CB LiveOps
Query History Table and Status Bar improvements
To make Live Query results easier to interpret, we consolidated the Query History Table. Based on user feedback, we removed the Matches and Last Result columns, rearranged the remaining columns, and added three new device-centric columns:
- Responded: These devices have run the query and returned results back to the cloud by successfully matching the query (one or more results returned), not matching the query (zero results returned), or returning with an error.
- In Progress: These devices have received the query and are in the process of running it and uploading results.
Response Pending: These devices have not yet received the query. This can include devices that are offline or that have not checked in since the query was started.
We removed the Timed out query status because it caused confusion. A query can now be completed if all devices have responded or if seven days have elapsed.
We changed the progress bar on the individual query results page. The progress bar shows the same information that is available on the Query History table, with the addition of a device count. It will dynamically update as devices respond.
CB ThreatHunter
Favorite search improvements
When a Favorite Search is selected on the Investigate page, it will replace the existing search bar contents rather than append the Favorite Search to existing text. This change was made based on customer feedback.
Improved search field: enriched
We renamed the legacy search field to enriched in Investigate and Process Analysis search interfaces to more accurately reflect the returned results.
- When searching in Investigate for analytics-enriched results, search supports enriched:true as the best way to find those events and processes.
- All future Watchlist IOCs should migrate to using enriched:true and remove legacy:true.
- The search interface and all Watchlist IOCs support both enriched and legacy search fields for at least six months, after which time the support for legacy will be removed.
Fixed in this release
|
Issue ID |
Description |
|
DSER-17542 |
Paths with leading / or \ in facets work when selected. |
Known issues
|
Issue ID |
Description |
|
TPLAT-7568 |
The Signatures section of Binary Details page shows unknowns due to signature API endpoint that is responding with a 404 error for binaries that have 1+ digital signatures. |
|
DSER-11445 |
Hovering the mouse on a Investigate search filter hides the percentage values. |
|
DSER-11959 |
When user types - or + and then accepts a suggested search field name, the + or - character is removed from the search bar on the Investigate page. |
|
DSER-12538 |
Binary Details page terminates when UBS APIs return unexpected output. |
|
DSER-13271 |
No field descriptions/examples exist in many suggestions for search fields on the Process Analysis page. |
|
DSER-13295 |
For processes that have a very large number of events, the Process Analysis page for that process can be manually reloaded to load additional events until the query is completed in the background. |
|
DSER-14090 |
If CB Defense is enabled on the PSC with WSC integration enabled, and you remove CB Defense, the WSC integration is not disabled. |
|
DSER-14148 |
When Investigate search bar overflows to multiple lines, you cannot use keyboard navigation or selection. |
|
DSER-15013 |
Rule Preview links show inconsistent result counts when you use wildcards on the Policies page. |
|
DSER-15052 |
More Watchlist Notification emails are sent than the number of Watchlist hits or alerts. |
|
DSER-15187 |
process_publisher searches on the Investigate page lead to signed and unsigned binaries. |
|
DSER-15385 |
Result count drops and rises when changing filters or terms on Investigate search. |
|
DSER-16083 |
When editing a watchlist name or description on the Watchlists page, if the backspace key is used to delete the entire entry, the entry gets rewritten to the original value. This happens if the input is highlighted and deleted or if the backspace key is held. |
|
DSER-16084 |
In the Update Watchlist API, an empty Name field is allowed. |
|
DSER-16087 |
In the Create New Report API, the API responds with a 500 error if a negative timestamp is submitted. |
|
DSER-16190 |
The device_policy field is not always populated in API data or Investigate filters. |
|
DSER-16406 |
Process Count in Rule Preview on Policies page is different from Investigate results count. |
|
DSER-16760 |
Hits popover in Investigate page displays invalid date and no metadata. |
|
DSER-16994 |
After adding a large number of Reports to a Watchlist, the Watchlist will no longer show any Reports in the console. |
|
DSER-17129 |
Filemods on the Process Analysis page do not display the hash of a file. |
|
DSER-17465 |
Investigate right pane is sometimes missing cmdline. |
|
DSER-17544 |
On the Investigate page, the parent process in the right panel sometimes randomly shows counts. |
|
DSER-17741 |
Investigate page sends two queries when loading the Alert link after the Investigate page was previously visited |
|
DSER-17944 |
Clear search button clears just the search bar and not selected filters on the Investigate page |
|
DSER-18129 |
search_validation API endpoint returns 200 HTTP response on internal server error. |
CB LiveOps
Improved In Progress visibility
We have added an In Progress status in the Devices tab to give more insight into a query. This status appears when a device has checked in with the cloud backend, which has received the query and is running the query and uploading results.
Additional recommended queries
Since our last release, we have more than doubled the number of recommended queries that are available in the Recommended tab. These queries are expertly crafted by our internal threat research team and CB LiveOps experts. For more queries, check out our public Query Exchange.
CB ThreatHunter
Save favorite searches
CB ThreatHunter now lets you save favorite searches. There are two new icons on the Investigate page: a star symbol and a down-arrow.
