IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

CB Response 7.0 User Guide

CB Response 7.0 User Guide

Important: This documentation is being posted before general availability of this release. Please monitor the User Exchange for the release notice.

The CB Response User Guide is written for both the cloud and on-premises editions of CB Response. It provides information for administrators and for members of Security Operations Center (SOC) and Incident Response (IR) teams who are responsible for setting up and maintaining security for endpoints and networks, as well as assessing potential vulnerabilities and detecting advanced threats. This document includes information about the following topics:

  • Console user accounts and using the console
  • Sensors and sensor groups
  • Server certificate management
  • Incident response
  • Process and binary search and analysis
  • Threat intelligence feeds
  • Investigations
  • Watchlists and alerts

See the Comments section for a brief summary of changes to this document since the previous edition.

Labels (2)

Change log for CB Response 7.0 User Guide (changes since the most recent 6.5 version)


  1.  In the "Process Search and Analysis" chapter, the entry for "crossproc" in the table of Process Event Types was updated to include PROCESS_CREATE_PROCESS in the list of OpenProcess API calls recorded by CB Response.
  2. In the "Responding to Endpoint Incidents" chapter, the "Isolation Exclusions" section has been updated to indicate that network isolation exceptions are supported on the latest macOS sensors. The "Sensor Parity" chapter has also been updated to reflect this change.
  3. In the "Responding to Endpoint Incidents" chapter, the "Live Response Endpoint Sessions" section has been updated to indicate that memory dumps created by the memdump command are now compressed by default.
  4. In the Responding to Endpoint Incidents" chapter, the "Using Live Response" section includes documentation for new features that indicate progress of file transfers.
  5. In the "Managing Certificates for Server-Sensor Communication" chapter, information has been added to the "TLS Server Certificate Management Overview" section indicating that for certificate swapping to be successful, the sensor must be able to update the system hosts file.
  6. In the "Responding to Endpoint Incidents" chapter, a new "Tuning CbLR Network Usage" section describes configuration options to improve Live Response performance in lower bandwidth situations.
  7. In the “Sensor Parity” chapter, a footnote was added to indicate that although network isolation and hash banning on the Linux sensor, they are *not* supported at this time on eBPF-based sensors (RHEL/CentOS 8.0 and SUSE 12&15).
  8. In the "Troubleshooting Sensors" chapter, several updates were made to the Linux sensor troubleshooting instructions to correct file locations and debug options that were incorrect in previous editions of the guide.
  9. In the "Managing Sensors" chapter, the "Viewing Sensor Details" section has been updated to reflect changes to the user interface on the Sensor Details page. Changes in other sections of the guide were also made due to these changes.
Article Information
Creation Date: