CB Response 6.3.0 User Guide

Note: This document applies to Cb Response versions 6.3.0 and 6.3.1.

The CB Response 6.3.0 User Guide is written for both the cloud and on-premises editions of CB Response. It provides information for administrators and for members of Security Operations Center (SOC) and Incident Response (IR) teams who are responsible for setting up and maintaining security for endpoints and networks, as well as assessing potential vulnerabilities and detecting advanced threats. This document includes information about the following topics:
• Console user accounts and using the console
• Sensors and sensor groups
• Incident response
• Process and binary search and analysis
• Threat intelligence feeds
• Investigations
• Watchlists and alerts

See the Comments section for a brief summary of changes to this document since release 6.2.4.

Additional changes for the April 2019 CB Response 6.3.0 User Guide:

  1. In the "Using Live Response" section of the "Responding to Endpoint Incidents" chapter, clarified that the console user interface for enabling and disabling Live Response is activated by default in new installations of version 6.3.0. To remove the ability to change this through the console (and fix Live Response as either enabled or disabled), you must explicitly set CBLREnabled to either True or False in the cb.conf file.

Change log for the March 2019 CB Response 6.3.0 User Guide (changes since the most recent 6.2.4 User Guide):

  1. In the “Getting Started” chapter, two new Advanced Settings on the Settings page are documented:
    - The EU Data Sharing Banner setting allows administrators to add or remove a red banner at the top of all console pages indicating that users should be cautious about data sharing. This setting can also be overridden in cb.conf.
    - The CB Live Response setting allows administrators to enable and disable Live Response for all users. This setting can also be overridden in cb.conf.
  2. Also in the “Getting Started” chapter, descriptions of the Settings, Shared Settings, and Notifications menus have been added.
  3. The chapters "Managing User Accounts for On-Premise Servers" and "Managing User Accounts for Cloud Servers" have been significantly modified for this release. They have been updated to describe additional changes to the user and team privileges needed to access CB Response features. In addition to these chapters, multiple locations in the user guide have been updated to indicate where the new permissions features affect a user’s access to particular features.
  4. Multiple locations throughout the user guide have been updated to reflect that the server now displays and allows searches for SHA-256 hash data provided by sensors. Check the User eXchange or Carbon Black Support for information about sensors capable of generating SHA-256 hashes.
  5. In the “Binary Search and Analysis” chapter, an obsolete description of how to access the Binary Preview page was updated; it is now accessed by clicking on an icon to the left of results in a table.
  6. In the “Advanced Search Queries” chapter, the description of tokenization in cmdline queries was updated to indicate that the previously optional enhanced tokenization method is now the standard in 6.3.0.
  7. Appendix B, “Sensor Health Score Messages,” has been added to describe health score messages that display on the Sensor Details page.
  8. Other minor corrections and improvements were made throughout.