- Type a search into the search bar.
- Click the star icon. You can optionally rename the search.
- Click Save.
After a favorite search is saved, any user can re-run that search. Click the down arrow to view searches. Click the favorite search to add that search to the search bar.
Users who have the Analyst 3, Admin, and Super Admin roles can:
- Rename favorite searches
- Remove favorite searches
If you run the same search one or more times each day, consider using the Add search to threat report feature to create a custom automated Watchlist. This will run your search in the background 24 hours a day, potentially alerting you to any matches on that search.
You can use favorite searches as building blocks. If you frequently use the same set of search terms, you can create a Favorite that includes that sequence, and append it to situation-specific searches.
For example, you might frequently search for an activity that originates from a large number of web browsers. Perhaps one day you're searching for any time that browsers have connected to a potentially malicious domain, and another day you're searching for browser activity that loaded a potentially malicious module. You can type out the entire search each time; for example:
netconn_domain:hackerz.tech AND (process_name:chrome.exe OR process_name:firefox.exe OR process_name:microsoftedge*.exe)
modload_hash:6426cf806ecfc1432326bd4e0c9d0bba25b8db8ff5a79ef2722e7ddd889a8f30 AND (process_name:chrome.exe OR process_name:firefox.exe OR process_name:microsoftedge*.exe)
Or, you can create a Favorite with search process_name:chrome.exe OR process_name:firefox.exe OR process_name:microsoftedge*.exe and name it "Browsers".
The next time your search includes all browsers, you can type out the specifics of the unique search, open the list of Favorites, and select the "Browsers" favorite. CB ThreatHunter will append the Favorite's contents into the search bar and add it to your search query.
New search fields
We’ve introduced two new search fields:
- enriched:true — Helps you find all CB Defense data that is enriched by the PSC analytics engine.
- process_cmdline_length — Lets you find processes that were launched by using a lengthy command line (for example, process_cmdline_length:[100 to *]).
Known issues
|
Issue ID |
Description |
|
TPLAT-7568 |
The Signatures section of Binary Details page shows unknowns due to signature API endpoint responding with a 404 error for binaries that have 1+ digital signatures. |
|
DSER-11445 |
Hovering the mouse on a Investigate search filter hides the percentage values. |
|
DSER-11959 |
When user types - or + and then accepts a suggested search field name, the + or - character is removed from the search bar on the Investigate page. |
|
DSER-12538 |
Binary Details page terminates when UBS APIs return unexpected output. |
|
DSER-13271 |
No field descriptions/examples exist in many suggestions for search fields on the Process Analysis page. |
|
DSER-13295 |
For processes that have a very large number of events, the Process Analysis page for that process can be manually reloaded to load additional events until the query is completed in the background. |
|
DSER-14090 |
If CB Defense is enabled on the PSC with WSC integration enabled, and you remove CB Defense, the WSC integration is not disabled. |
|
DSER-14148 |
When Investigate search bar overflows to multiple lines, you cannot use keyboard navigation or selection. |
|
DSER-15013 |
Rule Preview links show inconsistent result counts when you use wildcards on the Policies page. |
|
DSER-15052 |
More Watchlist Notification emails are sent than the number of Watchlist hits or alerts. |
|
DSER-15187 |
process_publisher searches on the Investigate page lead to signed and unsigned binaries. |
|
DSER-15385 |
Result count drops and rises when changing filters or terms on Investigate search. |
|
DSER-16083 |
When editing a watchlist name or description on the Watchlists page, if the backspace key is used to delete the entire entry, the entry gets rewritten to the original value. This happens if the input is highlighted and deleted or if the backspace key is held. |
|
DSER-16084 |
In the Update Watchlist API, an empty Name field is allowed. |
|
DSER-16087 |
In the Create New Report API, the API responds with a 500 error if a negative timestamp is submitted. |
|
DSER-16190 |
The device_policy field is not always populated in API data or Investigate filters. |
|
DSER-16406 |
Process Count in Rule Preview on Policies page is different from Investigate results count. |
|
DSER-16760 |
Hits popover in Investigate page displays invalid date and no metadata. |
|
DSER-16994 |
After adding a large number of Reports to a Watchlist, the Watchlist no longer shows any Reports. |
|
DSER-17129 |
Filemods on the Process Analysis page do not display the hash of a file. |
|
DSER-17465 |
Investigate right pane is sometimes missing cmdline. |
|
DSER-17542 |
Paths with leading / or \ in facets will not work when selected. |
|
DSER-17544 |
On the Investigate page, the parent process in the right panel sometimes randomly shows counts. |
|
DSER-17741 |
Investigate page sends two queries when loading Alert link after Investigate page was previously visited |
Predictive Security Cloud
Relative time zones
When a date and time are displayed in the UI, a tool tip now indicates the relative timezone.
For example, if the device time is reported as 4:41:37pm Aug 1, 2019, and you are located in the U.S. Pacific time zone (UTC -07:00), the device time data is reported as 4:41:37pm Aug 1, 2019.
