Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard (was CB Defense)
- Carbon Black Cloud Sensor: 2.0.x.x and Higher
- Apple macOS: All Supported Versions
- Microsoft Windows: All Supported Versions
Objective
This article explains how to confirm the effective (applied) reputation for events in the VMware Carbon Black Cloud Console.
Resolution
Alert Triage page
- Log in to the Console
- Go to the Alerts page and locate the desired Alert (alert_id)
- Go to the Alert Triage page for that alert_id
- Expand Event details below the process tree
- Review the details of the desired process for the event_id of interest (Parent, Process, or Target)
- Effective reputation is the reputation that was applied on the endpoint at the time of the event
Additional Notes
| Reputation Field | Description |
|---|---|
| Parent reputation, Process reputation, Target reputation | Reputation in Carbon Black Cloud as of the time of the Event; differences between this and effective reputation indicate the Sensor did not have this reputation at the time of the Event |
| Parent effective reputation, Process effective reputation, Target effective reputation | Reputation the Sensor had in memory at the time of the Event, and which was used in making Policy Action decisions |

Parent effective reputation source, Process effective reputation source, Target effective reputation source:
- Approved Database (was white database): Sensor applied the Predictive Security Cloud (PSC) Whitelist Database
- AV (was AV scan): Reputation came from Local Scanner (Windows only)
- Cloud: Reputation came from Carbon Black Cloud
- Cert (was cert whitelisting/approval): Reputation came from Cert Approval, resulting in LOCAL_APPROVED_LIST reputation
- Hash Rep (was hash reputation list): Reputation came from Company Approval/Banning (was Whitelist/Blacklist)
- Ignore: Reputation assigned to VMware Carbon Black files
- IT tools: Reputation came from IT Tools Approval, resulting in LOCAL_APPROVED_LIST reputation
- Pre-existing: Reputation came from being identified as a "Pre-existing" file (typically via Background Scan), resulting in LOCAL_APPROVED_LIST reputation
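The comparison described in the table (reputation versus effective reputation, per Parent, Process and Target) can be scripted when many events need review. The Python below is an added example, not VMware Carbon Black code; the dictionary key names and both sample records are constructed for illustration and are not a documented export schema.

```python
# Added example. Key names and sample values are assumptions (constructed),
# modelled on the field labels shown in the Event details pane.
ROLES = ("parent", "process", "target")

SAMPLE_EVENTS = [  # constructed records, not real console output
    {"event_id": "evt-0001",
     "parent_reputation": "TRUSTED_WHITE_LIST",
     "parent_effective_reputation": "TRUSTED_WHITE_LIST",
     "parent_effective_reputation_source": "Cloud",
     "process_reputation": "KNOWN_MALWARE",
     "process_effective_reputation": "NOT_LISTED",
     "process_effective_reputation_source": "Cloud",
     "target_reputation": "NOT_LISTED",
     "target_effective_reputation": "LOCAL_APPROVED_LIST",
     "target_effective_reputation_source": "Cert"},
    {"event_id": "evt-0002",  # no target recorded; parent and process agree
     "parent_reputation": "TRUSTED_WHITE_LIST",
     "parent_effective_reputation": " trusted_white_list ",
     "parent_effective_reputation_source": "Cloud",
     "process_reputation": "NOT_LISTED",
     "process_effective_reputation": "NOT_LISTED",
     "process_effective_reputation_source": "Cloud"},
]

def _norm(value):
    """Normalise a reputation string so case/whitespace do not cause false gaps."""
    return value.strip().upper() if isinstance(value, str) else None

def reputation_gaps(event):
    """Return one finding per role where the cloud reputation differs from the
    effective reputation the Sensor used for its Policy Action decision."""
    findings = []
    for role in ROLES:
        cloud = _norm(event.get(f"{role}_reputation"))
        effective = _norm(event.get(f"{role}_effective_reputation"))
        if cloud is None or effective is None:
            continue  # role not present on this event; nothing to compare
        if cloud != effective:
            findings.append({
                "event_id": event.get("event_id"),
                "role": role,
                "cloud": cloud,
                "effective": effective,
                "source": event.get(f"{role}_effective_reputation_source"),
            })
    return findings

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for gap in reputation_gaps(ev):
            print(gap)
```

Each finding marks a role where the Sensor acted on a reputation other than the one held in Carbon Black Cloud at the time of the Event, along with the source that supplied the effective value.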