We’re migrating product documentation to docs.vmware.com, starting with Carbon Black Cloud. Learn more.

PSC Release Notes May 2019

PSC Release Notes May 2019

This May 2019 release notes article contains information about the following releases:

 

May 28, 2019 release


CB Defense

Delete a file from the Alert Triage page

You can now delete a file from the Alert Triage page. Selecting a file provides details on the file, and the ability to take action on it.

Copy of alert-triage-file1.png

 


CB ThreatHunter

Sort order on Watchlists page persists

When you change the sort order on the Watchlists page, that setting persists across sessions in the same browser.

Watchlist sorting persistent.png

 

 

 

 

 

 

Investigate page improvements

When you start a search by first selecting a filter option, and then add query terms to the Search Bar, the resulting search results now honor the filter selections as well as Search Bar terms.

The Device Group filter category has been renamed to Policy, to better represent the data upon which it acts.

Device Group renamed to Policy (1).png

 

 

 

 

 

 

 

 

 

 

 

 

Fixed in this release

Issue ID

Description

DSER-14269

On the Watchlists page and related screens, when you select a checkbox and take action such as Add or Subscribe, the checkboxes remain selected after the action is successfully completed.

DSER-16076

Investigate search results sometimes include exact duplicate results in pairs.

DSER-16099

Process Analysis tree shows only one node.

DSER-13061

In the Feed Manager Replace Reports API, the response included a 500 HTTP status code when it should be 400.

DSER-14988

Report tags were incomplete for some third-party Watchlists.

 

Known issues

Issue ID

Description

TPLAT-6201

The First seen as field on the Binary Details page (and from the API) does not return paths in prevalence order; therefore, it is not possible to guarantee the actual first seen instance.

DSER-10685

Text remains in Investigate Search Bar if user navigates away and uses navigation Investigate option return to the Investigate page.

DSER-11445

Hovering the mouse on a Investigate search filter hides the percentage values.

DSER-11662

After you deselect a selected filter on the Investigate page, an otherwise-empty search still displays search results.

DSER-11904

Count of devices with hash on the Process Analysis page is different from count of devices on the Investigate page.

DSER-11959

When user types - or + and then accepts a suggested search field name, the + or - character is removed from the search bar on the Investigate page.

DSER-12453

ThreatHunter Watchlist tags do not show up on the Notes/Tags tab of the Alerts page — these are a different type of tag data.

DSER-12538

Binary Details page crashes when UBS APIs return unexpected output.

DSER-13177

The User Guide is missing from the Help menu for organizations that subscribe to CB ThreatHunter.

DSER-13271

No field descriptions/examples in many suggestions for search fields on Process Analysis page.

DSER-13283

When you search for Reports for a new Watchlist, you cannot access or add a Report that was returned by the search.

DSER-13295

For processes that have a very large number of events, the Process Analysis page for that process can be manually reloaded to load additional events until the query is completed in the background.

DSER-13636

Facets do not update when you navigate away from the Investigate page and then navigate back.

DSER-13773

Watchlist link still showing on Process Analysis page side panel after Watchlist is deleted.

DSER-14090

If CB Defense is enabled on the PSC with WSC integration enabled, and you remove CB Defense, the WSC integration is not disabled.

DSER-14148

When Investigate search bar overflows to multiple lines, user cannot use keyboard navigation or selection.

DSER-14276

When user deletes a custom Watchlist from enabled Watchlists page, results section of page reports "no watchlists enabled".

DSER-14758

Searching by device_internal_ip returns no results for CBTH-native events on the Investigate page.

DSER-14764

For an organization that only uses ThreatHunter, the CB Defense icon still appears in the Explorer tray and the Programs List.

DSER-14832

When there is only one device_group available, the /results API does not return device_group and the Device Group filter group disappears from the Investigate page.

DSER-15013

Rule Preview links show inconsistent result counts when you use wildcards on the Policies page.

DSER-15052

More Watchlist Notification emails sent than number of Watchlist Hits or Alerts.

DSER-15187

"process_publisher" searches on the Investigate page lead to signed and unsigned binaries.

DSER-15385

Result count drops and rises when changing filters or terms on Investigate search.

DSER-15386

When user deletes the last Report in an enabled Watchlist, the Reports tab on Watchlists page shows all available reports instead of No Reports for this Watchlist.

