Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Windows Sensor: 3.5.0.1278 and higher
- Carbon Black Cloud Linux Sensor: 2.6.0 and higher
Objective
Identify data in the Carbon Black Cloud Console that is related to banned hashes
Resolution
Below are three examples of how to find data related to banned hashes:
- Navigate to the Alerts page and look for alerts with the text:
  - "Process xxxx invoked another process (yyyy). Policy actions applied: Deny"
  - In an Enterprise EDR-only org, the Alert Type facet category is not shown
  - In an Endpoint Standard + Enterprise EDR org, alerts for Hash Banning will continue to be CB Analytics alerts
- Alternatively, it is possible to search on the Investigate page for matching events:
  - Search in Investigate on the Processes tab for any combination of the following:
    - sensor_action:DENY
    - sensor_action_reason:POLICY_DENY
    - hash:(hash_on_the_company_banned_list)
  - Select Process Analysis for any of the matching processes, then search in the Events Table search bar for any combination of the following:
    - sensor_action_reason:POLICY_DENY
    - filemod_sha256:(hash_on_the_company_banned_list)
- Alerts page search:
  - sensor_action:DENY
  - ttp:run_banned_list_app
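As an added example (not from this KB article and not Carbon Black's own code): a small Python script that builds the Processes-tab query above from a company banned list and then triages exported search results, separating denials that match the banned list from POLICY_DENY denials with some other cause, and reporting banned hashes for which no denial has been seen. The record field names (process_sha256, sensor_action, sensor_action_reason, device_name, process_name), the OR grouping inside hash:(...), the placeholder hashes and the sample records are all assumptions or constructed data, not values from the page or from a real export.

```python
"""Triage Carbon Black Cloud banned-hash denials against a company banned list.

Added example, not part of the KB article or the Carbon Black product code.
Assumption: search results were exported as JSON records using the field
names below; a real export may name or shape these fields differently.
"""
import json

# Constructed company banned list (placeholder SHA-256 values, NOT real hashes).
BANNED_LIST = {
    "a" * 64,
    "b" * 64,
}

# Constructed sample of exported process search results (assumed field names).
# Record 1: banned-list hash denied.  Record 2: POLICY_DENY on a hash that is
# not on the list.  Record 3: allowed process, should be ignored.
SAMPLE_RESULTS_JSON = json.dumps([
    {"device_name": "WS01", "process_name": "c:\\users\\jdoe\\tool.exe",
     "process_sha256": "A" * 64,
     "sensor_action": ["DENY"], "sensor_action_reason": ["POLICY_DENY"]},
    {"device_name": "WS02", "process_name": "c:\\temp\\other.exe",
     "process_sha256": "c" * 64,
     "sensor_action": "DENY", "sensor_action_reason": "POLICY_DENY"},
    {"device_name": "WS03", "process_name": "c:\\windows\\system32\\notepad.exe",
     "process_sha256": "d" * 64,
     "sensor_action": ["ALLOW"], "sensor_action_reason": []},
])


def _as_upper_set(value):
    """Normalise a field that may be a string, a list of strings, or missing."""
    if value is None:
        return set()
    if isinstance(value, str):
        value = [value]
    return {str(v).upper() for v in value}


def build_investigate_query(banned_hashes):
    """Compose the Processes-tab query from the KB fields.

    Hashes are lower-cased and sorted so the query is stable; the OR grouping
    inside hash:(...) is an assumption about the Investigate query syntax.
    """
    hashes = sorted({h.lower() for h in banned_hashes})
    return ("sensor_action:DENY AND sensor_action_reason:POLICY_DENY "
            f"AND hash:({' OR '.join(hashes)})")


def triage_denials(results_json, banned_hashes):
    """Return (hits, unexplained, never_fired).

    hits        - DENY / POLICY_DENY records whose hash is on the banned list
    unexplained - DENY / POLICY_DENY records whose hash is NOT on the list
                  (some other policy rule denied them; worth a second look)
    never_fired - banned hashes with no matching denial in the results
    """
    banned = {h.lower() for h in banned_hashes}
    hits, unexplained = [], []
    for rec in json.loads(results_json):
        if "DENY" not in _as_upper_set(rec.get("sensor_action")):
            continue
        if "POLICY_DENY" not in _as_upper_set(rec.get("sensor_action_reason")):
            continue
        sha = str(rec.get("process_sha256", "")).lower()
        (hits if sha in banned else unexplained).append(rec)
    fired = {str(r["process_sha256"]).lower() for r in hits}
    return hits, unexplained, sorted(banned - fired)


if __name__ == "__main__":
    print(build_investigate_query(BANNED_LIST))
    hits, unexplained, never_fired = triage_denials(SAMPLE_RESULTS_JSON, BANNED_LIST)
    for r in hits:
        print("banned-list hit  :", r["device_name"], r["process_name"])
    for r in unexplained:
        print("other POLICY_DENY:", r["device_name"], r["process_name"])
    for h in never_fired:
        print("no denial seen for banned hash:", h)
```

Run it as a script to see the composed query and the three buckets; when pointed at a real export, the "unexplained" bucket is the one to review, since a POLICY_DENY on a hash that is not on the banned list means another policy rule is responsible and the banned-list alert text will not explain it.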
Related Content
Carbon Black Cloud: What are the requirements for Banned Hash Banning?