
PSC Release Notes August 2019

This August 2019 release notes article contains information about the following releases:

  • August 30, 2019
  • August 19, 2019
  • August 5, 2019

August 30, 2019 release


CB LiveOps

Query History Table and Status Bar improvements

To make Live Query results easier to interpret, we consolidated the Query History Table. Based on user feedback, we removed the Matches and Last Result columns, rearranged the remaining columns, and added three new device-centric columns:

  • Responded: These devices have run the query and returned results to the cloud, whether by matching the query (one or more results returned), not matching it (zero results returned), or returning an error.
  • In Progress: These devices have received the query and are in the process of running it and uploading results.
  • Response Pending: These devices have not yet received the query. This can include devices that are offline or that have not checked in since the query was started.

We removed the Timed out query status because it caused confusion. A query is now complete when all devices have responded or when seven days have elapsed.

[Image: Query History table]

 

We changed the progress bar on the individual query results page. The progress bar shows the same information that is available on the Query History table, with the addition of a device count. It will dynamically update as devices respond.
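To make the three device states and the new completion rule concrete, here is an added Python example (not code from the CB LiveOps product or from Carbon Black) that rolls constructed per-device statuses up into the Query History columns, computes the progress fraction the bar displays, and applies the seven-day completion rule. The status strings, device names and start time are assumptions made for the example, not values returned by the product's API.

```python
from datetime import datetime, timedelta

# Device states reported for a query, grouped into the three Query History
# columns. The status strings are assumptions for this example.
RESPONDED = {"matched", "not_matched", "error"}   # ran the query, reported back
IN_PROGRESS = {"in_progress"}                     # received it, still running/uploading
PENDING = {"pending"}                              # has not received the query yet

COMPLETION_WINDOW = timedelta(days=7)   # replaces the old "Timed out" status


def summarize(devices):
    """Count devices per Query History column from a {device: status} map."""
    counts = {"responded": 0, "in_progress": 0, "response_pending": 0}
    for device, status in devices.items():
        if status in RESPONDED:
            counts["responded"] += 1
        elif status in IN_PROGRESS:
            counts["in_progress"] += 1
        elif status in PENDING:
            counts["response_pending"] += 1
        else:
            raise ValueError(f"{device}: unknown status {status!r}")
    return counts


def is_complete(devices, started, now):
    """A query is complete once every device has responded (matched, not
    matched and errored all count as responses) or once seven days elapsed."""
    counts = summarize(devices)
    return counts["responded"] == len(devices) or now - started >= COMPLETION_WINDOW


def progress(devices):
    """Fraction of devices that have responded, as shown by the progress bar."""
    if not devices:
        return 1.0
    return summarize(devices)["responded"] / len(devices)


# Constructed sample: five devices, one query started 2019-08-20 09:00.
SAMPLE_STARTED = datetime(2019, 8, 20, 9, 0, 0)
SAMPLE_DEVICES = {
    "WS-0001": "matched",
    "WS-0002": "not_matched",   # zero results is still a response
    "WS-0003": "error",
    "WS-0004": "in_progress",
    "LAPTOP-0042": "pending",   # offline, or not checked in since the query started
}

if __name__ == "__main__":
    print(summarize(SAMPLE_DEVICES))
    print(is_complete(SAMPLE_DEVICES, SAMPLE_STARTED, SAMPLE_STARTED.replace(day=22)))
```

Note that a device returning zero results counts as Responded, so a progress bar at 100% says nothing about how many devices matched; read the Responded count together with the result rows.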

[Image: query results progress bar]

 


CB ThreatHunter

Favorite search improvements

When a Favorite Search is selected on the Investigate page, it will replace the existing search bar contents rather than append the Favorite Search to existing text. This change was made based on customer feedback.

Improved search field: enriched

We renamed the legacy search field to enriched in Investigate and Process Analysis search interfaces to more accurately reflect the returned results.

  • When searching in Investigate for analytics-enriched results, search supports enriched:true as the best way to find those events and processes.
  • All future Watchlist IOCs should migrate to using enriched:true and remove legacy:true.
  • The search interface and all Watchlist IOCs will support both the enriched and legacy search fields for at least six months, after which support for legacy will be removed.

Fixed in this release

Issue ID     Description
DSER-17542   Paths with leading / or \ in facets now work when selected.

 

Known issues

Issue ID     Description
TPLAT-7568   The Signatures section of the Binary Details page shows unknowns because the signature API endpoint responds with a 404 error for binaries that have one or more digital signatures.
DSER-11445   Hovering the mouse over an Investigate search filter hides the percentage values.
DSER-11959   When a user types - or + and then accepts a suggested search field name, the + or - character is removed from the search bar on the Investigate page.
DSER-12538   The Binary Details page terminates when UBS APIs return unexpected output.
DSER-13271   Many suggestions for search fields on the Process Analysis page have no field descriptions or examples.
DSER-13295   For processes that have a very large number of events, the Process Analysis page for that process must be reloaded manually to load additional events until the query completes in the background.
DSER-14090   If CB Defense is enabled on the PSC with WSC integration enabled, and you remove CB Defense, the WSC integration is not disabled.
DSER-14148   When the Investigate search bar overflows to multiple lines, you cannot use keyboard navigation or selection.
DSER-15013   Rule Preview links show inconsistent result counts when you use wildcards on the Policies page.
DSER-15052   More Watchlist Notification emails are sent than the number of Watchlist hits or alerts.
DSER-15187   process_publisher searches on the Investigate page return both signed and unsigned binaries.
DSER-15385   The result count drops and rises when changing filters or terms in an Investigate search.
DSER-16083   When editing a watchlist name or description on the Watchlists page, if the backspace key is used to delete the entire entry, the entry is rewritten to the original value. This happens if the input is highlighted and deleted or if the backspace key is held.
DSER-16084   The Update Watchlist API allows an empty Name field.
DSER-16087   The Create New Report API responds with a 500 error if a negative timestamp is submitted.
DSER-16190   The device_policy field is not always populated in API data or Investigate filters.
DSER-16406   The Process Count in Rule Preview on the Policies page differs from the Investigate results count.
DSER-16760   The Hits popover on the Investigate page displays an invalid date and no metadata.
DSER-16994   After adding a large number of Reports to a Watchlist, the Watchlist no longer shows any Reports in the console.
DSER-17129   Filemods on the Process Analysis page do not display the hash of the file.
DSER-17465   The Investigate right pane is sometimes missing the cmdline.
DSER-17544   On the Investigate page, the parent process in the right panel sometimes randomly shows counts.
DSER-17741   The Investigate page sends two queries when loading the Alert link after the Investigate page was previously visited.
DSER-17944   The Clear search button clears only the search bar, not the selected filters, on the Investigate page.
DSER-18129   The search_validation API endpoint returns a 200 HTTP response on an internal server error.


August 19, 2019 release


CB LiveOps

Improved In Progress visibility

We have added an In Progress status in the Devices tab to give more insight into a query. This status appears when a device has checked in with the cloud backend, received the query, and is running it and uploading results.

[Image: Device view with In Progress status]

Additional recommended queries

Since our last release, we have more than doubled the number of recommended queries that are available in the Recommended tab. These queries are expertly crafted by our internal threat research team and CB LiveOps experts. For more queries, check out our public Query Exchange.


CB ThreatHunter

Save favorite searches

CB ThreatHunter now lets you save favorite searches. There are two new icons on the Investigate page: a star symbol and a down-arrow.

[Image: Favorites icons in the search bar]

  1. Type a search into the search bar.
  2. Click the star icon. You can optionally rename the search.
     [Image: Create Favorites dialog]
  3. Click Save.

After a favorite search is saved, any user can re-run that search. Click the down arrow to view searches. Click the favorite search to add that search to the search bar.

[Image: Favorites list]

 

Users who have the Analyst 3, Admin, and Super Admin roles can:

  • Rename favorite searches
  • Remove favorite searches

If you run the same search one or more times each day, consider using the Add search to threat report feature to create a custom automated Watchlist. This will run your search in the background 24 hours a day, potentially alerting you to any matches on that search.

You can use favorite searches as building blocks. If you frequently use the same set of search terms, you can create a Favorite that includes that sequence, and append it to situation-specific searches.

For example, you might frequently search for an activity that originates from a large number of web browsers. Perhaps one day you're searching for any time that browsers have connected to a potentially malicious domain, and another day you're searching for browser activity that loaded a potentially malicious module. You can type out the entire search each time; for example: 

netconn_domain:hackerz.tech AND (process_name:chrome.exe OR process_name:firefox.exe OR process_name:microsoftedge*.exe)

modload_hash:6426cf806ecfc1432326bd4e0c9d0bba25b8db8ff5a79ef2722e7ddd889a8f30 AND (process_name:chrome.exe OR process_name:firefox.exe OR process_name:microsoftedge*.exe)

Or, you can create a Favorite with the search process_name:chrome.exe OR process_name:firefox.exe OR process_name:microsoftedge*.exe and name it "Browsers".

The next time your search includes all browsers, you can type out the specifics of the unique search, open the list of Favorites, and select the "Browsers" favorite. CB ThreatHunter will append the Favorite's contents into the search bar and add it to your search query.
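To illustrate the building-block idea, here is an added Python example (not code from CB ThreatHunter or from Carbon Black) that stores the "Browsers" Favorite from the text and appends it to the two situation-specific searches above, rebuilding exactly the full queries shown earlier. It assumes the query syntax follows the usual Lucene-style rule that AND binds tighter than OR, which is why the function wraps an OR-chain Favorite in parentheses before combining it; the page does not say whether the console adds those parentheses itself, so check the combined query in the search bar before saving it as a Watchlist.

```python
import re

# Tokens for the subset of the search syntax on this page: parentheses,
# the upper-case AND/OR operators, and field:value terms (wildcards kept).
_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|[^\s()]+")

# Saved Favorites, keyed by the name given when the star icon was clicked.
# The "Browsers" entry is the one from the text above.
FAVORITES = {
    "Browsers": "process_name:chrome.exe OR process_name:firefox.exe OR process_name:microsoftedge*.exe",
}


def tokenize(query):
    return _TOKEN.findall(query)


def has_top_level_or(query):
    """True when an OR sits at parenthesis depth 0, i.e. the query is an
    OR-chain that must be parenthesised before being ANDed with anything
    (AND is assumed to bind tighter than OR, as in Lucene-style syntax)."""
    depth = 0
    for token in tokenize(query):
        if token == "(":
            depth += 1
        elif token == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in query")
        elif token == "OR" and depth == 0:
            return True
    if depth != 0:
        raise ValueError("unbalanced '(' in query")
    return False


def compose(specific, favorite_name, favorites=FAVORITES):
    """Append a saved Favorite to a situation-specific search, wrapping the
    Favorite in parentheses only when its meaning would otherwise change."""
    favorite = favorites[favorite_name]
    if has_top_level_or(favorite):
        favorite = f"({favorite})"
    return f"{specific} AND {favorite}"


if __name__ == "__main__":
    # The two searches from the text, rebuilt from the Favorite.
    print(compose("netconn_domain:hackerz.tech", "Browsers"))
    print(compose("modload_hash:6426cf806ecfc1432326bd4e0c9d0bba25b8db8ff5a79ef2722e7ddd889a8f30", "Browsers"))
```

Without the parentheses, netconn_domain:hackerz.tech AND process_name:chrome.exe OR process_name:firefox.exe OR ... would pair the domain with Chrome only and return every Firefox and Edge process regardless of domain, which is the wrong question and a noisy Watchlist.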

New search fields

We’ve introduced two new search fields:

  • enriched:true — Helps you find all CB Defense data that is enriched by the PSC analytics engine.
  • process_cmdline_length — Lets you find processes that were launched by using a lengthy command line (for example, process_cmdline_length:[100 to *]).

Known issues

Issue ID     Description
TPLAT-7568   The Signatures section of the Binary Details page shows unknowns because the signature API endpoint responds with a 404 error for binaries that have one or more digital signatures.
DSER-11445   Hovering the mouse over an Investigate search filter hides the percentage values.
DSER-11959   When a user types - or + and then accepts a suggested search field name, the + or - character is removed from the search bar on the Investigate page.
DSER-12538   The Binary Details page terminates when UBS APIs return unexpected output.
DSER-13271   Many suggestions for search fields on the Process Analysis page have no field descriptions or examples.
DSER-13295   For processes that have a very large number of events, the Process Analysis page for that process must be reloaded manually to load additional events until the query completes in the background.
DSER-14090   If CB Defense is enabled on the PSC with WSC integration enabled, and you remove CB Defense, the WSC integration is not disabled.
DSER-14148   When the Investigate search bar overflows to multiple lines, you cannot use keyboard navigation or selection.
DSER-15013   Rule Preview links show inconsistent result counts when you use wildcards on the Policies page.
DSER-15052   More Watchlist Notification emails are sent than the number of Watchlist hits or alerts.
DSER-15187   process_publisher searches on the Investigate page return both signed and unsigned binaries.
DSER-15385   The result count drops and rises when changing filters or terms in an Investigate search.
DSER-16083   When editing a watchlist name or description on the Watchlists page, if the backspace key is used to delete the entire entry, the entry is rewritten to the original value. This happens if the input is highlighted and deleted or if the backspace key is held.
DSER-16084   The Update Watchlist API allows an empty Name field.
DSER-16087   The Create New Report API responds with a 500 error if a negative timestamp is submitted.
DSER-16190   The device_policy field is not always populated in API data or Investigate filters.
DSER-16406   The Process Count in Rule Preview on the Policies page differs from the Investigate results count.
DSER-16760   The Hits popover on the Investigate page displays an invalid date and no metadata.
DSER-16994   After adding a large number of Reports to a Watchlist, the Watchlist no longer shows any Reports.
DSER-17129   Filemods on the Process Analysis page do not display the hash of the file.
DSER-17465   The Investigate right pane is sometimes missing the cmdline.
DSER-17542   Paths with leading / or \ in facets do not work when selected.
DSER-17544   On the Investigate page, the parent process in the right panel sometimes randomly shows counts.
DSER-17741   The Investigate page sends two queries when loading the Alert link after the Investigate page was previously visited.

 


August 5, 2019 release


Predictive Security Cloud

Relative time zones

When a date and time are displayed in the UI, a tool tip now indicates the relative timezone.

For example, if the device time is reported as 4:41:37pm Aug 1, 2019, and you are located in the U.S. Pacific time zone (UTC -07:00), the device time data is reported as 4:41:37pm Aug 1, 2019.

When you hover your mouse over the device time cell, a tool tip shows the timezone into which the timestamp has been converted.

[Image: Timestamp with timezone popup]


Prevent users from changing their roles

Carbon Black now prevents users from changing their own role, to protect users from accidentally demoting themselves into a role with fewer permissions. Because users could never promote themselves into a role with more permissions, a self-demotion required a more powerful user to reverse the change. These situations are now avoided.


CB LiveOps

Fixed in this release

Issue ID     Description
DSER-13859   Filters on the Results page sporadically disappeared when selecting a device filter that resulted in non-matching or error devices.

 


CB ThreatHunter

New search fields

process_cmdline_length
  Description: Helps track down processes that have unusually long command lines.
  Example: search for process_cmdline_length:[100 TO *]

enriched
  Description: Helps surface the behavior-based event data that is provided by CB Defense.
  Note: This field was added to sensor data on July 17, 2019. It will take 30 days until all data is tagged with this new field.
  Examples: search for enriched:true to find all enriched data; search for -enriched:true to find all non-enriched data.
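Here is an added Python example (not Carbon Black code) that evaluates the two new fields against a handful of constructed process records, implementing the [lo TO hi] range syntax, the boolean enriched field and the leading - negation, and ANDing several clauses together. It assumes process_cmdline_length is the character length of process_cmdline. The record without an enriched tag stands in for data ingested before July 17, 2019: during the 30-day rollout, -enriched:true matches such untagged records as well as records tagged enriched:false, so "non-enriched" results from that window are not all CB ThreatHunter-native data.

```python
import re

# Range syntax used on this page: [lo TO hi], where either bound may be *.
_RANGE = re.compile(r"^\[(\d+|\*)\s+TO\s+(\d+|\*)\]$")


def parse_clause(clause):
    """Parse one clause of the form field:value, field:[lo TO hi] or
    -field:value (leading '-' negates) into (negated, field, predicate)."""
    negated = clause.startswith("-")
    field, sep, value = clause.lstrip("-").partition(":")
    if not sep or not field or not value:
        raise ValueError(f"malformed clause: {clause!r}")
    bounds = _RANGE.match(value)
    if bounds:
        lo = None if bounds.group(1) == "*" else int(bounds.group(1))
        hi = None if bounds.group(2) == "*" else int(bounds.group(2))

        def predicate(v):
            return (v is not None
                    and (lo is None or v >= lo)
                    and (hi is None or v <= hi))
    elif value in ("true", "false"):
        wanted = value == "true"

        def predicate(v):
            return v is wanted        # a missing field (None) matches neither value
    else:
        def predicate(v):
            return v == value
    return negated, field, predicate


def derive_fields(record):
    """Copy the record and add process_cmdline_length, assumed here to be the
    character length of process_cmdline."""
    fields = dict(record)
    cmdline = record.get("process_cmdline")
    fields["process_cmdline_length"] = len(cmdline) if cmdline is not None else None
    return fields


def matches(record, clauses):
    """AND all clauses together. A missing field never satisfies a positive
    clause but does satisfy a negated one, which is exactly how untagged
    (pre-rollout) records end up in -enriched:true results."""
    fields = derive_fields(record)
    for clause in clauses:
        negated, field, predicate = parse_clause(clause)
        if predicate(fields.get(field)) == negated:
            return False
    return True


def search(records, *clauses):
    """Return the process_guid of every record matching all clauses."""
    return [r["process_guid"] for r in records if matches(r, clauses)]


# Constructed sample records; guids and command lines are made up.
SAMPLE_RECORDS = [
    {"process_guid": "p1", "process_name": "cmd.exe",
     "process_cmdline": "cmd.exe /c whoami", "enriched": True},
    {"process_guid": "p2", "process_name": "setup.exe",
     "process_cmdline": "setup.exe " + "x" * 150, "enriched": True},   # 160 characters
    {"process_guid": "p3", "process_name": "svchost.exe",
     "process_cmdline": "svchost.exe -k netsvcs", "enriched": False},
    {"process_guid": "p4", "process_name": "explorer.exe",
     "process_cmdline": "explorer.exe"},                              # no enriched tag yet
]

if __name__ == "__main__":
    print(search(SAMPLE_RECORDS, "process_cmdline_length:[100 TO *]"))
    print(search(SAMPLE_RECORDS, "-enriched:true"))
```

If the goal is specifically the CB ThreatHunter-native stream rather than "everything not enriched", enriched:false is the tighter filter: it excludes records that simply have no tag yet.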

 

Fixed in this release

Issue ID     Description
DSER-14758   Searching by device_internal_ip returned no results for CB ThreatHunter-native events on the Investigate page.
DSER-15767   When the PSC has no recent data for your organization, the Enabled Watchlists page displayed an unhelpful error. The error now reads "no hits available for past 3 days".
DSER-16153   Improved the accuracy of the Process Start Time that the Process Analysis page reports.
DSER-16482   Add Query to Watchlist gave an error when certain characters existed in search field values.
DSER-17060   Event counts on the Processes right pane showed as "---", not "0", for the enriched data stream.
DSER-17451   In some situations, the bottom pagination bar on the Process Analysis page did not load.


Known issues

Issue ID     Description
TPLAT-7568   The Signatures section of the Binary Details page shows unknowns because the signature API endpoint responds with a 404 error for binaries that have one or more digital signatures.
DSER-11445   Hovering the mouse over an Investigate search filter hides the percentage values.
DSER-11959   When a user types - or + and then accepts a suggested search field name, the + or - character is removed from the search bar on the Investigate page.
DSER-12538   The Binary Details page terminates when UBS APIs return unexpected output.
DSER-13271   Many suggestions for search fields on the Process Analysis page have no field descriptions or examples.
DSER-13295   For processes that have a very large number of events, the Process Analysis page must be reloaded manually to load additional events until the query completes in the background.
DSER-14090   If CB Defense is enabled on the PSC with WSC integration enabled, and you remove CB Defense, the WSC integration is not disabled.
DSER-14148   When the Investigate search bar overflows to multiple lines, you cannot use keyboard navigation or selection.
DSER-15013   Rule Preview links show inconsistent result counts when you use wildcards on the Policies page.
DSER-15052   More Watchlist Notification emails are sent than the number of Watchlist hits or alerts.
DSER-15187   process_publisher searches on the Investigate page return both signed and unsigned binaries.
DSER-15385   The result count drops and rises when changing filters or terms in an Investigate search.
DSER-16083   When editing a watchlist name or description on the Watchlists page, if the backspace key is used to delete the entire entry, the entry is rewritten to the original value. This happens if the input is highlighted and deleted or if the backspace key is held.
DSER-16084   The Update Watchlist API allows an empty Name field.
DSER-16087   The Create New Report API responds with a 500 error if a negative timestamp is submitted.
DSER-16190   The device_policy field is not always populated in API data or Investigate filters.
DSER-16406   The Process Count in Rule Preview on the Policies page differs from the Investigate results count.
DSER-16760   The Hits popover on the Investigate page displays an invalid date and no metadata.
DSER-16994   After adding a large number of Reports to a Watchlist, the Watchlist no longer shows any Reports in the UI.
DSER-17129   Filemods on the Process Analysis page do not display the hash of the file.
DSER-17465   The Investigate right pane is sometimes missing the cmdline.
DSER-17542   Facet paths with leading / or \ do not work when selected in facets.
DSER-17544   On the Investigate page, the parent process in the right panel sometimes shows counts.


Carbon Black, Inc. | 1100 Winter Street, Waltham, MA 02451 USA | Tel: 617.393.7400

Copyright © 2011–2019 Carbon Black, Inc. All rights reserved. Carbon Black, CB Defense, Cb ThreatHunter, CB ThreatSight, and CB LiveOps are registered trademarks and/or trademarks of Carbon Black, Inc. in the United States and other countries. All other trademarks and product names may be the trademarks of their respective owners.

Creation Date: 08-05-2019