
Carbon Black (P3:Investigate): A Practical Guide/A Practical Training

  • Aug 1
  • 3 min read


The Investigate feature in Carbon Black is a powerful tool that allows you to perform deep searches, analyze details, and hunt for suspicious activities across your environment. It’s like a forensic magnifying glass, enabling SOC analysts to dig into both failed and successful operations performed by applications and processes on endpoints.


While I won’t dive into a full analysis tutorial here, this is an overview of how the feature works and why it’s so useful. Let’s break it down.


------------------------------------------------------------------------------------------------------------


Overview of the Investigate Page

When you open the Investigate page (screenshot provided below), you’ll notice its similarity to SentinelOne’s timeline feature.

[Screenshot: the Investigate page]

  1. Filters on the Left: These allow you to refine your search.

  2. Search Bar: Positioned at the top, you can run queries tailored to your investigation needs.

  3. Search Guide: Found at the top-right, this embedded guide assists you in crafting advanced queries.


Carbon Black markets this feature as a way to analyze every observation stored in the cloud, allowing you to:


  • Identify failed or successful operations.

  • Collect and act on data from your search results.

  • Use advanced search techniques for detailed visibility into events, processes, and observations.


------------------------------------------------------------------------------------------------------------


How to Use Investigate: A Basic Example

Let’s revisit a scenario from a previous article: you’ve created a rule to block wmiprvse.exe when invoked by cscript.exe.

[Screenshot: the blocking rule]

Now you want to investigate.


  1. Run a simple query:

     process_name:cscript.exe

     • This query fetches all processes whose name matches cscript.exe.

     • Below the search bar you’ll find three tabs:

       • Observations

       • Processes

       • Auth Events

------------------------------------------------------------------------------------------------------------

The Observations Tab


The Observations Tab provides a list of all interesting activities in your environment that didn’t necessarily trigger an alert.

Use Case:

  • You detected a suspicious file and want to hunt for related activity.

  • Observations allow you to search for processes, registry modifications, or other actions tied to the file.


Filters on the Left: These can be used to narrow your hunt and pinpoint specific activities.

[Screenshot: Observations tab with the left-hand filters]

Action Tab: Clicking the graph-like icon (Process Analysis) opens the process tree so you can investigate further.

Example Query for Hunting:


alert_category:THREAT OR sensor_action:DENY OR ttp:FILELESS 

This broadens the search scope: it returns observations tagged as threats, actions the sensor denied, or fileless techniques (TTPs), combined with OR so any one of them is enough to match.

------------------------------------------------------------------------------------------------------------


The Processes Tab

The Processes Tab gives details of all processes that ran in your environment based on your query.

[Screenshot: the Processes tab]

Example:

fileless_scriptload_cmdline:.ps1

This query matches fileless script loads whose command line contains .ps1, i.e. PowerShell script executions. The output lists the processes tied to those executions, so you can spot any malicious activity.
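To make the field:value syntax concrete, here is an added example (not code from this article or from Carbon Black) that evaluates the three queries used above, the basic process_name:cscript.exe search, the Observations hunting query and the Processes-tab .ps1 query, against a handful of constructed observation records, and also shows the blocked wmiprvse.exe-from-cscript.exe scenario as an AND query. The record field names are taken from the page's queries; the AND support, substring matching and everything else about the evaluator are my simplifications, not Carbon Black's actual query engine or tokenisation.

```python
"""Toy evaluator for the field:value search syntax used in this article.

Added example, not Carbon Black's query engine or SDK. It handles only the
subset shown on the page (field:value terms joined by OR, plus AND), treats a
term as matching when its value occurs anywhere in the record's field, and
ignores case. Real Carbon Black Cloud searches tokenise values and support
wildcards and ranges that this toy does not model. All records are constructed.
"""
import re

# Constructed sample observations; the keys are taken from the field names the
# page's queries use, plus parent_name/device_name for context. Not real telemetry.
OBSERVATIONS = [
    {"device_name": "ws-01", "process_name": "cscript.exe", "parent_name": "explorer.exe",
     "alert_category": "", "sensor_action": "ALLOW", "ttp": "", "fileless_scriptload_cmdline": ""},
    {"device_name": "ws-01", "process_name": "wmiprvse.exe", "parent_name": "cscript.exe",
     "alert_category": "THREAT", "sensor_action": "DENY", "ttp": "", "fileless_scriptload_cmdline": ""},
    {"device_name": "ws-02", "process_name": "powershell.exe", "parent_name": "cmd.exe",
     "alert_category": "", "sensor_action": "ALLOW", "ttp": "FILELESS",
     "fileless_scriptload_cmdline": "powershell.exe -File C:\\Temp\\update.ps1"},
    {"device_name": "ws-02", "process_name": "notepad.exe", "parent_name": "explorer.exe",
     "alert_category": "", "sensor_action": "ALLOW", "ttp": "", "fileless_scriptload_cmdline": ""},
]

TERM = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):(\S+)$")


def parse_query(query):
    """Parse 'a:b OR c:d AND e:f' into OR-groups of (field, value) pairs.

    AND binds tighter than OR, as in Lucene-style syntax, so the example above
    becomes [[('a', 'b')], [('c', 'd'), ('e', 'f')]].
    """
    groups = []
    for clause in re.split(r"\s+OR\s+", query.strip()):
        terms = []
        for token in re.split(r"\s+AND\s+", clause.strip()):
            m = TERM.match(token.strip())
            if not m:
                raise ValueError(f"unsupported term: {token!r}")
            terms.append((m.group(1), m.group(2)))
        groups.append(terms)
    return groups


def term_matches(record, field, value):
    """Case-insensitive containment: '.ps1' hits any command line that includes it.
    (Simplification: the real engine matches on tokens, not raw substrings.)"""
    return value.lower() in str(record.get(field, "")).lower()


def search(records, query):
    """Return the records matching the query: any OR-group whose terms all match."""
    groups = parse_query(query)
    return [r for r in records
            if any(all(term_matches(r, f, v) for f, v in group) for group in groups)]


def names(records):
    """Process names of a result set, for quick reading."""
    return [r["process_name"] for r in records]


if __name__ == "__main__":
    for q in ("process_name:cscript.exe",
              "alert_category:THREAT OR sensor_action:DENY OR ttp:FILELESS",
              "fileless_scriptload_cmdline:.ps1",
              # the blocked scenario from the article: wmiprvse.exe launched by cscript.exe
              "process_name:wmiprvse.exe AND parent_name:cscript.exe"):
        print(f"{q!r:70} -> {names(search(OBSERVATIONS, q))}")
```

Note that the OR hunting query returns the denied wmiprvse.exe record and the fileless PowerShell record but not the cscript.exe parent itself, which is exactly why the broader query is useful after a narrow process_name search: it surfaces what the sensor did about the activity, not just the process that started it.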


------------------------------------------------------------------------------------------------------------

The Auth Events Tab

This is one of the standout features of Carbon Black.

The Auth Events Tab provides detailed insights into Windows authentication events, supplementing process activity logs.


What You Can Investigate:

  • Who logged in to an endpoint during suspicious activity.

  • Failed login attempts and brute-force attacks.

  • Privilege escalation attempts and lateral movement.

  • Remote logins from anomalous sources.

  • Insider threats or use of stolen credentials.


Why It’s Valuable:

SOC analysts gain critical context during threat hunting and incident response. Carbon Black’s ability to correlate authentication events with process activity reduces response times and minimizes reliance on third-party tools.


Example Searches (each built from a search term plus the left-hand filters, as shown in the screenshots):

  • Failed login attempts on a specific endpoint:

[Screenshot: failed-login search and filter]

  • Remote logins:

[Screenshot: remote-login search and filter]
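The two example searches above (failed logins on an endpoint, remote logins) are shown only as screenshots, so here is an added example, not Carbon Black code and not its auth-event schema, that works the same questions offline over constructed authentication events: failed-logon counts per endpoint, bursts of failures from one source (a brute-force indicator), successful remote logons per account, and the burst-then-success pattern that deserves triage first. The field names and values are assumptions modelled on the Windows Security log (event 4624 = successful logon, 4625 = failed logon; logon type 3 = network, 10 = remote interactive, 2 = local console), and the timestamps and hosts are made up.

```python
"""Working the Auth Events tab offline: failed logons per endpoint, brute-force
bursts, remote logons, and the brute-force-then-success pattern.

Added example, not Carbon Black code and not its auth-event schema. The field
names are assumptions modelled on the Windows Security log (event 4624 =
successful logon, 4625 = failed logon; logon type 3 = network, 10 = remote
interactive, 2 = local console). The events and timestamps are constructed.
"""
from collections import Counter, defaultdict

# Constructed events in chronological order (ts is ISO-8601, so string comparison orders them).
AUTH_EVENTS = [
    {"ts": "2024-08-01T09:00:01", "device": "ws-01", "event_id": 4625, "user": "admin", "logon_type": 3, "source_ip": "203.0.113.7"},
    {"ts": "2024-08-01T09:00:02", "device": "ws-01", "event_id": 4625, "user": "admin", "logon_type": 3, "source_ip": "203.0.113.7"},
    {"ts": "2024-08-01T09:00:03", "device": "ws-01", "event_id": 4625, "user": "admin", "logon_type": 3, "source_ip": "203.0.113.7"},
    {"ts": "2024-08-01T09:00:04", "device": "ws-01", "event_id": 4625, "user": "admin", "logon_type": 3, "source_ip": "203.0.113.7"},
    {"ts": "2024-08-01T09:00:05", "device": "ws-01", "event_id": 4624, "user": "admin", "logon_type": 3, "source_ip": "203.0.113.7"},
    {"ts": "2024-08-01T09:05:00", "device": "ws-02", "event_id": 4624, "user": "jdoe", "logon_type": 10, "source_ip": "10.0.0.55"},
    {"ts": "2024-08-01T09:06:00", "device": "ws-02", "event_id": 4625, "user": "jdoe", "logon_type": 2, "source_ip": "-"},
    {"ts": "2024-08-01T09:10:00", "device": "ws-03", "event_id": 4624, "user": "svc_backup", "logon_type": 3, "source_ip": "10.0.0.20"},
    {"ts": "2024-08-01T09:11:00", "device": "ws-03", "event_id": 4624, "user": "mlee", "logon_type": 2, "source_ip": "-"},
]


def failed_logons_by_device(events):
    """Failed-logon (4625) count per endpoint: the first thing to check on a suspect host."""
    return dict(Counter(e["device"] for e in events if e["event_id"] == 4625))


def failed_logon_bursts(events, threshold):
    """(device, source) pairs with at least `threshold` failures: a simple brute-force indicator."""
    counts = Counter((e["device"], e["source_ip"]) for e in events if e["event_id"] == 4625)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def remote_logons(events):
    """Successful network (3) or remote-interactive (10) logons grouped by account,
    so an analyst can see who reached which host from where."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in (3, 10):
            by_user[e["user"]].append((e["device"], e["source_ip"], e["logon_type"]))
    return dict(by_user)


def successful_after_failures(events, threshold):
    """A burst of failures from one source followed by a success on the same host
    from that source: the pattern that most deserves triage."""
    hits = []
    for (device, src), n in failed_logon_bursts(events, threshold).items():
        last_fail = max(e["ts"] for e in events
                        if e["event_id"] == 4625 and e["device"] == device and e["source_ip"] == src)
        for e in events:
            if (e["event_id"] == 4624 and e["device"] == device
                    and e["source_ip"] == src and e["ts"] > last_fail):
                hits.append((device, src, e["user"], n))
    return hits


if __name__ == "__main__":
    print("failed logons per device:", failed_logons_by_device(AUTH_EVENTS))
    print("bursts (>=3 failures):", failed_logon_bursts(AUTH_EVENTS, 3))
    print("remote logons:", remote_logons(AUTH_EVENTS))
    print("success after burst:", successful_after_failures(AUTH_EVENTS, 3))
```

In the console the same questions are answered by combining the search bar with the left-hand filters (endpoint, logon result, logon type); the value of the tab is that the process activity for the same endpoint and time window is one click away, which is what lets you tell a noisy service account from a credential that was just brute-forced.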

------------------------------------------------------------------------------------------------------------

Why I’m a Fan of This Feature

Carbon Black’s Investigate tool offers simplicity and depth, eliminating the need to manually sift through logs. You can:

  • Quickly search for anomalies.

  • Export details for reporting.

  • Investigate further with ease.


Real-World Benefits:
The seamless integration of authentication data with process analysis enhances visibility, making it easier to detect and respond to threats like lateral movement, privilege escalation, or brute-force attacks.

------------------------------------------------------------------------------------------------------------

Stay tuned for the next article! Until then,
keep learning and growing. See you soon! 😊

Upcoming article: Carbon Black (P4:Enforce): A Practical Guide/A Practical Training

----------------------------------------------Dean-------------------------------------------------

 
 
 