DSER-15931

Report Search on Watchlists page allows user to submit search when Search Bar is empty.

DSER-16080

Report Search on Watchlists page returns a 500 error when querying for more than 10,000 reports.

DSER-16083

On the Watchlists page, the backspace key does not behave as expected to edit a Watchlist name or description

DSER-16084

In the Update Watchlist API, an empty Name field is allowed.

DSER-16087

In the Create New Report API, the API responds with 500 error if a negative timestamp is submitted

DSER-16190

The device_policy field is not always populated in API data or Investigate filters

 


May 20, 2019 release


CB Defense

This release includes an improvement to our database connection pool settings, which should result in increased stability.


May 13, 2019 release


CB Defense

Fixed in this release

Issue ID

Description

DSER-15875

Fixed an issue where upgrading to Chrome v74 caused the Roles page to crash.

DSER-15708

Fixed an issue where the Prevent with Policies section of Getting Started appeared when it did not apply to the active products.

 


CB ThreatHunter

Fixed in this release

Issue ID

Description

DSER-15386

When user deleted the last Report in an enabled Watchlist, the Reports tab showed all available Reports rather than No Reports for this Watchlist.

DSER-15821

Add Watchlists Build Tab: Could not add Threat Report to Watchlist.

DSER-15822

Syntax highlighting for modload_hash field highlighted incorrectly.

DSER-15861

Viewing Watchlist With No Reports showed ALL Reports.

 

Known issues

ID

Description

TPLAT-6201

First seen as field on the Binary Details page (and from the API) does not return paths in prevalence order; therefore, it is not possible to guarantee the actual first seen instance.

DSER-10685

Text remains in Investigate search bar if user navigates away and uses navigation Investigate option return to the Investigate page.

DSER-11445

Hovering the mouse on a Investigate search filter hides the percentage values.

DSER-11662

After you deselect a selected filter on the Investigate page, an otherwise-empty search still displays search results.

DSER-11904

Count of devices with hash on the Process Analysis page is different than count of devices on the Investigate page.

DSER-11959

When user types - or + and then accepts a suggested search field name, the + or - character is removed from search bar on the Investigate page.

DSER-12453

ThreatHunter Watchlist tags do not show up on the Notes/Tags tab of the Alerts page — these are a different type of tag data.

DSER-12538

Binary Details page crashes when UBS APIs return unexpected output.

DSER-13061

Feed API "replace reports" API call responds with 500 when it should send 400.

DSER-13177

The User Guide is missing from the Help menu for organizations that subscribe to CB ThreatHunter.

DSER-13271

No field descriptions/examples in many suggestions for search fields on Process Analysis page.

DSER-13283

When you search for Reports for a new Watchlist, you cannot access/add a Report that was returned by the search.

DSER-13295

For processes that have a very large number of events, the Process Analysis page for that process can be manually reloaded to load additional events until the query is completed in the background.

DSER-13636

Facets do not update when you navigate away from the Investigate page and then navigate back.

DSER-13773

Watchlist link still showing on Process Analysis page side panel after Watchlist is deleted.

DSER-14090

If CB Defense is enabled on the PSC with WSC integration enabled, and you remove CB Defense, the WSC integration is not disabled.

DSER-14148

When Investigate search bar overflows to multiple lines, user cannot use keyboard navigation or selection.

DSER-14276

When user deletes a custom Watchlist from enabled Watchlists page, results section of page reports "no watchlists enabled".

DSER-14758

Searching by device_internal_ip returns no results for CBTH-native events on the Investigate page.

DSER-14764

For an organization that only uses ThreatHunter, the CB Defense icon still appears in the Explorer tray and the Programs List.

DSER-14832

When there is only one device_group available, the /results API does not return device_group and the Device Group filter group disappears from the Investigate page.

DSER-15013

Rule Preview links show inconsistent result counts when you use wildcards on the Policies page.

DSER-15052

More Watchlist Notification emails sent than number of Watchlist Hits or Alerts.

DSER-15187

"process_publisher" searches on the Investigate page lead to signed and unsigned binaries.

DSER-15385

Result count drops and rises when changing filters or terms on Investigate search.

DSER-15386

When user deletes the last Report in an enabled Watchlist, the Reports tab on Watchlists page shows all available reports rather than No Reports for this Watchlist.

