CB Response 6.4 User Guide

Note: This document applies to CB Response Server versions 6.4.0 and 6.4.1.

The CB Response User Guide is written for both the cloud and on-premises editions of CB Response. It provides information for administrators and for members of Security Operations Center (SOC) and Incident Response (IR) teams who are responsible for setting up and maintaining security for endpoints and networks, as well as assessing potential vulnerabilities and detecting advanced threats. This document includes information about the following topics:

  • Console user accounts and using the console
  • Sensors and sensor groups
  • Server certificate management
  • Incident response
  • Process and binary search and analysis
  • Threat intelligence feeds
  • Investigations
  • Watchlists and alerts

See the Comments section for a brief summary of changes to this document since the previous edition.


Change log for the June 2019 CB Response 6.4.0 User Guide (changes since the most recent 6.3.x User Guide):

  1. In the “Installing Sensors” chapter, proxy support instructions were added to the “Installing Sensor on Windows” section.
  2. A new chapter, “Managing Certificates for Server-Sensor Communication”, has been added to describe the new TLS certificate management features in this release.
  3. In the “Process Search and Analysis” chapter, new information has been added describing changes that improve the search experience by not loading large amounts of data before a search is fully constructed. In this release filters do not populate until a query is run, and changes in the search timeframe do not initiate a new search until you click the Search button.
  4. In the “Threat Intelligence Feeds” chapter, the description of Queries in the Indicators section of the Search Threat Reports page has been corrected. Earlier documentation said this value is always ‘1’; it can in fact be zero, because some threat reports are not based on queries.
  5. Also in the “Threat Intelligence Feeds” chapter, the description and screenshot of the Search Threat Reports page were updated to reflect new table sorting options and improvements in the labeling of time-related fields.
  6. In the “Watchlists” chapter, an additional caution was added discouraging use of leading wildcards in watchlist queries and pointing out that the same best practices for queries in general also apply to watchlists.
  7. In the “Using the Head-Up Display Page” chapter, information has been added describing the new Query Duration widget, which reports on the slowest recent queries.
  8. The “Sensor Parity” chapter has been significantly updated to be more accurate and complete in its description of feature support in different endpoint operating systems.
  9. Other minor corrections and improvements were made.

GREAT work team!!! It looks like you've been busy. To all concerned: it looks like this particular guide is better written and with much greater detail than those previous. Cheers!!

@kehayes Thanks very much for your comment! We're certainly trying to improve overall quality (not as quickly as we'd like) as well as keeping up with the product changes.

We need more information on the password management, e.g.:

- Password complexity, e.g.: enforce certain numbers of alphanumeric, password encrypted in storage.

- Force change of password on first login.

- Deny repeat usage of the same password for x number of cycles.

Any information on password complexity would be much appreciated. Thanks

Highly agree with @kslee. Customers would greatly appreciate this!

+ option to enforce MFA