When you hover your mouse over the device time cell, a tool tip shows the timezone into which the timestamp has been converted.
Prevent users from changing their roles
Carbon Black now restricts user from changing their role to protect users from accidentally demoting themselves into a role with fewer permissions. Because users could never promote themselves into a role with more permissions, self-demotions required a more powerful user to reverse the change. These situations are now avoided.
CB LiveOps
Fixed in this release
|
Issue ID |
Description |
|
DSER-13859 |
Filters on the Results page sporadically disappeared when selecting a device filter that resulted in non-matching or error devices. |
CB ThreatHunter
New search fields
| Search field | Description | Examples |
|
process_cmdline_length |
Helps track down processes that have unusually long command lines. |
search for process_cmdline_length:[100 TO *] |
| enriched |
Helps surface the behavior-based event data that is provided by CB Defense. Note: This field was added to sensor data on July 17, 2019. It will take 30 days until all data is tagged with this new field. |
search for enriched:true to find all enriched data search for -enriched:true to find all non-enriched data |
Fixed in this release
|
Issue ID |
Description |
|
DSER-14758 |
Searching by device_internal_ip returned no results for CB ThreatHunter-native events on the Investigate page. |
|
DSER-15767 |
When the PSC has no recent data for your organization, the Enabled Watchlists page displayed an unhelpful error. The error now reads "no hits available for past 3 days". |
|
DSER-16153 |
Improved the accuracy of the Process Start Time that the Process Analysis page reports. |
|
DSER-16482 |
Add Query to Watchlist gave an error when certain characters existed in search field values. |
|
DSER-17060 |
Event counts on the Processes right pane shows as "---", not "0", for the enriched data stream. |
|
DSER-17451 |
In some situations, the bottom pagination bar on the Process Analysis page did not load. |
.
Known issues
|
Issue ID |
Description |
|
TPLAT-7568 |
Signatures section of Binary Details page shows unknowns due to signature API endpoint responses of 404 error for binaries that have 1+ digital signatures. |
|
DSER-11445 |
Hovering the mouse on a Investigate search filter hides the percentage values. |
|
DSER-11959 |
When user types - or + and then accepts a suggested search field name, the + or - character is removed from the search bar on the Investigate page. |
|
DSER-12538 |
Binary Details page terminates when UBS APIs return unexpected output. |
|
DSER-13271 |
No field descriptions/examples exist in many suggestions for search fields on the Process Analysis page. |
|
DSER-13295 |
For processes that have a very large number of events, the Process Analysis page can be manually reloaded to load additional events until the query is completed in the background. |
|
DSER-14090 |
If CB Defense is enabled on the PSC with WSC integration enabled, and you remove CB Defense, the WSC integration is not disabled. |
|
DSER-14148 |
When the Investigate search bar overflows to multiple lines, you cannot use keyboard navigation or selection. |
|
DSER-15013 |
Rule Preview links show inconsistent result counts when you use wildcards on the Policies page. |
|
DSER-15052 |
More Watchlist Notification emails are sent than the number of Watchlist hits or alerts. |
|
DSER-15187 |
process_publisher searches on the Investigate page lead to signed and unsigned binaries. |
|
DSER-15385 |
Result count drops and rises when changing filters or terms on Investigate search. |
|
DSER-16083 |
When editing a watchlist name or description on the Watchlists page, if the backspace key is used to delete the entire entry, the entry gets rewritten to the original value. This happens if the input is highlighted and deleted or if the backspace key is held. |
|
DSER-16084 |
In the Update Watchlist API, an empty Name field is allowed. |
|
DSER-16087 |
In the Create New Report API, the API responds with a 500 error if a negative timestamp is submitted. |
|
DSER-16190 |
The device_policy field is not always populated in API data or Investigate filters. |
|
DSER-16406 |
Process Count in Rule Preview on Policies page is different from Investigate results count. |
|
DSER-16760 |
Hits popover in Investigate page displays invalid date and no metadata. |
|
DSER-16994 |
After adding a large number of Reports to a Watchlist, the Watchlist no longer shows any reports in the UI. |
|
DSER-17129 |
Filemods on the Process Analysis page do not display the hash of a file. |
|
DSER-17465 |
Investigate right pane is sometimes missing cmdline. |
|
DSER-17542 |
Facet paths with leading / or \ do not work when selected in facets |
|
DSER-17544 |
On the Investigate page, the parent process in the right panel sometimes shows counts. |
Carbon Black, Inc. | 1100 Winter Street, Waltham, MA 02451 ?USA | Tel: 617.393.7400
Copyright © 2011–2019 Carbon Black, Inc. All rights reserved. Carbon Black, CB Defense, Cb ThreatHunter, CB ThreatSight, and CB LiveOps are registered trademarks and/or trademarks of Carbon Black, Inc. in the United States and other countries. All other trademarks and product names may be the trademarks of their respective owners.