DSER-15931

Report Search on Watchlists page allows user to submit search when Search Bar is empty.

 


May 6, 2019 release

Our May 6 release of the PSC extends and improves recently released features, making visibility and prevention faster and easier.

  • In April 2019, Carbon Black released CB LiveOps recommended queries, a set of pre-built queries that are recommended by the Carbon Black threat research team. Now, you can filter recommended queries based on operating system and categories, including compliance, IT hygiene, threat hunting, and vulnerability management.
  • In April 2019, CB ThreatHunter search became more flexible, enabling users to search without specifying field names.
  • In March 2019, we introduced role-based access control (RBAC) capabilities across the PSC to give administrators granular control over user roles. In this release, we’re making it even easier to view all available roles. We’re also extending the Getting Started dashboard widget to help CB Defense users learn how to create, assign, test, and tune policies.

For more information about other recently added CB Defense and CB LiveOps features, see the April 24 PSC Release Notes.


CB Defense

Connectors renamed to API Keys

Based on customer requests, all “Connector” related terminology is updated to “API Key” terms. For example:

  • The Connectors page has been renamed to API Keys.
  • Connector Type is now referred to as API Key Access Level.
  • The API Key button that revealed the secret key is renamed to Credentials and shows both the ID and the Key.
  • API keys include 2 parts: API Secret Key (previously API Key) and API ID (previously Connector ID). 

api keys.png

 

 

 

 

 

 

 

 

Getting started with policies

The Getting Started widget can help you Prevent with policies. If you are unfamiliar with policies, four new steps can help you set up, assign, and test new policies.

gettingstartedpolicies.png

 

 

 

 

 

 

 

New user assignment design

The Users page Add User window is redesigned to more easily browse through available roles. The new view shows all the roles within a scrollable window. By toggling Show Role Descriptions, you can review and compare multiple role descriptions simultaneously.

adduserrbac.png

 

 

 

 

 

 

 

 

 

 

 

 

Improved Audit Log messages

Audit Log messages related to API Keys are updated to include the API IDs that were used, and the orgId of which they are a part. These changes make it easier to identify what API Keys were modified. Example messages:

  • Deleted API ID ABCD7MUZWJ in org 12345
  • Added API ID ABCD7MUZWJ with name test-notifications in org 12345
  • User test@example.com retrieved secret key for API ID ABCD7MUZWJ in org 12345

 

Detection analytics improvements

In a continued effort to improve detection analytics, new detection capabilities and false positive reduction fixes have been added. In this release, we focused primarily on attacks that leverage native Windows applications to perform malicious activity. Additionally, we focused on reducing high-impact false positives related to code injection and port scanning activities. You should see improved detection capability in the Alerts page.

Please see the following list of improvements:

Type

Name

Description

New Detection

Microsoft Office Apps Invoking Script Hosts

Improved detection capability for Microsoft Office applications that invoke Powershell and other script hosts, by re-categorizing and elevating the score of these alerts and thereby making them more prominent.

New Detection

Mavinject Injection Malicious Code

Improved detection of attackers that leverage Mavinject, a native signed Windows application, to inject malicious code into other applications.

New Detection

MSBuild Making Network Connections

Improved detection of attackers that leverage MSBuild, a native signed Windows application, to make malicious network connections to other devices.

New Detection

Constructing Applications on the Fly

Improved detection of attackers that leverage native Windows tools to download and construct malicious applications from the Internet in an attempt to evade standard detection techniques.

New Detection

Credential Theft

Improved ability for analytics to detect attempted credential theft that evades standard Windows security policy enforcement.

False Positive Reduction

Code Injection

Eliminated alerts related to uncompromised Windows services that inject code into email applications that are known to not be suspicious.

False Positive Reduction

Code Injection

Eliminated alerts related to uncompromised Windows services that inject code into custom, whitelisted Office applications that are known to not be suspicious.

False Positive Reduction

Port Scanning

Eliminated alerts related to a common network security application that is known to scan local networks to verify connecting devices.

 

Fixed in this release

Issue ID

Description

DSER-15293

Fixed an issue where a role that had the Manage Devices permission could not access the Endpoints page’s Send Installation Request button.

DSER-15077

Fixed an issue where the UI gave the impression that a user’s email address could be changed after account creation.

DSER-15073

Fixed an issue where resetting 2FA for a user actually reset the user trying to do the reset.

