Environment
- Carbon Black Cloud (Formerly PSC) Console: All Supported Versions
- Endpoint Standard (Formerly CB Defense)
- Enterprise EDR (Formerly CB ThreatHunter)
- Workload (Formerly CB Defense for VMware + VMware AppDefense)
- Audit and Remediation (Formerly CB LiveOps)
- Microsoft Windows: All Supported Versions
Question
Since malware can use API calls to perform malicious activity, are all APIs monitored?
Answer
Sensor 3.8 and Above
- Enterprise EDR (EEDR) Windows sensors in Sensor Version(s) 3.8 and above now detect and report the API information associated with Windows cross-process events (previously available only in Endpoint Standard-enabled environments). Users can now search on crossproc_api events within the admin console in EEDR-only environments.
Sensor 3.7 and Below
- It is not possible to monitor all APIs in Sensor Version(s) 3.7 and below. The Sensor monitors all behavior, and the related TTPs are captured.
Additional Notes
Although a subset of monitored APIs can be exposed with the search field crossproc_api, API-specific monitoring will be avoided in future sensor versions.