Cb Response 6.2.3 User Guide [Japanese]

The Cb Response 6.2.3 User Guide is written for both the cloud and on-premises editions of Cb Response. It provides information for administrators and for members of Security Operations Center (SOC) and Incident Response (IR) teams who are responsible for setting up and maintaining security for endpoints and networks, as well as assessing potential vulnerabilities and detecting advanced threats. This document includes information about the following topics:

  • Console user accounts and using the console
  • Sensors and sensor groups
  • Incident response
  • Process and binary search and analysis
  • Threat intelligence feeds
  • Investigations
  • Watchlists and alerts

See the Comments section below for a brief summary of changes to this document since the previous Japanese version (6.2.0).

Note: Although this is the most recent Japanese translation of the user guide, there may be later English versions on the User eXchange.

Comments

Changes to the Cb Response User Guide between version 6.2.0 and 6.2.3

Change log for the August 2018 Cb Response 6.2.3 User Guide:

  1. In the "Advanced Search Queries" chapter, updated the "Searching with Multiple (Bulk) Criteria" section. Previous versions had an incorrect syntax description for how to enter bulk search terms, and insufficient detail about where to put the terms in the user interface. The new version corrects these problems.
  2. Modified the "List of Tasks" section to appear in alphabetical rather than page order.
  3. In the "Advanced Search Queries" chapter, added information about the presence of the suppressed child process cmdlines in the cmdline document for the parent, which result in query hits for the parent process.
  4. In the "Responding to Endpoint Incidents" chapter, corrected the description of the control for enabling and disabling hash bans on the Manage Banned Hashes page. It is a checkbox, not a slider switch in current versions of Cb Response.
  5. In the "Advanced Search Queries" chapter, added a missing space in the example of "Legacy cmdline tokenization (default)". Without the space, the example failed.
  6. In the "Managing Sensors" chapter, added instructions for disabling DNS lookup related to Cb Response events for Windows systems with a high number of network connections, which reduces the impact of these events.
  7. In the "Sensor Groups" chapter, documented the optional Exclusions panel, which can be used on OS X systems to exclude collection of certain event data at specified paths.
  8. In the "Responding to Endpoint Incidents" chapter, noted that the live response audit log now includes hostname information. Also corrected the log name (live-response.log) here and elsewhere in the guide.
  9. In the "Process Search and Analysis" chapter, added a new "Managing High-Impact Queries" section describing new features to block certain queries that can have significant performance impact.
  10. In the "Watchlists" chapter, significantly updated the chapter to include more information about watchlist expiration, performance and status. This includes new status information and list sorting capabilities introduced in v6.2.3.
  11. Other minor corrections and improvements were also made.

Change log for the Cb Response 6.2.2 User Guide:

  1. Added a "List of Tasks" section.
  2. Added documentation for on-demand macOS/OS X sensor diagnostics. See the "Troubleshooting Sensors" chapter.
  3. Added two missing options (processopentarget and remotethreadtarget) in the crossproc_type field description. See the "Advanced Search Queries" chapter.
  4. Added a brief description of new capabilities to send SHA256 hashes to the Cb Response event forwarder. See the "Sensor Parity" chapter.
  5. Other minor corrections and improvements were also made.

Change log for the May 2018 Cb Response 6.2.1 User Guide:

  1. In the "About this Guide" section, replaced a reference to a deprecated Cb Response Connectors Guide with links to developer.carbonblack.com.
  2. Added two missing options (processopentarget and remotethreadtarget) in the crossproc_type field description. See the "Advanced Search Queries" chapter.
  3. Corrected several broken cross-references in the "Getting Started" chapter.
  4. Other minor corrections and improvements were also made.
Article Information
Creation Date: 12-19-2018