DSER-14828

Fixed an issue where initializing a Live Response session did not set an expiration time, resulting in hung sessions when no command was issued.

DSER-8931

Fixed an issue where users could not add or delete tags for an alert.

 

Known issues

ID

Description

DSER-4390

Some sensors that should be Eligible for Upgrade are not marked as such.

DSER-5437

Additional markup is added to events forwarded via the event forwarder.

DSER-9664

Occasionally, clicking the link on an emailed alert notification results in the Alert Triage page not rendering correctly.

DSER-9670

Searching for “Threat Category: Malware” on the Alerts page returns results that are non-malware.

DSER-10342

Selecting Take Action > Uninstall from the Endpoints page fails to uninstall sensors in some cases. This leaves the sensor installed on an endpoint, but unable to communicate with the cloud.

DSER-10667

When an application's reputation is first determined to be NOT_LISTED and is then whitelisted, events shows WHITE_LISTED on the Investigate page. The application still shows as NOT_LISTED in the Applications tab.

DSER-10714

An incorrect API URL is listed on Settings > API Keys > Download. Please see this KB for the proper URLs: https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-URLs-are-used-to-access-the-API/....

DSER-10961

Older macOS sensor versions allow deletion of sensor files from the backend. This can occur on macOS sensor versions 3.1 and lower. This only occurs if an org administrator manually triggers the deletion.

DSER-11370

If an alert dismissal reason is selected when dismissing an alert, the alert does not dismiss properly.

DSER-12676

A notification for an alert can be sent when dismissing an alert, causing duplicate notifications to appear.

DSER-12728

In rare situations, navigating to some pages in the UI causes the page to render as gray. Refresh the page to render the page as expected.

DSER-13914

Auto-delete of deregistered devices is not functioning properly. Manual deregistration is working as expected.

DSER-14906

When using the /device/all?fileformat=xyz API to export all devices, deleted devices are incorrectly included in the export.

 


CB ThreatHunter

Renamed reputation fields on Events API

For requests to the Event search API endpoint (/threathunter/search/v1/orgs/{{org_key}}/events/_search), the reputation fields were incorrectly named.  We have updated these field names as follows:

Previous field name

Current field name

modload_reputation

modload_effective_reputation

scriptload_reputation

scriptload_effective_reputation

crossproc_reputation

crossproc_effective_reputation

childproc_reputation

childproc_effective_reputation

Note: No other fields are being renamed at this time.

 

IOCs must include field-qualified search parameters when being added to a Watchlist

When adding an IOC to a new or existing Watchlist via the Investigate page, the PSC requires all search parameters to be qualified with an explicit field.

Failure:ioc failure.png

 

 

Success:

ioc success.png

 

 

 

 

 

 

 

 

 

 

New ThreatHunter API versions

Updated the following APIs:

  • Feed Manager updated to v2.
  • Process Search updated to v1.
  • Watchlists updated to v3.

API documentation is available on our Developers Website.

 

Also in this release

  • On the Watchlists page, you can sort by Severity on the Hits tab.
  • The alert_id field on Investigate search now includes both types of Alerts — those from CB Analytics and those from Watchlists.
  • Investigate search now allows you to search by name of your CB ThreatHunter Watchlist, using the new watchlist_name field.

 

Fixed in this release

Issue ID

Description

DSER-13337

Threat Reports were deleted but still appeared in the Watchlist Details API response.

DSER-14731

Watchlist Description field was required by API but not in UI (now not required).

For information about other recently fixed issues, see the April 15 and April 29 PSC Release Notes.

 

Known issues

ID

Description

TPLAT-6201

First seen as field on the Binary Details page (and from the API) does not return paths in prevalence order; therefore, it is not possible to guarantee the actual first seen instance.

DSER-10685

Text remains in Investigate search bar if user navigates away and uses navigation Investigate option return to the Investigate page.

DSER-11445

Hovering the mouse on a Investigate search filter hides the percentage values.

DSER-11662

After you deselect a selected filter on the Investigate page, an otherwise-empty search still displays search results.

DSER-11904

Count of devices with hash on the Process Analysis page, is different than count of devices on the Investigate page.

DSER-11959

When user types "-" or "+" then accepts a suggested search field name, the + or - character is removed from search bar on the Investigate page.

DSER-12453

ThreatHunter Watchlist tags do not show up on the Notes/Tags tab of the Alerts page — these are a different type of tag data.

DSER-12538

Binary Details page crashes when UBS APIs return unexpected output.

DSER-13061

Feed API "replace reports" API call responds with 500 when it should send 400.

DSER-13177

The User Guide is missing from the Help menu for organizations that subscribe to CB ThreatHunter.

DSER-13271

No field descriptions/examples in many suggestions for search fields on Process Analysis page.

DSER-13283

When you search for Reports for a new Watchlist, you cannot access/add a Report that was returned by the search.

DSER-13295

For processes that have a very large number of events, the Process Analysis page for that process can be manually reloaded to load additional events until the query is completed in the background.

DSER-13636

Filters do not update when you navigate away from the Investigate page and then navigate back.

DSER-13773

Watchlist link still show on the Process Analysis page side panel after the Watchlist is deleted.

DSER-14090

If CB Defense is enabled on the PSC with WSC integration enabled, and you remove CB Defense, the WSC integration is not disabled.

DSER-14148

When the Investigate search bar overflows to multiple lines, you cannot use keyboard navigation or selection.

DSER-14276

When you delete a custom Watchlist from an enabled Watchlists page, results section of page reports "no watchlists enabled".

DSER-14758

Searching by device_internal_ip returns no results for CB ThreatHunter-native events on the Investigate page.

DSER-14764

For an organization that only uses CB ThreatHunter, the CB Defense icon still appears in the Explorer tray and the Programs List.

DSER-14832

When only one device_group is available, the /results API does not return device_group and the Device Group filter group disappears from the Investigate page.

DSER-15013

Rule Preview links show inconsistent result counts when you use wildcards on the Policies page.

DSER-15052

More Watchlist Notification emails are sent than the number of Watchlist Hits or Alerts.

DSER-15081

In some cases, script load events are reported as process creation events.

DSER-15187

"process_publisher" searches on the Investigate page lead to signed and unsigned binaries.

DSER-15385

Result count drops and rises when changing filters or terms on Investigate search.

DSER-15386

When user deletes the last Report in an enabled Watchlist, the Reports tab on Watchlists page shows all available reports rather than "No Reports for this Watchlist".

DSER-15532

Starting a search on the Process Analysis page with a hyphen-prefixed field name yields no results.

DSER-15704

Configurable filters on Investigate page do not persist after a user signs out.

DSER-15767

When an organization has no recent data, the Watchlists page submits a red toast error.

DSER-15784

ThreatHunter searches that send parameter data with the wrong type cause 502 Bad Gateway error.

DSER-15805

Add Query to Watchlist on Investigate page while selecting the Include historical data checkbox causes "Error while creating IOC"; but the Watchlist is still created.

DSER-15821

Add Watchlists Build tab: Cannot add Threat Report to Watchlist. When adding Threat Report to Watchlist fails, Watchlist is created with no Reports, and shows all Reports (due to DSER-15861).

DSER-15822

Syntax highlighting for modload_hash field highlights incorrectly.

DSER-15861

Viewing Watchlist with no Reports shows all Reports.

 


CB LiveOps

Fixed in this release

Issue ID

Description

DSER-14609

UI inconsistencies on the Query Builder

For information about other recently fixed issues, see the April 29 PSC Release Notes.

 

To print: Click the Show options menu (3 vertical dots next to the article), click Printer Friendly Page, right-click the page, and then click Print.


Carbon Black, Inc.      | 1100 Winter Street, Waltham, MA 02451 ​USA   | Tel: 617.393.7400

Copyright © 2011–2019 Carbon Black, Inc. All rights reserved. Carbon Black, CB Defense, CB LiveOps, CB ThreatSight, and CB ThreatHunter are registered trademarks and/or trademarks of Carbon Black, Inc. in the U.S. and/or other countries. All other trademarks and registered trademarks are the property of their respective owners.

Comments

Can I get PDF document?

Hello @yukisato -- I don't know if they plan on making the release notes available as a PDF, but if you go to the link below and use the print function from your browser you should have the option to save off the doc as a PDF before printing.

Let me know if you have any issues.

https://community.carbonblack.com/t5/tkb/articleprintpage/tkb-id/product-docs-news/article-id/2132

 

Capture.PNG

Article Information
Author:
Creation Date:
‎05-07-2019
Views:
1606