Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Cb Response 6.2.3 User Guide

Cb Response 6.2.3 User Guide

The Cb Response 6.2.3 User Guide is written for both the cloud and on-premises editions of Cb Response. It provides information for administrators and for members of Security Operations Center (SOC) and Incident Response (IR) teams who are responsible for setting up and maintaining security for endpoints and networks, as well as assessing potential vulnerabilities and detecting advanced threats. This document includes information about the following topics:

  • Console user accounts and using the console
  • Sensors and sensor groups
  • Incident response
  • Process and binary search and analysis
  • Threat intelligence feeds
  • Investigations
  • Watchlists and alerts


See the Comments section below for a brief summary of changes to this document since release 6.2.2.


Labels (2)

Change log for the August 2018 Cb Response 6.2.3 User Guide (updated version, August 7, 3:30PM EDT):

  1. In the “Advanced Search Queries” chapter, updated the "Searching with Multiple (Bulk) Criteria" section. Previous versions had an incorrect syntax description for how to enter bulk search terms, and insufficient detail about where to put the terms in the user interface. The new version corrects these problems.

Change log for the August 2018 Cb Response 6.2.3 User Guide (initial version, August 3):

  1. Modified the "List of Tasks" section to appear in alphabetical rather than page order.
  2. In the “Advanced Search Queries” chapter, added information about the presence of the suppressed child process cmdlines in the cmdline document for the parent, which result in query hits for the parent process.
  3. In the “Responding to Endpoint Incidents” chapter, corrected the description of the control for enabling and disabling hash bans on the Manage Banned Hashes page. It is a checkbox, not a slider switch in current versions of Cb Response.
  4. In the “Advanced Search Queries” chapter, added a missing space in the example of “Legacy cmdline tokenization (default)”. Without the space, the example failed.
  5. In the “Managing Sensors” chapter, added instructions for disabling DNS lookup related to Cb Response events for Windows systems with a high number of network connections, which reduces the impact of these events.
  6. In the “Sensor Groups” chapter, documented the optional Exclusions panel, which can be used on OS X systems to exclude collection of certain event data at specified paths.
  7. In the “Responding to Endpoint Incidents" chapter, noted that the live response audit log now includes hostname information. Also corrected the log name (live-response.log) here and elsewhere in the guide.
  8. In the “Process Search and Analysis” chapter, added a new “Managing High-Impact Queries” section describing new features to block certain queries that can have significant performance impact.
  9. In the “Watchlists” chapter, significantly updated the chapter to include more information about watchlist expiration, performance and status. This includes new status information and list sorting capabilities introduced in v6.2.3.
  10. Other minor corrections and improvements were also made.

Does this version supports RHEL 7.7? There are quite a number of important updates in the RHEL version. Are we expecting the support soon?

Article Information
Creation Date: