarder for a new event type: endpoint.event.netconn_proxy.

April 26, 2021 All DSER-30773

Customer was seeing multiple -- in their process_guid for events forwarded by Event Forwarder.
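A consumer-side check for the Event Forwarder changes listed above (DSER-24211, DSER-28908, DSER-29838 and DSER-30773), added here as an example and not Carbon Black's own code: it applies the same companion-type expansion to a filter list that the release note describes, pulls the scriptload_* fields out of matching events, and flags the doubled-separator process_guid form reported in DSER-30773. The JSON sample lines are constructed, and the "type" key naming the event type is an assumption.

```python
import json
from typing import Dict, Iterable, List

# Companion event types that the April 26, 2021 change (DSER-29838) added to
# existing Event Forwarder filters. A consumer that still filters on the old
# type names alone silently drops the companion events.
COMPANION_TYPES = {
    "endpoint.event.netconn": {"endpoint.event.netconn_proxy"},
    "endpoint.event.moduleload": {
        "endpoint.event.scriptload",
        "endpoint.event.fileless_scriptload",
    },
}

# Script-load fields added to endpoint.event.moduleload events (DSER-24211).
SCRIPTLOAD_FIELDS = (
    "scriptload_content", "scriptload_content_length", "scriptload_count",
    "scriptload_effective_reputation", "scriptload_hash", "scriptload_name",
    "scriptload_publisher", "scriptload_publisher_state", "scriptload_reputation",
)

# Constructed sample forwarder output (JSON lines), not real data. Assumption:
# each object names its event type in a "type" key. The netconn line carries the
# doubled "--" separators in process_guid reported in DSER-30773.
SAMPLE_LINES = [
    json.dumps({"type": "endpoint.event.moduleload",
                "process_guid": "ORGKEY01-00000001-00001234-00000000-1d70000000000aa",
                "scriptload_name": "c:\\users\\alice\\setup.ps1",
                "scriptload_hash": "a" * 64,
                "scriptload_reputation": "NOT_LISTED"}),
    json.dumps({"type": "endpoint.event.fileless_scriptload",
                "process_guid": "ORGKEY01-00000001-00001234-00000000-1d70000000000ab",
                "scriptload_content": "Write-Host 'hello'",
                "scriptload_content_length": 18}),
    json.dumps({"type": "endpoint.event.netconn_proxy",
                "process_guid": "ORGKEY01-00000001-00001235-00000000-1d70000000000ac"}),
    json.dumps({"type": "endpoint.event.netconn",
                "process_guid": "ORGKEY01--00000001--00001236--00000000--1d70000000000ad"}),
    json.dumps({"type": "endpoint.event.crossproc",
                "process_guid": "ORGKEY01-00000001-00001237-00000000-1d70000000000ae"}),
]


def expand_event_types(configured: Iterable[str]) -> set:
    """Return the configured types plus the companion types the change added."""
    expanded = set(configured)
    for base, companions in COMPANION_TYPES.items():
        if base in expanded:
            expanded |= companions
    return expanded


def guid_looks_malformed(process_guid: str) -> bool:
    """Flag the doubled-separator process_guid form from DSER-30773."""
    return "--" in process_guid


def process_forwarder_lines(lines: Iterable[str], configured_types: Iterable[str],
                            expand: bool = True) -> Dict[str, list]:
    """Parse JSON lines, keep events whose type passes the filter, collect the
    scriptload_* fields, and flag malformed process_guid values.
    expand=False behaves like a filter config written before the change."""
    wanted = expand_event_types(configured_types) if expand else set(configured_types)
    kept: List[tuple] = []
    scriptloads: List[dict] = []
    anomalies: List[str] = []
    for line in lines:
        event = json.loads(line)
        etype = event.get("type")
        if etype not in wanted:
            continue
        guid = event.get("process_guid", "")
        kept.append((etype, guid))
        if guid_looks_malformed(guid):
            anomalies.append(guid)
        fields = {k: event[k] for k in SCRIPTLOAD_FIELDS if k in event}
        if fields:
            scriptloads.append({"type": etype, "process_guid": guid, **fields})
    return {"kept": kept, "scriptloads": scriptloads, "anomalies": anomalies}


if __name__ == "__main__":
    configured = {"endpoint.event.moduleload", "endpoint.event.netconn"}
    before = process_forwarder_lines(SAMPLE_LINES, configured, expand=False)
    after = process_forwarder_lines(SAMPLE_LINES, configured)
    print("events kept by the old filter:", len(before["kept"]))
    print("events kept by the updated filter:", len(after["kept"]))
    print("script loads seen:", [s["type"] for s in after["scriptloads"]])
    print("malformed process_guid values:", after["anomalies"])
```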

April 26, 2021 All DSER-31424

The Alerts table now shows the grouped alert count in the Device column even when all alerts in the group were from a single device.

April 26, 2021 All DSER-30677

Fixed an issue where notes present:true would sometimes be included in CB Analytics alerts without notes present.

April 26, 2021 Audit and Remediation DSER-26891

A mismatch in timestamps was reported by Live Response dir and execfg cmd /c dir commands.

April 26, 2021 Container Essentials GRC-570

Cluster deletion instructions are provided upon deleting a cluster.

April 26, 2021 Container Essentials GRC-559

Policies no longer have the Draft status. They are Disabled instead.

April 26, 2021 Container Essentials GRC-557

When clicking the violations count in the Policies page, the details will now open in a popup.

March 18, 2021 All DSER-27474

Retrieving audit logs with an API connector key only returned results the first time the connector key was used.

March 18, 2021 All DSER-29675

Console-initiated sensor upgrades targeting all sensors failed to include some sensors after paging through the device list.

March 18, 2021 All DSER-30800

Enhanced Carbon Black Cloud internal user creation API to limit the role of the user invoking the user creation API. This restriction was enforced by the UI but not by the internal API.

March 18, 2021 Workloads DSER-29129

Could not move device to auto-assign when already under manual-assign.

March 18, 2021 Container Essentials GRC-530

K8s Harden > Saved Searches now allows changing the scope for a saved search.

March 18, 2021 Container Essentials GRC-350

Fixed detection of workloads exposed by a service (relevant to the Expose by service rule of a K8s policy).

March 18, 2021 Container Essentials GRC-321, GRC-516

Custom queries now support the kind, group, and version fields.

March 18, 2021 Container Essentials GRC-482

Custom queries now support the namespace resource.

March 18, 2021 Container Essentials GRC-356

After cluster deletion, cluster data reappeared in some cases.

March 18, 2021 Container Essentials GRC-533

Dataplane now supports HTTP proxy.

March 18, 2021 Container Essentials GRC-543

The messageproxy (events ingress) port has changed to 443 to comply with the standard TLS port.

March 2, 2021 All DSER-28956

If a field had a null value, that empty field was not included in the forwarded event.

March 2, 2021 All DSER-28952

Both the crossproc and apicall event types in Event Forwarder include a field that specifically identifies the API call/function.

March 2, 2021 All DSER-28953

Event Forwarder includes a crossproc_guid field.

March 2, 2021 All DSER-29826

Event Forwarder data sometimes had an empty value for event_origin.

March 2, 2021 All DSER-29564

Added Big Sur as an option for OS_MAJOR_VERSION.

March 2, 2021 All DSER-29705

Intermittent issue in which the dashboard widgets showed 0 values.

March 2, 2021 Endpoint Standard EA-18149

Prospect bypassed AMSI Prevention during Evaluation.

March 2, 2021 Enterprise EDR LC-673, EA-17797

The service will now return sorted results even if the sort field is not included in the request.

March 2, 2021 Enterprise EDR LC-681, EA-16429

Some event_ids were not visible through the console or the API.

March 2, 2021 Enterprise EDR DSER-30019

The Investigate page could show events search results on the Processes tab and vice versa.

March 2, 2021 Enterprise EDR DSER-26469

Operators (AND, OR, NOT) were not highlighted when written back-to-back in the Investigate search bar.

March 2, 2021 Container Essentials GRC-518

Fixed the Kubernetes Search page to display saved searches with long names.

March 2, 2021 Container Essentials GRC-505

Fixed the Kubernetes Workloads page to display long cluster names.

March 2, 2021 Container Essentials GRC-506

Fixed the Kubernetes Health > Risks tab to display long cluster names.

March 2, 2021 Container Essentials GRC-504

Added alphabetical order for the rules drop-down in the Kubernetes Search > Search tab.

March 2, 2021 Container Essentials GRC-503

Fixed the table sorting in the Kubernetes Policies > Rules page.

March 2, 2021 Container Essentials GRC-502

Fixed the locale of the table headers in some Kubernetes pages.

March 2, 2021 Container Essentials GRC-444

Added support for the read-only role for the Kubernetes pages.

January 25, 2021 All DSER-19110

Enhanced CBC SSO to protect user information when users log in using SSO on a shared workstation. This forces new users to log in if previous users did not explicitly log out of SSO.

January 25, 2021 All DSER-26231

Added a new subrole "View Org Information", replacing "View Org Information and Codes" in the standard analyst and view-only roles. This means those roles (Analysts 1, Analyst 2, Analyst 3, View All, and View Only - Legacy) can no longer see sensor install/uninstall codes. API roles built on the existing subroles will continue to function as before.

January 25, 2021 All DSER-29137

Made sure that a 400 HTTP return code is returned when deleting a rule set assignment for an organization that does not have a rule set assigned.

January 25, 2021 All DSER-28224

Improved the performance of persisting the last contact time.

January 25, 2021 All DSER-25323

Added the ability to see signature pack creation dates.

January 25, 2021 All LC-689

The legacy_alert_id field was missing in the Watchlist Alert API data.

January 25, 2021 All DSER-29336

The Triage Alert graph's policy action shield was missing despite the node having a POLICY_DENY or POLICY_TERMINATE TTP.

January 25, 2021 All DSER-29317

Added markdown link support to the Dashboard's TauTin widget.

January 25, 2021 All DSER-29222

Threat-level notes_present and tags_present are now supported for all Alert types.

January 25, 2021 All DSER-29194

The Endpoint Health widget on the Dashboard page only displayed data for Endpoints and not VM Workloads.

January 25, 2021 All DSER-29098

Investigate Alert Details (in the Investigate table side panel) now shows the proper alert id and Process Analysis link for Watchlist Alerts.

January 25, 2021 All DSER-29097

The Triage Alert page no longer appears blank if the alert was not in the scope of the alerts search; this was most commonly seen in alert dismissals on the Triage Alert page.

January 25, 2021 All DSER-28597, DSER-28510

Time filter time spans and on-change functionality is aligned between the Alerts, Investigate, and Dashboard pages.

January 25, 2021 All DSER-20961

Triage Alerts links are added to the Investigate Events table for events associated with Alerts for Endpoint Standard customers.

January 25, 2021 All DSER-29202

Correctly display the operating system version when sensors are running on macOS 11.

January 25, 2021 Endpoint Standard DETECT-2320

The ThreatCategory wasn't correctly set to KNOWN_MALWARE in some situations, even though analytics was correctly identifying malware.

January 25, 2021 Audit and Remediation DSER-28332

The Live Query Query Asset button disappeared when searching by deviceType or sensorVersion.

January 12, 2021 Workloads CWP-3966

The on-premises appliance relies on an API key to communicate and register with the Carbon Black Cloud. If this key was deleted from the Carbon Black Cloud after an appliance was registered, the appliance incorrectly displayed a successful registration status.

December 16, 2020 All DSER-21690

A user's favorite saved search that had been deleted was restored at times.

December 16, 2020 All DSER-28552

Policy Action notifications for device control alerts did not always trigger.

December 16, 2020 All DSER-27473

MSSP users could not submit feedback via the console.

December 16, 2020 Endpoint Standard DSER-28188

Some network-related detections were missing information about the hosts that attempted to connect to and/or scan customer endpoints.

December 16, 2020 Endpoint Standard DSER-28967

Improved the handling of requests from sensors to make sure that the lastContactTime is updated with minimal delay.

December 16, 2020 Endpoint Standard DSER-28909

Login issue after database upgrade.

December 16, 2020 Endpoint Standard DSER-20913

Dashboard endpoint health widget did not match the enrollment page.

December 16, 2020 Endpoint Standard DSER-20496

Could not delete admin accounts when linked to multiple orgs.

December 16, 2020 Endpoint Standard DSER-28962

Unable to quarantine devices from the Remediation option on the Alerts page.

December 16, 2020 Endpoint Standard DSER-28420

Device Control - Approvals/_search and device/_search defaulted to 0; if a request was sent without rows, it returned an empty list. 

December 16, 2020 Endpoint Standard DSER-28419

Device Control - Audit log did not show wildcards for PID.

December 16, 2020 Endpoint Standard DSER-28399

Device Control - Edit approval endpoint did not return vendor name and product name.

December 16, 2020 Endpoint Standard DSER-28397

Device Control - Errors in checkaccess middleware returned application/json content type.

December 16, 2020 Endpoint Standard DSER-28386

Device Control - v1/v2 APIs used RFC3339 time formatting.

December 16, 2020 Endpoint Standard DSER-28336

You could get a block by ID; product returned a 404 error for a block that was soft-deleted.

December 16, 2020 Endpoint Standard DSER-28286

Device Control - 409 error handling on approval edit.

December 16, 2020 Endpoint Standard DSER-28284

Device Control - Devices with soft-deleted approvals still showed APPROVED status.

December 16, 2020 Endpoint Standard DSER-28262

Device Control - Ensure that all routes that change database state use audit logging.

December 16, 2020 Endpoint Standard DSER-27397

Device Control - Add Max Size for CSV uploads.

December 16, 2020 Endpoint Standard DSER-27393

Device Control - Get Approval by ID endpoint.

December 16, 2020 Endpoint Standard DSER-27336

Device Control - Update all APIs to accept and respond to VID/PID as hex strings instead of ints, and create V3 of all APIs.

December 16, 2020 Endpoint Standard DSER-27287

Device Control - Deprecated POST /devices and POST /allowlist.

December 16, 2020 Endpoint Standard DSER-27087

Device Control - Updated free text search.

December 16, 2020 Endpoint Standard DSER-26985

Device Control - Deprecated org blocking.

December 16, 2020 Endpoint Standard DSER-26261

Device Control - Updated Device Control DB IDs.

December 16, 2020 Enterprise EDR DSER-29023

Updated label in device details window to reduce confusion.

December 16, 2020 Enterprise EDR DSER-20579

Clicking an Investigate table row that’s currently in-view in the right pane resulted in a right pane disappearing.

December 16, 2020 Enterprise EDR DSER-28966

Report Hits section of Process Analysis was generating bad links to the Enabled Watchlists page.

December 16, 2020 Cloud Forwarder DSER-28709

Translate Script Load fields on ModLoad events.

December 16, 2020 Cloud Forwarder DSER-28464

Removed dc_ prefix from alert forwarder device control fields.

December 16, 2020 Cloud Forwarder DSER-27381, DSER-27382, EA-17218

Alert Forwarder: Additional tooling to prevent corrupted gzipped files from being sent to S3. Prevent empty files from being sent to S3.

December 16, 2020 Cloud Forwarder DSER-27088

Update Alert Forwarder to deliver DC alerts.

December 7, 2020 All DSER-28453

Removed deprecated subroles from the Roles panel:

  • Dismiss VMware Alarms
  • Initiate VMware Remediations
  • Manage VMware Registration
  • View Virtual Assets
  • View VMware Remediations

December 7, 2020 Endpoint Standard DSER-27986

Non-printable Unicode characters are no longer inserted in display fields for improved line breaking.

December 7, 2020 Endpoint Standard DSER-28792

Could not reset default filters on the Alerts page.

December 7, 2020 Endpoint Standard DSER-28400

Fixed a navigation bug for MSSP users.

December 7, 2020 Endpoint Standard DSER-28665

Improved the display of the Dashboard top alert widgets.

December 7, 2020 Audit and Remediation DSER-28043

Fixed an error when closing a Live Response session through the End my session button.

December 7, 2020 Workloads DSER-27819

Console enhancements based on feedback from beta customers and user research for vulnerabilities:

  • The Risk panel now shows the fields that indicate whether a vulnerability is exploitable with the values Yes or No instead of TRUE or FALSE.
  • Fixed clickable values by column (currently only Windows vulnerabilities have a clickable link).
  • For VMs that have a Carbon Black sensor installed but an OS that is not supported for vulnerability assessment, a message indicates that vulnerability data is not available due to an unsupported OS version.

December 7, 2020 Workloads DSER-27954

Windows counts are now displayed in graphs for affected assets as well as product vulnerabilities.

December 7, 2020 Workloads DSER-27901

Added total vulnerability count description in the Learn More panel.

The following text is the first line in Learn More: "Check total vulnerabilities for a count of all vulnerabilities across all VM workloads and products (OS, apps, versions)."

November 23, 2020 All DSER-28363 When Policy Rules are displayed in Firefox, line breaks are now correctly used to separate the rules.
November 23, 2020 Endpoint Standard DSER-28113 The in-product Search Guide now correctly displays the available fields for the VMware Carbon Black Cloud product combinations deployed within an organization, for example, Endpoint Standard or Endpoint Enterprise (includes Enterprise EDR).
November 11, 2020 All DSER-12863 Enabled processing of events generated by sensors when malicious files have been detected and removed.
November 11, 2020 All DSER-27526 num_available field is now available in V6 Alert API, matching other APIs.
November 11, 2020 All DSER-26079 The Alerts page search now correctly handles uppercase watchlist names.
November 11, 2020 Endpoint Standard DETECT-2082, EA-17292 The Endpoint Standard sensor was correctly blocking malware from running and the cloud detection analytics were correctly generating an alert, but the alert did not have the correct ThreatCategory of KNOWN_MALWARE.
November 11, 2020 Audit and Remediation DSER-27523 Fixed CBLR Get File timeout errors that were generated while downloading large files.
November 11, 2020 Audit and Remediation DSER-27430 Support for latest stable version of osquery: 4.5.0.
November 11, 2020 Audit and Remediation DSER-27431 New recommended queries using new osquery 4.5.0 tables.
November 9, 2020 Enterprise EDR DSER-27092 Certain fileless_scriptload events could crash the Process Analysis page.
November 9, 2020 Enterprise EDR DSER-28126 The confirmation dialog did not automatically close after a successful request to apply a watchlist to historical data.
October 26, 2020 All DSER-27592 Updated the policy test query to ensure that consistent counts are produced.
October 26, 2020 All DSER-12863 Improved handling of registry auto-delete events.
October 26, 2020 All DSER-27523 Improved handling of very large file downloads via LiveResponse.
October 14, 2020 All LC-406 At the end of multi-line search queries in the Investigate search bar, the cursor insertion point was not displayed in the same place as edits.
October 14, 2020 All DSER-27394 Incorrect error message on alert dismissals.
October 14, 2020 All DSER-27012 Endpoint Standard and Enterprise EDR: Times displayed in the Alert Triage page showed current times for Process Start times.
October 14, 2020 Endpoint Standard DSER-26679 The Investigate page did not show the Selected App option when searching by hash.
October 14, 2020 All DSER-26588, EA-16942 Notification time converter used hours instead of minutes.
October 14, 2020 All DSER-21619 We have reworked the Policy Preview/Operation Attempt search buttons on the Policies page.
October 14, 2020 All LC-113 Facet searches did not return complete data.
October 14, 2020 All DSER-26686 IPv6 addresses of Local IP and Remote IP for Netconn event on investigate are now displayed in the correct order.
October 14, 2020 All DSER-14687 Sessions are now properly cleaned up when connectors/keys are deleted through the CSR user interface.
October 14, 2020 Audit and Remediation DSER-27001, EA-17147, EA-17148 Live Query > Query Results > Scheduled tab did not display data.
October 12, 2020 Endpoint Standard DSER-26998 On the Investigate page, Enriched Events tab > Applications sub-tab, the Delete application action was not available.
October 12, 2020 Enterprise EDR DSER-27437 Fixed process analysis alert integration.
October 12, 2020 Enterprise EDR DSER-27341 Users could only investigate the first query in a multi-query IOC.
September 28, 2020 All DSER-26162 In the Prevention tab on the Policies page, custom applications now allow commas in the path name.
September 28, 2020 Enterprise EDR LC-418 Process Summary v2 API endpoint was missing some process_guid entries in the siblings category.
September 28, 2020 Enterprise EDR LC-417 Process Summary v2 API endpoint was missing some expected fields such as has_children and hits.
September 28, 2020 Enterprise EDR LC-60 On the Process Analysis page and /events/ API endpoint, searching for alert_id values for CB Analytics alerts failed.
September 28, 2020 Enterprise EDR DSER-27199 Submitting a query on the Watchlist Investigate page disabled the left nav.
September 21, 2020 Enterprise EDR DSER-26653 In Watchlists pages, query IOCs did not have color-coded syntax highlighting.
September 21, 2020 Enterprise EDR DSER-26462 On the Investigate page, when a user typed - or + and then accepted a suggested search field name, the - or + character was removed.
September 21, 2020 Enterprise EDR LC-60 Searching on alert_id did not work the same way for Process Analysis (and /events/) as it did for Alerts and Investigate.
September 21, 2020 All DSER-26832 Concurrent database updates blocked each other and resulted in increased latency when processing status messages.
September 21, 2020 All DSER-23258 IP used for audit logging was incorrectly pulled from http header.
September 21, 2020 All DSER-21735 Users with View and Manage API Keys roles could not manage API keys.
September 21, 2020 All DSER-9895 First Admin in an Org Default Role was set to Admin instead of Live Response Admin.
September 21, 2020 All DSER-5907 Admins for a deregistered org could still login to the console.
September 21, 2020 All DSER-24470 Improved user interface for Confirm vs. Save on the Policy page.
September 21, 2020 Audit and Remediation DSER-25134 Running execfg in Live Response returned a write permission error when a command did not result in characters being written to stdout/stderr.
September 21, 2020 Audit and Remediation DSER-25265 Queries that returned a permissions column caused an error on the Query Results page.
September 21, 2020 Enterprise EDR DSER-26583 Some search fields were not properly highlighted on the Investigate search bar.
August 31, 2020 All DSER-26275 Improved error message on upload reputation failures.
August 31, 2020 Enterprise EDR LC-420 Investigate page submit button did not submit search with page defaults.
August 31, 2020 Enterprise EDR DSER-26465 Using arrow keys to select a suggestion replaced the search bar content.
August 31, 2020 Enterprise EDR DSER-26473 When a user deleted a Watchlist from the Watchlists page, the console showed a persistent progress bar.
August 31, 2020 Enterprise EDR DSER-26475 Links from the Investigate page to Process Analysis did not always load the Process Analysis page.
August 31, 2020 Enterprise EDR LC-105 API requests to update reports in a watchlist returned an HTTP 500 error if the value of a new report ID matched an old report ID.
August 21, 2020 All DSER-11426 IP addresses are selectable on the Alert Triage page.
August 21, 2020 All DSER-26171 Fixed broken hyperlinks for scriptload event hash on the Process Analysis page.
August 21, 2020 Enterprise EDR DSER-20308 Crossproc searches for crossproc_target:(true,false) returned the same results.
August 21, 2020 Enterprise EDR DSER-21992 In the Investigate search bar, the cursor insertion point did not display in the same place as edits at the end of multi-line search queries.
August 21, 2020 Enterprise EDR DSER-25762 The v2 Events Facet Search API endpoint always returned num_found: 0.
August 21, 2020 Enterprise EDR DSER-25797 On the Investigate page, the Submit button did not submit a search when no selections were made.
August 17, 2020 All DSER-25564 Endpoints page showed the old policy name instead of the new policy name when a policy change was pending.
August 17, 2020 All DSER-25427 HTML SPAN tags were improperly displayed in the console dialogue box.
August 17, 2020 All DSER-8707 The portscan TTP was not available in Add Notification.
August 17, 2020 All DSER-25731 The Release Notes link was outdated.
August 17, 2020 All DSER-25371 Internal and external device IPs were not set correctly for enriched events.
August 17, 2020 All DSER-10380 Dashboard layout and feedback routes are fixed.
August 17, 2020 All DSER-25648 Changes made to Alert Type in the Notification Configuration page were not saved.
August 17, 2020 All DSER-25675 Alerts API generated a poorly formatted response.
August 17, 2020 All DSER-20311, DSER-25468 The Policy permission page let you click the Save button without clicking the Confirm button.
August 17, 2020 All DSER-25796 "An error occurred - please refresh the page" message displayed when accessing the Investigate tab.
August 17, 2020 All DSER-25124 Live Response file upload from sensor failed when the content was zero bytes.
August 17, 2020 All DSER-22828 Exporting data from the Endpoint Health widget now returns the Last Contact Time so that it is consistent with the export from the Endpoints page.
August 17, 2020 All DSER-19509 CBLR put command appeared to hang indefinitely if the target directory did not exist or if the file already existed.
August 17, 2020 All DSER-22632 A Live Response session could hang while uploading a file.
August 17, 2020 All DSER-24976 The Endpoint OS filter did not apply to exports.
August 17, 2020 All DSER-20901 Added an audit log entry for SAML login configuration change.
August 17, 2020 All DSER-23790 The Endpoints page incorrectly displayed an endpoint user-initiated sensor bypass as an Admin action.
August 17, 2020 Endpoint Standard DSER-21979 The console showed different target values for machines in the same policy.
August 17, 2020 All DSER-18900 The backend did not honor the sensor policy that was specified in cfg.ini.
August 17, 2020 All DSER-25432 Deleting a user in the console did not delete the Google Auth Token.
August 12, 2020 Enterprise EDR DSER-14758 Searching by device_internal_ip returned no results for Enterprise EDR-native events on the Investigate page.
August 12, 2020 Enterprise EDR DSER-22952 Searching on the events area of Process Analysis now has the same validation experience as the Events tab of the Investigate page.
August 3, 2020 All EA-14505, EA-13452, DSER-16563 Dashboard Export All feature sometimes timed out.
August 3, 2020 Endpoint Standard DSER-25480 The Test Rule query from the Policies page was passed to the Investigate page with double quotes, thereby resulting in zero results.
July 23, 2020 All DSER-25648, EA-16738 On the Notifications configuration page, some notification changes made to certain filters were not being saved.
July 23, 2020 All CWP-2422 The Endpoints page displayed under Inventory in the left navigation pane.
July 21, 2020 Enterprise EDR DSER-18853 Watchlist bulk report /ignore API errors appeared if too many reports were requested. This caused the Watchlists page to show cryptic errors on Watchlists with a large number of reports.
July 21, 2020 Enterprise EDR DSER-19364 Process tree API sometimes returned an empty reply, causing 502 errors. This also caused the Process Analysis page to report 502 errors.
July 21, 2020 Enterprise EDR DSER-24803 Process tree API returned 502 error for non-existent process_guid, rather than 404 error.
July 21, 2020 Enterprise EDR DSER-25099 Investigate queries with '=' character did not successfully search.
July 21, 2020 Enterprise EDR DSER-25146 /events/_search API with cb.fields parameter returned reputation data in non-reputation fields.
July 21, 2020 Enterprise EDR DSER-25158 The process_cmdline and parent_name fields did not return when requested using the cb.fields parameter on Process Search v2 API.
July 21, 2020 Enterprise EDR DSER-25223 Investigate page did not properly highlight multiple values for a single query term such as process_name:(A OR B OR C).
July 16, 2020 All DSER-23567 Subnet sensor group assignment failed when endpoint IP changed.
July 16, 2020 All DSER-11099 Alert comment was not saved when the comment contained 198 or more characters.
July 16, 2020 All DSER-24664 Dashboard exports had missing reports.
July 16, 2020 All DSER-24719 Reputation did not appear for events on the Investigate page.
July 16, 2020 Enterprise EDR DSER-25099 Fixed an issue where we weren’t URL-encoding queries when linking to Investigate.
July 16, 2020 Enterprise EDR DSER-25223 Field names were highlighted when they weren’t being used as field names.
July 16, 2020 All DSER-21621, EA-15928 Option to move Linux sensors into a sensor group was not successful.
July 16, 2020 All DSER-21622 A duplicate API key name error occurred on the API Access page, despite there being no duplicate API key name.
July 16, 2020 All DSER-24857 Alert triage links did not always open.
July 16, 2020 All DSER-24719 Process reputation did not always appear on the Investigate page.
July 16, 2020 All DSER-24146 Fixed time filters when filtering by time in alert searches via API.
July 16, 2020 All DSER-23123 Links in alert notifications for an org belonging to an MSSP will now bring the user to the relevant org, not the MSSP org.
July 16, 2020 All DSER-22649 Added severity as an option for all notification types.
July 16, 2020 All DSER-22217 Dashboard widgets alert counts are now consistent.
July 16, 2020 All DSER-21365 Dismiss alert comments were not getting added to Notes.
July 16, 2020 All DSER-20897 Query issue fixed for export of audit log and reputation.
July 16, 2020 All DSER-19125 Alerts with more than 198 characters can now be dismissed without error.
July 16, 2020 All DSER-17409 Alert count discrepancies between dashboard widget and alerts page are fixed.
July 16, 2020 All DSER-16912 Missing application name issue is resolved.
July 16, 2020 All DSER-23776 Sensor Upgrade Service allows multiple in-progress jobs.
July 16, 2020 All DSER-22490 Accordion on the Jobs page includes job details.
July 16, 2020 All DSER-21572 Allow bulk deletion of uninstalled endpoints from the Endpoints page.
July 16, 2020 All DSER-24129 Sensor was not being evicted from conferDeviceToOrgCache.
July 16, 2020 All DSER-24703 MSM did not report sensor group_set.last_process_time when an error occurred on processAll.
July 16, 2020 CB Defense DSER-19980 Could not re-add email address to the console users.
July 16, 2020 CB ThreatHunter DSER-16278 Watchlists page had no timeout on the hits queries.
July 16, 2020 CB ThreatHunter DSER-19041 HTTP 403 responses did not have a useful search bar message.
July 16, 2020 CB ThreatHunter DSER-19132 Report search feature of Watchlists page left table rows selected when submitting a new search.
July 16, 2020 CB ThreatHunter DSER-19364 Process tree API sometimes returned an empty reply, causing 502 errors.
July 16, 2020 CB ThreatHunter DSER-20386 /status and /results routes of the Search API disagreed on progress counts.
July 16, 2020 CB ThreatHunter DSER-20671 Process analysis tree did not indicate when it displayed partial results.
July 16, 2020 CB ThreatHunter DSER-20957 Fixed error notification on Enabled Watchlists page that occurred when a report had been deleted but its ID remained in the selected watchlist.
July 16, 2020 CB ThreatHunter DSER-22191 Search by Enterprise EDR watchlist Alert ID did not return any results.
July 16, 2020 CB ThreatHunter DSER-23960 The Process Analysis page did not always load, and returned a 502 or 504 error code.
July 16, 2020 CB ThreatHunter DSER-24738 The Process Analysis page requested multiple alert IDs from a single alert lookup API.
July 6, 2020 CB LiveOps EA-16055, DSER-24727 In cases where the initial set of active devices is low (for example, during off-hours), a query might have completed too early and eligible devices would not run the query. Previously, eligible devices whose last contact time was within the last 2 hours were examined. This window is extended to the last 7 days.
July 6, 2020 CB LiveOps EA-16525, DSER-24962 Timeout errors when attempting to export Live Query results from the console or API.
July 6, 2020 CB ThreatHunter DSER-18962 Could not add all reports to Watchlist when > 10,000 Reports.
July 6, 2020 CB ThreatHunter DSER-20957 Reports were missing in custom watchlists, with an error.
July 6, 2020 CB ThreatHunter DSER-22191 Search by Enterprise EDR watchlist Alert ID did not return results.
July 6, 2020 CB ThreatHunter DSER-22928 On the Investigate page, buttons next to each search result required two clicks to switch to the intended page.
July 6, 2020 CB ThreatHunter DSER-23249 Process Analysis did not show all childprocs in the tree diagram.
June 22, 2020 CB Defense DSER-24268 The number of times a hash has been seen in your org is again shown in the appropriate Take Action pop-ups, with a more accurate description.
June 22, 2020 CB Defense DSER-24261 Refreshing the Alerts Triage page sometimes generated an error.
June 22, 2020 CB LiveOps DSER-24676 On the individual Query Results page > Results tab, the table columns overlapped if column names were long.
June 22, 2020 CB ThreatHunter DSER-24056 Clicking the event count link on the Applications tab under the Enriched Events tab on the Investigate page did not always reload the page correctly.
June 22, 2020 CB ThreatHunter DSER-24675 Executing multiple favorite searches in a row did not always work as expected.
June 11, 2020 All DSER-21975 The console failed to terminate a user’s session after being inactive for 60+ minutes. Users are now logged out after 60 minutes of inactivity.
May 26, 2020 CB LiveOps DSER-23553 The Live Query Results email was confusing and out of date with the content in the console.
May 26, 2020 CB LiveOps DSER-23408 Live Query CSV Export feature failed if all result fields for a given query did not have the same number of columns.
May 26, 2020 CB ThreatHunter DSER-23579 Search more accurately returns results that match the specified time window because it is now using the timestamp when the sensor observed the event.
May 20, 2020 CB LiveOps DSER-12847 Using the Duplicate feature on the individual Query Results page caused filters to disappear.
May 20, 2020 CB LiveOps DSER-17777 When the Show new results bar is clicked to refresh results, expanded facets aren't updated.
May 11, 2020 All DSER-23479 Linux sensors could not be uninstalled from the console.
May 11, 2020 CB LiveOps EA-14906, DSER-18241, DSER-23576 The Go Live button was occasionally missing from the Alert Triage page.
May 11, 2020 CB LiveOps DSER-23443 Stopped results count disappeared from the Query Results page.
May 11, 2020 CB LiveOps DSER-22975 The footer on the Query Results page table was not attached to the page and required you to scroll to access pagination.
May 11, 2020 CB LiveOps DSER-19327 One-Time and Scheduled tables displayed Showing 0-x of y in the footer, instead of starting the pagination with 1.
May 11, 2020 CB LiveOps EA-15080 Infrequent intermittent 404 errors occurred when running Live Response commands to retrieve data from an endpoint and when trying to run a vbscript.
May 11, 2020 CB LiveOps TR-4666 The case statement in the “Verify RDP Status” compliance query was backwards. The query should return “ENABLED” if RDP is Enabled, and “DISABLED” if RDP is Disabled.
May 11, 2020 CB LiveOps EA-16096, DSER-23206 Timeout errors occurred when attempting to download a large CSV of Live Query results from the console or API. CSVs that were downloaded often only contained a partial or incomplete result set.
May 11, 2020 CB ThreatHunter DSER-17465 Right pane on the Investigate page sometimes missed process command line data.
May 11, 2020 CB ThreatHunter DSER-23189 Calling the cancel search API endpoint returned an HTTP 404 response.
May 11, 2020 CB ThreatHunter DSER-23374 When a search field was preceded with a "-" character, the Investigate page did not suggest possible values for that field.
April 30, 2020 All DSER-20723, DSER-20725 Update Sensors window displays only the platforms that are applicable to the user’s endpoint selection.
April 27, 2020 CB ThreatHunter DSER-22687 Button from watchlist Alerts to Investigate page included redundant fields.
April 22, 2020 All DETECT-1521 R_DROPPED_PUP TTP with incorrect reason is fixed.
April 22, 2020 All DETECT-1544 Target app blacklist alert description was using the incorrect process name.
April 22, 2020 All DETECT-1524 Spearphishing MITRE TID TTP is more selective.
April 22, 2020 CB Defense DSER-22319 On the Investigate page, the Target Command Line is now included in free text search.
April 22, 2020 CB Defense DSER-22841 Users without certain permissions could not see a sensor’s policy name on the Endpoints page.
April 22, 2020 CB LiveOps DSER-17138 Notifications dropdown was missing from Audit- and Remediation-only organizations.
April 22, 2020 CB LiveOps DSER-23210 Individual query results page stretched horizontally with long SQL as the query name.
April 22, 2020 CB ThreatHunter DSER-23152 Watchlists page did not show the enabled watchlists after editing an enabled watchlist.
April 13, 2020 CB Defense DSER-22856 Options that are not available for Linux endpoints on Endpoint Standard are hidden from dropdown menus when a Linux endpoint is selected.
April 13, 2020 CB Defense DSER-22857 The Linux icon was missing from the Known malware category on the Policies page.
April 13, 2020 CB LiveOps DSER-23008 Re-running a query from the one-time table did not update the table to show the new run, and required a refresh of the whole page.
April 13, 2020 CB ThreatHunter DSER-22259 Deselecting filter values caused unselected categories to disappear on the Investigate page.
April 9, 2020 All DSER-16395 Checkboxes on the Endpoints page remained checked after the action was taken.
April 9, 2020 CB LiveOps DSER-22696 The Query Exchange link redirected to the old Query Hub on the User Exchange.
April 9, 2020 CB LiveOps DSER-22690 Attempting to run a query on an endpoint that had not checked in within two hours appeared to do nothing. An HTTP 400 error code “Incompatible Query” was issued.
April 9, 2020 CB ThreatHunter DSER-19026 The Process Analysis tree did not render when there were too many child processes.
April 9, 2020 CB ThreatHunter DSER-21829 Report was not created on PUT to /feedinfo if Feed had existing Reports.
April 9, 2020 CB ThreatHunter DSER-22612 The Investigate button on the Alerts page did not include the alert_id for the Alert that was being investigated.
April 9, 2020 CB ThreatHunter DSER-22676 Watchlists detections did not handle escaped ":" character in query IOCs.
April 1, 2020 All DSER-21496 Fixed misaligned tables when printing the User Guide.
April 1, 2020 All DSER-16164 Clicking on the link in an email brought you to the Investigate page with no results.
April 1, 2020 All DSER-20412 Removed hash count from associated Take Action actions on the Alert Triage page.
April 1, 2020 CB Defense N/A The alert description was missing contextual information.
April 1, 2020 CB Defense DSER-21898 Process name in TTP lists did not render properly in some scenarios.
April 1, 2020 CB Defense DSER-21982 TTPs did not always align properly in narrow browser windows.
April 1, 2020 CB LiveOps DSER-21909 Live Query Standalone only: Under Settings, you could navigate to the API Keys page and enable the LQ APIs.
April 1, 2020 CB ThreatHunter DSER-22114 Search bar colors for syntax highlighting on the Investigate page did not meet accessibility standards.
March 5, 2020 CB Defense EA-15848 An update to a detection involving rundll32.exe editing registry keys resulted in an unexpected false positive to true positive ratio. A fix was deployed to refine the detection; however, it took longer than expected for alerts to return to historical levels. Alerts have now returned to historical levels for false/true positives.
March 2, 2020 CB LiveOps DSER-21601 The Schedule button on the Live Query Schedule pane from Recommended Queries now has a loading state.
March 2, 2020 CB LiveOps DSER-13256 When trying to rerun a query that is targeted to run on a deregistered device, the Rerun button now returns an error.
March 2, 2020 CB ThreatHunter DSER-21338 Process Analysis tree did not display a red Denied shield icon on the parent node that attempted to run a blocked process.
February 18, 2020 CB ThreatHunter DSER-18129 The search_validation API endpoint returned a 200 HTTP response on internal server error.
February 18, 2020 CB ThreatHunter DSER-19463 ProcessCard on the Investigate right pane concatenated multiple policy actions into one word.
February 18, 2020 CB ThreatHunter DSER-20505 Editing a watchlist in the Watchlists pages removed Reports if there were more than 50 reports.
February 18, 2020 CB ThreatHunter DSER-21423 Fixed 502 Bad Gateway on the Investigate page when sorting on count fields with certain queries.
February 3, 2020 All DSER-19197 Users could not print more than one page in the User Guide when the guide was opened in full screen mode.
February 3, 2020 CB ThreatHunter DSER-19242 On the Process Analysis page, crossproc event text was not always accurate.
February 3, 2020 CB ThreatHunter DSER-21364 Watchlists now support CIDR notation in the netconn_ipv4 field for IOC_V2 of match_type = equality.
January 30, 2020 All DSER-16376 Could not add Linux Sensors into sensor management groups.
January 30, 2020 CB ThreatHunter DSER-19026 Process Analysis tree did not properly render with multiple child processes.
January 30, 2020 CB ThreatHunter DSER-20681 The primary process was changing to the selected node on the Process Analysis page.
January 30, 2020 CB ThreatHunter DSER-20868 The "execution of cmd from a non-standard path" Watchlist Report was missing a colon character in a term's value.
January 30, 2020 CB ThreatHunter DSER-20912 PID appeared in the Signature component of the Investigate and Process Analysis pages.
January 30, 2020 CB ThreatHunter DSER-21144 Some feeds showed on the Add Watchlists page for already-subscribed feeds.
January 21, 2020 CB Defense DSER-20521 Threat Reports widget investigated all available time frame.
January 21, 2020 CB Defense DSER-21142 Threat Reports widget was not available in EU and APJ.
January 21, 2020 CB Defense DSER-20445 The “Beta” label is removed from the Roles page. Roles is no longer in a state of Open Beta, and is fully functional and available for all customers.
January 21, 2020 CB LiveOps DSER-20654 Exporting a CSV of Live Query results produced an "Out of Memory" error, and the download failed when attempting to download a large amount of data.
January 21, 2020 CB ThreatHunter DSER-20220 Value search queries on Investigate or Process Analysis pages displayed an error when new fields were introduced.
January 21, 2020 CB ThreatHunter DSER-20180 Process Analysis page shows "+" icon on tree nodes that, when clicked, did not show any child nodes.
January 9, 2019 CB ThreatHunter DSER-20679 On the Investigate page, long-running facet population queries resulted in an inability to see search results.
December 9, 2019 CB ThreatHunter DSER-20085 On the Endpoints page, the sig pack update status column is redundant for CB ThreatHunter stand-alone customers.
December 9, 2019 CB ThreatHunter DSER-19972 On the Process Analysis page, while the Events table was being updated with additional data, user-expanded event details were closed within 2 seconds.
December 4, 2019 All DSER-20251 Usability improvements to the Threat Reports widget.
December 4, 2019 All EA-12527, DSER-16103 The incorrect IP was being shown in the Audit log.
December 4, 2019 CB Defense DSER-20153 Clearing the filters on the left panel for alerts also cleared the search criteria.
December 4, 2019 CB Defense DSER-15937 Application name was not shown in the policy impact panel in some cases.
December 4, 2019 CB LiveOps EA-15013, DSER-18897 Searching for a complete device name using the endpoint selector on the New Query page was not working correctly when the device had a backslash or hyphen in the name.
December 4, 2019 CB LiveOps EA-15013, DSER-18895 On an individual query result page, navigating from the Devices tab to the Results tab via the Results Matches table link returned no results.
December 4, 2019 CB LiveOps DSER-19889 Clicking Result count on the Devices tab returned an error message.
December 4, 2019 CB ThreatHunter DSER-13274 The Clear button on the Process Analysis page changed case on the Firefox browser when a filter was applied.
December 4, 2019 CB ThreatHunter DSER-11751 Long process names caused the selected node panel to have a horizontal scroll bar.
December 4, 2019 CB ThreatHunter EA-13266 Dismissed watchlist alerts re-appeared.
November 25, 2019 CB Defense DSER-19496 Include Dismissed Alerts and Group Alert filters were not accounted for in the Dashboard CSV export.
November 25, 2019 CB Defense DSER-19878 400 errors appear on the Network tab on the Alerts page.
November 25, 2019 CB Defense DSER-19959 After drilling down on an alert on the Investigate page, changing alerts sometimes showed the wrong alert on the Alert Triage page.
November 25, 2019 CB Defense DSER-20058 Counts in the filter panel and header on the Alerts page did not update after alerts were dismissed.
November 25, 2019 CB Defense DSER-20242 Filtering by a custom time window twice caused filters to not update as expected.
November 25, 2019 CB LiveOps DSER-19966 Endpoint query selection is persistent between new queries even after navigating away from the page. This affected both the Recommended and the SQL Query tabs.
November 25, 2019 CB LiveOps DSER-19889 Clicking the Result count from the Devices tab resulted in an error toast message for devices that had “\u” in the name.
November 25, 2019 CB LiveOps DSER-19763 Rare edge case where individual query results page crashed when loading Query Details.
November 25, 2019 CB ThreatHunter DSER-20114 The search value for process_cmdline searches can now include the "&" character.
November 11, 2019 All DSER-19853 Selecting a device name from the Investigate page or Endpoints page did not filter the results, or only filtered results temporarily. A related KB article describes the issue, cause and resolution.
November 11, 2019 All DSER-19774 Clicking the Help icon on the Investigate page caused the page to stop working and required a reload.
November 11, 2019 CB Defense DSER-19660 Dashboard counts update as expected when alerts are dismissed.
November 11, 2019 CB Defense DSER-19820 Simultaneously dismissing multiple alerts now works as expected.
November 11, 2019 CB Defense DSER-19635 The Delete Application button is restored to the Investigate page.
November 11, 2019 CB Defense DSER-19641 Notes for grouped alerts now only show on the grouped alert.
November 11, 2019 CB LiveOps DSER-19720 Fixed a number of minor user interface issues and inconsistencies on the individual Query Results page.
November 11, 2019 CB LiveOps DSER-17956 Opening the User Guide on various CB Live Response and Live Query pages redirected to the User Guide Table of Contents instead of to the relevant User Guide page.
November 11, 2019 CB LiveOps DSER-18971 Running a command with long outputs caused the Live Response console window to overlap with other elements on the page, and display other scrolling behavior oddities. This only affected the most recent versions of Chrome.
November 11, 2019 CB LiveOps EA-14547, DSER-19612 The Go Live button was sometimes disabled when logging into the console from some devices. The Go Live button is no longer disabled if a page is left idle for more than ten minutes.
November 11, 2019 CB ThreatHunter DSER-19158 Translate API added escape characters to pre-escaped backslash and wildcard characters.
November 11, 2019 CB ThreatHunter DSER-19368 When clicking links to the Investigate page under certain circumstances, you were directed to /cb/investigate/events instead of /cb/investigate/processes.
October 28, 2019 CB ThreatHunter DSER-17129 Filemods on the Process Analysis page did not display the hash of the file.
October 23, 2019 CB ThreatHunter DSER-18170 On the Process Analysis page, netconn events are reporting "Connection Direction: Outbound" for both inbound and outbound netconns.
October 23, 2019 CB ThreatHunter DSER-19158 In the Convert Legacy Query API endpoint, any value for the field that converts to process_cmdline which includes backslashes to escape are incorrectly escaped again.
October 23, 2019 CB ThreatHunter DSER-18966 The Process Analysis table now default sorts in ascending order.
October 23, 2019 CB Defense EA-14551, DSER-19108 Binary details were missing from the Alerts Triage side panel in some instances.
October 23, 2019 CB Defense DSER-16406 Process count in the Rule Preview on the Policies page is different from the Investigate results count.
October 23, 2019 CB Defense DSER-19392 TTPs now display in the Enriched Events side panel on the Investigate page.
October 23, 2019 CB Defense DSER-12250 The notifications indicator makes it clear which notifications are read or unread.
October 23, 2019 CB Defense DSER-18844 On the Endpoints page, clearing search now fully clears all parameters.
October 23, 2019 All DSER-17187 Add to Blacklist and Add to Whitelist modals now show consistent data in all pages.
October 14, 2019 CB ThreatHunter DSER-11445 Hovering the mouse over an Investigate search filter hid the percentage values.
October 14, 2019 CB ThreatHunter DSER-16083 When editing a watchlist name or description on the Watchlists page, if the backspace key is used to delete the entire entry, the entry is rewritten to the original value. This happens if the input is highlighted and deleted or if the backspace key is held.
October 14, 2019 CB ThreatHunter DSER-17544 On the Investigate page, a parent process in the right panel sometimes randomly shows counts.
October 14, 2019 CB ThreatHunter DSER-18863 The UI does not always respect API validation success.
October 7, 2019 CB LiveOps DSER-18859, EA-15013 On the Results tab of the Results page, searching for an endpoint with a \ in the name returned no results.
September 30, 2019 CB LiveOps DSER-18858 Intermittent issues where Go Live was disabled on the Endpoints page for some console users but not others, independent of the Internet browser.
September 30, 2019 CB LiveOps DSER-18259 Devices tab on the Results page produced an error when navigating to a stopped query.
September 30, 2019 CB ThreatHunter DSER-17944 Clear search button cleared just the search bar and not selected filters on the Investigate page.
September 30, 2019 CB ThreatHunter DSER-17417 If HTML special characters (&, =, etc.) were used in a query, clicking the Investigate icon from the IOC page truncated the query.
September 30, 2019 CB ThreatHunter DSER-16760 Hits popover in Investigate page displayed invalid date and no metadata.
September 18, 2019 All DSER-16531 In rare instances, the sensor did not receive the latest policy information from the backend.
September 18, 2019 CB Defense DSER-15901 An internal server error was returned when adding a Connector with a special character, or when the first word matched an existing Connector.
September 18, 2019 CB ThreatHunter DSER-13271 No field descriptions/examples existed in many suggestions for search fields on the Process Analysis page.
September 18, 2019 CB ThreatHunter DSER-15532 Searching on the Process Analysis page with a negated field yielded no results.
September 18, 2019 CB ThreatHunter DSER-16190 The device_policy field was not always populated in API data or investigate filters.
September 18, 2019 CB ThreatHunter DSER-17643 When clicking into the Investigate search field, the user had to click in the vertical center to get focus.
September 18, 2019 CB ThreatHunter DSER-17341 Investigate search bar was not correctly color-coding certain fields.
August 30, 2019 CB ThreatHunter DSER-17542 Paths with leading / or \ in facets work when selected.
August 5, 2019 CB LiveOps DSER-13859 Filters on the Results page sporadically disappeared when selecting a device filter that resulted in non-matching or error devices.
August 5, 2019 CB ThreatHunter DSER-14758 Searching by device_internal_ip returned no results for CB ThreatHunter-native events on the Investigate page.
August 5, 2019 CB ThreatHunter DSER-15767 When the PSC had no recent data for your organization, the Enabled Watchlists page displayed an unhelpful error. The error now reads "No hits available for past 3 days".
August 5, 2019 CB ThreatHunter DSER-16153 Improved the accuracy of the Process Start Time that the Process Analysis page reports.
August 5, 2019 CB ThreatHunter DSER-16482 Add Query to Watchlist gave an error when certain characters existed in search field values.
August 5, 2019 CB ThreatHunter DSER-17060 Event counts on the Processes right pane show as "---", not "0", for the enriched data stream.
August 5, 2019 CB ThreatHunter DSER-17451 In some situations, the bottom pagination bar on the Process Analysis page did not load.
Release Date Product Issue ID Description
December 17, 2021 All CWP-10433 Export for large data sets under Vulnerabilities (where the exported file size > 5 GB) times out. Workaround is to export a reduced number of records by applying filters to the affected table.
December 1, 2021 All CBC-8443 Actions taken by VMware users are not visible in the customer's audit logs. Workaround: logs are available upon request with a support ticket.
November 8, 2021 All DSER-36314 Data Forwarder filtering throws an error for the process_path field when the : character is not escaped, but not when the \ or / characters are not escaped.
October 27, 2021 All DSER-36023 Linux VDI parent/child hierarchy may be reported incorrectly in environments where an appliance is installed. There is no known workaround for this issue, but it will be resolved in a future sensor release.
October 27, 2021 Container Essentials KRS-606 Network map shows no activity on GKE v2 dataplane cluster.
July 16, 2021 All DSER-33425 Audit Log export to CSV times out after 60 seconds without any error or message in the user interface to notify the user.
June 25, 2021 All DSER-32435 Sensor groups configured to include devices based on minor OS names can include devices that match the major OS name. For example, a group configured to include Windows 7 x64 devices can include other Windows 7 devices. This issue affects Windows, macOS, and Linux devices.
May 27, 2021 All DSER-32293 When viewing the Investigate page, the Effective Reputation displays two dashes ("--") instead of a valid reputation.
May 27, 2021 All DSER-32012 The Sensor group "Processing" message can continue to display if the job has not completed successfully.
April 29, 2021 Container Essentials CBC-6468 On the container image vulnerabilities page, the numbers for images and vulnerabilities under the All filter do not reflect the status of the Running in Kubernetes filter in the table.
April 29, 2021 Container Essentials CBC-6540 On the Kubernetes images page, the number of workloads displayed can occasionally fall out of sync with the most recent value. The corresponding Workloads window displays up-to-date information.
April 29, 2021 Container Essentials CBC-6388 In the exceptions tab on a CVE's modal window, there is a slight delay between when an exception is deleted and when the exceptions table reflects the updated status. As a result, the table can show stale or invalid exception data for up to a second after the deletion. Refreshing the table resolves this issue.
April 29, 2021 Container Essentials N/A All search boxes for container image search tables support regular expression queries; searching for literal strings containing regular expression modifiers may yield unexpected search results. Characters such as "+" and "*" must be prefixed with a "\" (the regular expression escape character) to search for those actual characters.
April 26, 2021 All DSER-31444 The Uninstall Sensor action does not apply to all sensors matching the current search on the Endpoints page.
March 18, 2021 Endpoint Standard DSER-30385 When viewing the Alerts page, the user value can show the user that installed the sensor instead of the user logged in at the time of the Alert. When viewing the Alert on the Investigate page, the user logged in at the time of the alert displays correctly.
December 22, 2020 Container Essentials GRC-328 Searching Kubernetes resources using a MAPL rule with no conditions returns no results.
December 22, 2020 Container Essentials GRC-320 When updating a template, rules search fields are disabled and rules cannot be searched.
December 22, 2020 Container Essentials GRC-345 Some violations appear under the unknown resource group.
December 16, 2020 All DSER-28814 The process tree on the Alerts Triage page might include blank entries.
November 11, 2020 All DSER-27969 The Process Analysis graph might display a process as both parent and child of the same process.
August 31, 2020 Enterprise EDR TPLAT-9183 Signature status is UNKNOWN for valid signatures.
August 21, 2020 Enterprise EDR DSER-26035 The /tree Search API endpoint returns "resource does not exist" for a known process_guid.
August 21, 2020 Enterprise EDR DSER-26185 When using arrow keys to select a suggested query term or value, the search bar on some pages replaced the existing search bar contents instead of inserting.
August 17, 2020 All DSER-25397 Watchlist report does not port to the Investigate query page.
August 17, 2020 Enterprise EDR DSER-25929 Link from Watchlist Alert to Investigate does not show all relevant metadata.
August 17, 2020 Enterprise EDR DSER-25981 Search API facet requests do not process range parameters.
August 3, 2020 All DSER-23471 Exporting individual widgets sometimes times out in dashboard Export.
August 3, 2020 Enterprise EDR DSER-25536 The Process Analysis button on the Investigate page does not work when Investigate is opened from the Watchlists page.
July 16, 2020 All DSER-25329 Facet searches can report as completed before the search completes.
July 16, 2020 All DSER-25244 Watchlist deletion is not tracked in the audit log.
July 16, 2020 All DSER-25244 If an org removes Enterprise EDR, Watchlist alerts can still occur.
July 16, 2020 All DSER-24196 API search might return different results based on field filtering order.
April 22, 2020 CB ThreatHunter DSER-22243 Process Analysis page shows Parent PID in all childproc event results.
April 22, 2020 CB ThreatHunter DSER-22683 When you delete a watchlist from the Watchlists page, the progress bar persists.
April 1, 2020 CB LiveOps DSER-22116 Line numbers above 99 display incorrectly on the SQL Query tab.
February 18, 2020 CB ThreatHunter DSER-17540 The time range on the Reputation page search shows only reputations from the last 2 weeks by default.
February 18, 2020 CB ThreatHunter DSER-21594 Feed Manager does not check for the existence of a report before attempting to add it to a custom Watchlist.
January 6, 2019 CB ThreatHunter DSER-20504 Reports return HTTP 500 errors if a new report's ID collides with an old one.
December 9, 2019 CB ThreatHunter DSER-20288 The lower half of IPv6 addresses displays as zeroes on the Process Analysis page.
December 9, 2019 CB ThreatHunter DSER-20310 DENY value is not suggested for the sensor_action field on the Investigate page.
October 14, 2019 CB ThreatHunter DSER-19092 The Include historical data checkbox in Watchlists settings does not stay checked.
September 18, 2019 CB ThreatHunter DSER-18136 Search validation never responds for extremely long searches on the Investigate and Process Analysis pages.
August 5, 2019 CB ThreatHunter DSER-11959 When the user types - or + and then accepts a suggested search field name, the + or - character is removed from the search bar on the Investigate page.
August 5, 2019 CB ThreatHunter DSER-12538 Binary Details page terminates when UBS APIs return unexpected output.
August 5, 2019 CB ThreatHunter DSER-14148 When the Investigate search bar overflows to multiple lines, you cannot use keyboard navigation or selection.
August 5, 2019 CB ThreatHunter DSER-15187 process_publisher searches on the Investigate page return both signed and unsigned binaries.
August 5, 2019 CB ThreatHunter DSER-15385 Result count drops and rises when changing filters or terms on Investigate search.