Carbon Black (P5: Inventory): A Practical Guide/A Practical Training
- Aug 5

The Inventory feature in Carbon Black Cloud is an essential tool that helps administrators and security professionals manage and investigate their endpoint security posture effectively. Let’s dive into its key components, starting with the Endpoints tab, and explore the features and capabilities it provides.

Endpoints Tab
The Endpoints tab is your starting point for managing and investigating endpoints in your environment. Below is an overview of its layout and functionality:

Filters for Investigation
On the left-hand side of the tab, you’ll find several filters that simplify endpoint investigations. These filters include:
Sensor Status: Displays whether sensors are active, inactive, or in an error state.
Operating System (OS): Allows you to filter endpoints by their operating system.
Sensor Version: Helps identify which version of the Carbon Black sensor is installed.
Other Metadata Filters: These include options for grouping endpoints by their organizational unit, IP range, or other custom tags.
Each filter is self-explanatory and designed to make pinpointing specific endpoints quick and efficient.
Top-Right Controls
At the top-right corner of the screen, you’ll find two key options:

Sensor Options
The Sensor Options menu provides several actions to manage sensors:

Manage Sensor Settings: Enables deletion of unused sensors.

View Company Code: Displays the company code required during sensor installation.
Download Sensor Kit: Offers the installation package for the sensor.
Send Installation Request: Allows you to email installation instructions by entering the recipient’s details.

Add Group
The Add Group feature helps you dynamically assign sensors to specific groups based on predefined criteria:
Sensors matching all criteria for a group are added automatically.
If a sensor does not match any group’s criteria, it is assigned to the default Standard policy.
Group assignments are dynamic and will change if a sensor no longer meets the criteria for its current group.
You can define group criteria using “AND” or “OR” conditions, offering flexibility in your configurations.
Note: Sensors can belong to only one group at a time. If multiple groups match, the sensor is assigned to the group with the highest priority.
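
The assignment rules above can be modelled offline to check which policy a sensor would receive before a group is created. This is an added example, not Carbon Black code and not its API: the field names, operators, group names and the "lower number = higher priority" ordering are assumptions, and the sensor records are constructed.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_POLICY = "Standard"  # fallback policy named in the article

@dataclass
class Group:
    name: str
    policy: str
    priority: int   # assumption: lower number = higher priority
    mode: str       # "AND" or "OR", as described in the article
    criteria: list  # (field, operator, value) tuples; names are hypothetical

def _match(sensor, field, op, value):
    actual = sensor.get(field)
    if actual is None:
        return False  # a missing attribute never satisfies a criterion
    if op == "equals":
        return str(actual).lower() == str(value).lower()
    if op == "in_subnet":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value)
    raise ValueError(f"unknown operator: {op}")

def group_matches(sensor, group):
    hits = [_match(sensor, *c) for c in group.criteria]
    # An empty criteria list matches nothing (all([]) would be True).
    return bool(hits) and (all(hits) if group.mode == "AND" else any(hits))

def assign(sensor, groups):
    """Return (group, policy): one group at most, highest priority wins."""
    for g in sorted(groups, key=lambda g: g.priority):
        if group_matches(sensor, g):
            return g.name, g.policy
    return None, DEFAULT_POLICY  # no group matched

# Constructed sample groups and sensors (not real inventory data).
GROUPS = [
    Group("Servers", "Server-Lockdown", 1, "AND",
          [("os", "equals", "WINDOWS"), ("ip", "in_subnet", "10.20.0.0/16")]),
    Group("Finance", "Finance-Strict", 2, "OR",
          [("ou", "equals", "Finance"), ("name", "equals", "CFO-LAPTOP")]),
]
SENSORS = [
    {"name": "FIN-DB01", "os": "WINDOWS", "ip": "10.20.4.7", "ou": "Finance"},
    {"name": "FIN-LT22", "os": "MAC", "ip": "192.168.1.15", "ou": "Finance"},
    {"name": "DEV-LT03", "os": "LINUX", "ip": "192.168.1.40", "ou": "Eng"},
]

if __name__ == "__main__":
    for s in SENSORS:
        print(s["name"], "->", assign(s, GROUPS))
```

FIN-DB01 matches both groups and lands in the higher-priority one; changing its IP so it leaves the subnet moves it to the Finance group on the next evaluation, which is the dynamic reassignment the note describes.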
Sensor Update Status
Adjacent to the Endpoints tab, you’ll find the Sensor Update Status section. This feature displays:

Sensor versions installed across your environment.
Details of sensors requiring updates or showing errors.
-------------------------------------------------------------------------------------------------------------
Live Example: Viewing Sensor Details
When sensors are available, you’ll see details organized by status. Filters such as Sensor Status or Signature Status provide critical insights:

Sensor Status: Carbon Black provides detailed statuses for sensors, including connectivity and operational health. For example:

Active: Sensors reporting data and functioning correctly.
Inactive: Sensors not reporting or disabled.
Error: Sensors with connectivity or configuration issues.

Signature Status:
The Sig column in the interface indicates the status of sensor signatures:

Signature version status
Circle: Signatures are up to date (released within the last 7 days).

Triangle: Signatures are outdated (older than 7 days).

Square: Signatures are unreported or unidentifiable, possibly due to local scan configuration issues or connectivity errors.

These visual indicators make it easy to assess and prioritize updates or troubleshooting efforts.

Actions on Endpoints
When managing endpoints in Carbon Black Cloud, you can take the following actions:

Add to Asset Groups
Add selected endpoints to specified asset groups (if you’re using this feature).
Remove from Asset Groups
Remove endpoints from specific asset groups.
Assign Policy
Assign a prevention policy to determine sensor behavior.
Update Sensors
Update the sensor version on selected endpoints.
Start Background Scan
Initiate a one-time inventory scan to identify pre-existing malware.
If the controlling policy includes background scan settings, the scan type (standard or expedited) will follow that policy. Otherwise, the default is a standard scan.
Pause Background Scan
Temporarily stop the background scan. It will restart when the service or endpoint restarts.
Enable/Disable Bypass
Enable bypass: Temporarily disable policy enforcement on the endpoint.
Disable bypass: Reinstate policy enforcement.
Quarantine/Unquarantine Assets
Quarantine an endpoint to limit its outbound traffic and block inbound traffic.
Release an endpoint from quarantine when it is no longer a threat.
Uninstall Sensors
Remove macOS and Windows sensors. After removal, the sensor will appear as deregistered until deleted.
Delete Deregistered Assets
Fully remove a sensor from the Carbon Black Cloud console.
Disable Live Response
Disable Live Response for remote investigations and remediation. Re-enabling it requires sensor reinstallation.
Query Assets
Run SQL queries against endpoints to gather specific information.
Manage Sensor Gateway Connection
Control whether endpoints communicate directly with Carbon Black Cloud or through a Sensor Gateway.
Investigate and Go Live: Threat Hunting and Commands
Each endpoint provides several options for deeper investigation. Below are some key features:

Investigate
This is your go-to option for threat hunting. If you want detailed steps on this, check out our article below
Go Live

The "Go Live" option allows you to run live commands on an endpoint. These commands can be invaluable during an active investigation.

Query Asset

Last Option (Prebuilt queries)

USB Devices Management
Under the "USB Devices" tab, you can monitor connected USB devices. The filters and options available here are self-explanatory, as shown in the screenshot below (see attachment).

However, you might wonder, how do I block USB devices?
The answer lies in creating a policy. When setting up a policy (as detailed in this article), you can include rules for blocking USB devices.

Once a device is blocked, you will see an option to approve or reject it directly under the "USB Devices" tab.

Example Scenario:
A USB device is blocked by policy.
Navigate to the "USB Devices" tab to see the blocked device.
Approve the device if needed, or leave it blocked.

Sensor Groups

We’ve discussed sensor groups earlier. For more details, refer to the "Actions on Endpoints" section above. Sensor groups are an efficient way to manage multiple endpoints with similar configurations or policies.
Conclusion
By understanding these features, you can take full advantage of Carbon Black Cloud for endpoint management, threat hunting, and USB device control. Use the tools wisely to enhance your organization's cybersecurity posture.
Keep experimenting with these settings, and don’t hesitate to tweak configurations based on your organization's needs. I’ll leave you here for now, but stay tuned for my next guide—there’s always more to learn!
Upcoming Article: Carbon Black (P6: Settings): A Practical Guide/A Practical Training


