Carbon Black Cloud: Is all Windows API activity captured?
Carbon Black Cloud (Formerly PSC) Console: All Supported Versions
Endpoint Standard (Formerly CB Defense)
Enterprise EDR (Formerly CB ThreatHunter)
Workload (Formerly CB Defense for VMware + VMware AppDefense)
Audit and Remediation (Formerly CB LiveOps)
Microsoft Windows: All Supported Versions
Since malware can use API calls to perform malicious activity, are all APIs monitored?
Sensor 3.8 and Above
Enterprise EDR (EEDR) Windows sensors now detect and report associated API information relating to Windows cross process events (previously available in Endpoint Standard-enabled environments only) in Sensor Version(s) 3.8 and above. Users can now search on crossproc_api events within the admin console in EEDR-only environments.
Sensor 3.7 and Below
It is not possible to monitor all APIs in Sensor Version(s) 3.7 and below. The Sensor will monitor all behavior, and related TTPs will be captured.
Although a subset of monitored APIs can be exposed with the search field crossproc_api, API-specific monitoring will be avoided in future sensor versions.