
  • 🌀 Fast-Flux DNS: How Malware Uses DNS to Stay Invisible

    Cybercriminals keep evolving their tactics, and one technique that has been gaining ground for years is fast-flux DNS: a trick that makes malicious infrastructure extremely difficult to block or take down. If you have ever wondered how malware keeps its command-and-control (C2) servers hidden in plain sight, fast-flux is often the answer.

    What Is Fast-Flux DNS?

    At its core, fast-flux DNS is a way for attackers to hide the real location of their C2 servers. Instead of pointing a domain at a fixed IP, the DNS records (specifically the A records) rotate rapidly, sometimes every few minutes. Here is how it works:

    - The DNS answer for the malicious domain does not return one fixed IP. It returns a list of IP addresses, each belonging to a compromised machine acting as a proxy.
    - Those machines forward the traffic to the actual C2 server, which stays hidden behind them.
    - The attackers set the TTL (time to live) of the records very low, usually under 5 minutes, so resolvers discard the answer quickly and the IP list keeps changing.

    The result is that defenders cannot just block a static list of IPs: the list is outdated almost as soon as it is written.

    Why It's So Hard to Block

    Let's say you identify a C2 domain being used in an attack. Blocking its IP address seems like the logical next step, right? Not so fast. Because the IPs tied to that domain change so rapidly, and are spread across hundreds or thousands of compromised devices, any IP blocklist is stale by the time it is deployed. This dynamic structure makes fast-flux highly resilient and frustratingly evasive. It is also why the defences below work at the domain level rather than the IP level.

    Enter Double-Flux: Fast-Flux, But Worse

    If fast-flux is bad, double-flux is worse. In a double-flux setup:

    - The A records (the IPs for the C2 domain) rotate, as before.
    - The NS records (which tell resolvers which name servers to ask) rotate too, and those name servers are themselves compromised systems.

    So not only are the C2 proxies changing, the DNS infrastructure itself is constantly shifting. This adds another layer of indirection between the victim and the true source of control.

    So... Can We Defend Against This?

    Yes, but it takes more work:

    - Sinkhole known malicious domains: DNS admins can override resolution of known bad domains on the internal resolvers, so they stop resolving (or resolve to a sinkhole you control) for the whole enterprise. This works no matter how fast the IPs behind the domain rotate.
    - Use your DNS logs wisely: logging DNS queries tells investigators who queried what, and when, and helps identify infected machines fast.
    - Hunt for patterns: fast-flux is hard to prevent outright, but it leaves patterns in DNS traffic that can be used for detection and investigation.

    Detecting Fast-Flux: What to Look For

    Fast-flux behaviour has a few tell-tale signs. None of them is proof on its own, since some legitimate services (CDNs, load balancers, geo-routing) use similar techniques, but together they can guide your threat hunting.

    1. Very low TTL values. Fast-flux domains tend to have TTLs under 5 minutes, and the lower the better from the attacker's point of view, because they want the records to expire quickly and force frequent re-resolution.
       Wireshark display filter: dns.resp.ttl < 300

    2. Lots of IP addresses in one response. Fast-flux domains often return many A records in a single DNS response, a dozen or more, reflecting the many compromised systems used as proxies.
       Wireshark display filter: dns.count.answers > 12
       (Caution: CDNs and load-balanced services also do this, so it is not always malicious.)

    3. Anomalies against your baseline. The best method is to compare new DNS behaviour with what is normal in your environment. If a domain suddenly starts behaving in wildly abnormal ways, say resolving to 15 different IPs every few minutes where it used to return one, that is a red flag.

    Final Thoughts

    Fast-flux DNS is a brilliant, and diabolical, tactic that makes life difficult for defenders. It is built for resilience, evasion, and survivability, and combined with double-flux and DGAs (domain generation algorithms) it is a nightmare cocktail. But with the right DNS logging, a solid baseline of what is normal, and a few detection heuristics, you can still track down infections and limit their impact.

    -- Dean
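The three detection heuristics above, turned into code. This is an added example written for this page, not code from the original post: it scores a constructed set of DNS answer observations (the kind a resolver log or passive DNS sensor yields; the domain names, addresses and per-domain baseline counts are made up) and only flags a name when the low-TTL signal is joined by at least one other indicator, so a short-TTL CDN name does not trip it on its own.

```python
"""Fast-flux triage over observed DNS answers.

Added example for this page, not code from the original post. It applies
the post's heuristics (low TTL, many A records per answer, deviation from
the domain's baseline) plus IP churn between successive answers to a
constructed set of DNS responses. All names, addresses and baseline
counts below are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set

TTL_THRESHOLD = 300    # seconds; same cut-off as the post's dns.resp.ttl < 300
MANY_ANSWERS = 12      # same cut-off as the post's dns.count.answers > 12
CHURN_RATIO = 0.8      # share of follow-up answers that must bring unseen IPs
BASELINE_FACTOR = 3    # distinct IPs seen vs. the domain's historical count


@dataclass
class DnsAnswer:
    ts: int              # epoch seconds when the response was observed
    name: str            # queried name
    ttl: int             # TTL of the A records in the response
    ips: List[str]       # A records returned in that single response


@dataclass
class DomainProfile:
    min_ttl: int = 10**9
    max_answers: int = 0
    responses: int = 0
    new_ip_events: int = 0              # responses that introduced an unseen IP
    distinct_ips: Set[str] = field(default_factory=set)


def build_profiles(answers: Sequence[DnsAnswer]) -> Dict[str, DomainProfile]:
    """Fold answers, in time order, into one profile per queried name."""
    profiles: Dict[str, DomainProfile] = defaultdict(DomainProfile)
    for a in sorted(answers, key=lambda x: x.ts):
        p = profiles[a.name]
        p.responses += 1
        p.min_ttl = min(p.min_ttl, a.ttl)
        p.max_answers = max(p.max_answers, len(a.ips))
        if p.responses > 1 and set(a.ips) - p.distinct_ips:
            p.new_ip_events += 1
        p.distinct_ips.update(a.ips)
    return dict(profiles)


def indicators(p: DomainProfile, baseline_ips: Optional[int]) -> List[str]:
    """Names of the fast-flux indicators one domain profile triggers."""
    hits: List[str] = []
    if p.min_ttl < TTL_THRESHOLD:
        hits.append("low_ttl")
    if p.max_answers > MANY_ANSWERS:
        hits.append("many_answers")
    # Churn: nearly every answer after the first carries IPs never seen before.
    if p.responses >= 3 and p.new_ip_events >= CHURN_RATIO * (p.responses - 1):
        hits.append("ip_churn")
    # Baseline: the name now maps to far more addresses than it historically did.
    if baseline_ips is not None and len(p.distinct_ips) > BASELINE_FACTOR * baseline_ips:
        hits.append("baseline_deviation")
    return hits


def fast_flux_candidates(answers: Sequence[DnsAnswer],
                         baseline: Dict[str, int]) -> Dict[str, List[str]]:
    """Domains whose low TTL is backed by at least one more indicator.

    A short TTL alone is exactly what CDNs and load balancers look like, so it
    is never sufficient by itself; this is the post's caveat made explicit.
    """
    flagged: Dict[str, List[str]] = {}
    for name, p in build_profiles(answers).items():
        hits = indicators(p, baseline.get(name))
        if "low_ttl" in hits and len(hits) >= 2:
            flagged[name] = hits
    return flagged


# Constructed sample: a corporate host, a CDN-fronted site, a flux-style name.
SAMPLE_BASELINE = {"corp.example.com": 1, "cdn.example.net": 4,
                   "update-check.example.org": 1}


def sample_answers() -> List[DnsAnswer]:
    data: List[DnsAnswer] = []
    for i in range(4):   # one stable address, one-hour TTL
        data.append(DnsAnswer(1000 + 600 * i, "corp.example.com", 3600, ["203.0.113.10"]))
    edges = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
    for i in range(4):   # short TTL, but the same four edge nodes every time
        data.append(DnsAnswer(1000 + 120 * i, "cdn.example.net", 60, edges))
    for i in range(4):   # short TTL, 14 answers, and a fresh set of proxies each time
        ips = [f"192.0.2.{i * 14 + j + 1}" for j in range(14)]
        data.append(DnsAnswer(1000 + 180 * i, "update-check.example.org", 120, ips))
    return data


if __name__ == "__main__":
    for name, hits in fast_flux_candidates(sample_answers(), SAMPLE_BASELINE).items():
        print(f"{name}: {', '.join(hits)}")
```

On the sample data only update-check.example.org is flagged, with all four indicators; cdn.example.net triggers low_ttl alone and is left out, which is the behaviour you want before you start blocking. Replace sample_answers() with records from your resolver or passive DNS logs and SAMPLE_BASELINE with per-domain distinct-IP counts from a quiet period, and tune the thresholds against your own environment.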

  • DNS in Forensics: The Hidden Goldmine for Threat Hunting

    When we think about forensic investigations and threat hunting, DNS is not usually the first thing that comes to mind. But dig a little deeper and you realise that DNS is one of the most powerful sources of evidence in any investigation. DNS logs are like a pulse check on your entire network: they quietly record who is talking to whom, when, and how, for nearly every protocol in use.

    Why DNS Matters So Much

    Attackers do not walk through the front door shouting. They sneak around the back, and that back door is very often DNS. It is used in everything from phishing and command-and-control (C2) infrastructure to data exfiltration. The problem is that most networks do not treat DNS seriously enough. It is run as just another service, not as a security tool.

    Imagine this: an attacker sets up a C2 domain and points it at 127.0.0.1 (localhost) most of the time, so nothing ever appears to connect to it. When it is time to activate the implants, they change the record to the real IP. If you only log queries and not responses, you miss that switch entirely.

    Good DNS Setup = Better Security

    If you are serious about DNS from a security perspective, there are a few best practices:

    - Use internal DNS servers: run a small number of DNS servers inside your network perimeter.
    - Lock down external DNS access: clients should only be allowed to query the internal DNS servers, never open resolvers on the internet.
    - Use DHCP for DNS assignment: keep it simple and consistent.
    - Block direct DNS access from clients to the internet: enforce it with the firewall.

    This configuration not only improves performance and reliability, it also gives you a centralised choke point for visibility, and any client that tries to bypass it by talking to an external resolver directly stands out in the firewall logs.

    The Problem with Traditional DNS Logging

    Most DNS servers support query logging, which is a good start, but here is the catch: they do not log the responses. That is a big blind spot. It is like hearing only one side of a conversation. For investigators it means missing crucial clues, such as which IP a domain resolved to at a specific moment, and it makes spotting malicious infrastructure that constantly changes (fast-flux, for instance) impossible. You would be flying blind.

    Enter Passive DNS Monitoring

    If you really want visibility, go passive. Passive DNS monitoring tools listen to DNS traffic on the wire and log both queries and responses. One fantastic open-source option is Edward Fjellskål's PassiveDNS (https://github.com/gamelinux/passivedns). It is lightweight, fast and versatile. You can:

    - run it live to monitor traffic as it happens (great for SIEM integration), or
    - process DNS traffic from pcap files during post-mortem analysis.

    It can write logs directly to a file or send them via syslog, so it plays nicely with most log aggregators and SIEM platforms.

    Practical Example: PassiveDNS in Action

    Installing PassiveDNS on Ubuntu, especially under Windows Subsystem for Linux (WSL), can be a bit challenging; you may hit several build errors caused by differences between a native Linux environment and WSL. Do not worry, though: you can reach out to me directly through email or the chat section and I will help immediately.

    Below is the installation process for PassiveDNS on Ubuntu, as per the project documentation:

        $ sudo apt-get install git-core binutils-dev libldns1 libldns-dev libpcap-dev
        # libdate-simple-perl is also needed for pdns2db.pl
        $ git clone git://github.com/gamelinux/passivedns.git
        $ cd passivedns/
        $ autoreconf --install
        $ ./configure
        $ make

    (GitHub no longer serves the git:// protocol, so if that clone fails use https://github.com/gamelinux/passivedns.git instead.)

    Once it is built, say you have a massive pcap file and want to zero in on the DNS activity quickly:

        sudo passivedns -r dns.pcapng -l ./passivedns.txt -L ./passivedns_nxdomain.txt

    This gives you two clean log files:

    - one with all successful DNS resolutions (-l), and
    - one with the NXDOMAIN (non-existent domain) responses (-L), which are often a sign of malware trying to resolve C2 domains that do not exist (yet).

    (The original post shows a screenshot of the resulting log output here.)

    And if you are monitoring live from a network tap:

        passivedns -i eth0 -D -y -Y

    This runs the tool as a background daemon (-D) and sends the real-time logs (-y), including the failed lookups (-Y), straight to syslog, from where they can be forwarded to your SIEM.

    Final Thoughts

    If you skip DNS logs in your investigations, you are missing a massive part of the story. DNS is not just a boring infrastructure protocol; it is a map of where your network traffic is going, and often an early warning of where threats are coming from. So whether you are hunting threats or digging through a breach, do not underestimate DNS. It is not just technical plumbing, it is a forensic goldmine.

    -- Dean
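Two things the post says query-only logging cannot show, pulled out of passivedns output in code: a domain whose answer flips from the parked 127.0.0.1 to a real address, and a client generating a burst of NXDOMAIN lookups. This is an added example written for this page, not part of the PassiveDNS project or the original post. It assumes passivedns' default "||" delimiter and field order (timestamp||client||server||class||query||type||answer||ttl||count) and treats a record as NXDOMAIN when either the type or the answer field is the literal NXDOMAIN (an assumption; compare one line of your own -L output). The log lines in SAMPLE_LOG are constructed, not captured traffic, and the client and server addresses in them are made up.

```python
"""Mine passivedns output for what query-only logging cannot show.

Added example for this page; not part of the PassiveDNS project or the
original post. Assumes passivedns' default '||' delimiter and field order
timestamp||client||server||class||query||type||answer||ttl||count, and
treats a record as NXDOMAIN when the type or answer field is the literal
"NXDOMAIN" (an assumption). SAMPLE_LOG is constructed, not captured.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    ts: float
    client: str
    server: str
    query: str
    rtype: str
    answer: str
    ttl: int


def parse_line(line: str) -> Optional[Record]:
    """One passivedns line to a Record; None for lines that do not fit."""
    parts = line.strip().split("||")
    if len(parts) < 9:
        return None
    ts, client, server, _cls, query, rtype, answer, ttl, _count = parts[:9]
    try:
        return Record(float(ts), client, server, query.rstrip(".").lower(),
                      rtype, answer, int(ttl))
    except ValueError:
        return None


def parse_log(text: str) -> List[Record]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def is_nxdomain(r: Record) -> bool:
    return r.rtype == "NXDOMAIN" or r.answer == "NXDOMAIN"


def is_parked(answer: str) -> bool:
    """Loopback or 0.0.0.0: the 'point it at localhost until needed' trick."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def activation_events(records: List[Record]) -> List[Tuple[str, str, str, float]]:
    """(name, old_answer, new_answer, ts) whenever an A answer leaves a parked address.

    Only visible because responses were logged; a query log shows the same name
    being asked for before and after, with nothing to tell the two apart.
    """
    last_answer: Dict[str, str] = {}
    events: List[Tuple[str, str, str, float]] = []
    for r in sorted(records, key=lambda x: x.ts):
        if r.rtype != "A" or is_nxdomain(r):
            continue
        prev = last_answer.get(r.query)
        if prev is not None and is_parked(prev) and not is_parked(r.answer):
            events.append((r.query, prev, r.answer, r.ts))
        last_answer[r.query] = r.answer
    return events


def nxdomain_bursts(records: List[Record], window: float = 60.0,
                    threshold: int = 5) -> Dict[str, int]:
    """client -> max distinct NXDOMAIN names seen within `window` seconds, if >= threshold.

    This is the trail a DGA-driven implant leaves while it walks candidate C2
    names that nobody has registered yet.
    """
    per_client: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for r in records:
        if is_nxdomain(r):
            per_client[r.client].append((r.ts, r.query))
    result: Dict[str, int] = {}
    for client, items in per_client.items():
        items.sort()
        best, lo = 0, 0
        for hi in range(len(items)):          # sliding window over time
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            best = max(best, len({q for _, q in items[lo:hi + 1]}))
        if best >= threshold:
            result[client] = best
    return result


# Constructed sample log (not real traffic): one parked C2 name that goes live,
# one client walking five DGA-style names, one innocent typo from another host.
SAMPLE_LOG = """\
1700000000.100000||10.0.0.7||10.0.0.53||IN||update-check.example.org.||A||127.0.0.1||60||1
1700000010.200000||10.0.0.9||10.0.0.53||IN||www.example.com.||A||203.0.113.10||3600||12
1700000300.300000||10.0.0.7||10.0.0.53||IN||update-check.example.org.||A||127.0.0.1||60||1
1700000600.400000||10.0.0.7||10.0.0.53||IN||update-check.example.org.||A||203.0.113.77||60||1
1700000605.000000||10.0.0.7||10.0.0.53||IN||qzxv81kd.example.net.||A||NXDOMAIN||0||1
1700000606.000000||10.0.0.7||10.0.0.53||IN||p0lmq7ce.example.net.||A||NXDOMAIN||0||1
1700000607.000000||10.0.0.7||10.0.0.53||IN||ww2k9ahf.example.net.||A||NXDOMAIN||0||1
1700000608.000000||10.0.0.7||10.0.0.53||IN||hs4nd1oz.example.net.||A||NXDOMAIN||0||1
1700000609.000000||10.0.0.7||10.0.0.53||IN||bt7yr2xg.example.net.||A||NXDOMAIN||0||1
1700000700.000000||10.0.0.9||10.0.0.53||IN||typo.exmaple.com.||A||NXDOMAIN||0||1
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, old, new, ts in activation_events(recs):
        print(f"{name}: {old} -> {new} at {ts:.0f}")
    for client, n in nxdomain_bursts(recs).items():
        print(f"{client}: {n} distinct NXDOMAIN names inside 60s")
```

Feed it the two files from the -l and -L run above concatenated (parse_log accepts either format, since both carry the same nine fields) and you get the activation timestamp for the C2 domain and the client that was probing for it, which is exactly the pivot an investigator needs and exactly what a query-only log would have hidden.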

  • Meet ASA: Your New AI-Powered Security Teammate from Sublime Security

    Let's be real: dealing with hundreds (sometimes thousands) of user-reported phishing emails every day is a nightmare for security teams. Analysts drown in emails, managers worry about response times, and users click "report" like it is a game. That is where ASA (Autonomous Security Analyst) from Sublime Security comes in: a superhero analyst that is faster, does not burn out, and never needs a coffee break.

    So, What Exactly Is ASA?

    Think of ASA as a virtual security analyst. It is an AI-powered automation that investigates the user-reported emails landing in your abuse mailbox. It looks at everything, makes a decision, and hands your human analysts a concise report so they do not spend the day staring at spam.

    When someone reports a suspicious email, ASA starts automatically; nobody has to press a button. It runs the full analysis and tells you what it thinks the message is: malicious, spam, graymail, benign, or unknown (it is not sure).

    What Does ASA Actually Do?

    - Checks files and links for malware
    - Inspects logos and visual content for phishing tricks (brand impersonation)
    - Investigates the sender to see whether they have caused trouble before
    - Points out misclassifications or odd behaviour in the email

    It does what a human analyst would do, just much faster.

    How Do You Use ASA?

    If you are using Sublime Security in an Enterprise setup and already have an abuse mailbox configured, it is simple: turn on the Automation called "Send user reports to ASA". That is it; ASA is now on the team.

    Where Does ASA Live?

    ASA currently runs either in Sublime's cloud environment (SaaS) or in your own AWS account (self-hosted). Supported AWS regions at the time of writing:

    - US: Virginia, Oregon, Ohio
    - EU: Dublin
    - UK: London

    ASA Has Two Personalities (a.k.a. Modes)

    1. Passive Mode, "the analyst buddy": ASA analyses emails and gives you all the findings but takes no action. You or your team make the final call. Great if you want to keep control but still get a big head start on the analysis.

    2. Active Mode, "the autonomous agent": ASA analyses, decides and acts. It can quarantine malicious messages, move spam to the junk folder, dismiss false positives, and escalate uncertain cases to a human analyst. This is the mode for 24/7 automated coverage, especially when your team is off the clock.

    ASA Verdicts: What Does It Call the Messages?

    ASA labels each message as one of:

    - Malicious: dangerous
    - Spam: junk it
    - Graymail: promotional or low-value mail
    - Benign: safe
    - Unknown: needs a human eye

    For each verdict you choose what ASA should do: quarantine, trash, move to spam, or just add a warning banner.

    ASA Reports: What Do You Get?

    ASA does not just say "spam" and walk away. For each message it produces:

    - a one-line summary with the verdict, the user reports and the message actions taken,
    - an executive summary with the details,
    - a full attack chain (if malicious), and
    - a deep dive into the sender, content, attachments and links, and the reasoning behind the verdict.

    Honestly, it is a mini threat-intel report for every message.

    ----

    One more thing before this article ends (and there is one last article after it, which is a very interesting one): let me show you the Admin tab.

    The Admin Tab

    We have explored Sublime's features, from automations and verdicts to ASA doing the heavy lifting. Before wrapping up, let's look behind the curtain at the Admin tab, where the real control lives. It is not the flashiest part of Sublime, but setup, permissions and policies all happen here. No jargon, just straight talk.

    Roles & Permissions

    Sublime ships with predefined roles to manage who can do what:

    - Admin: full control (79/79 permissions)
    - Analyst: what is needed for investigations (28 permissions)
    - Engineer: somewhere in between (47 permissions)

    Want more flexibility? Admins can create custom roles and fine-tune permissions for users based on the team's needs.

    Message Retention Settings

    You do not want to keep every email forever, but you do want to keep the important ones long enough for investigations. You can configure:

    - Raw EML (unflagged): how long to keep emails that were neither flagged nor reported. After this period the message metadata stays, but the body, links, screenshots and so on are gone.
    - Raw EML (flagged/user-reported): these are kept longer; again, you pick the retention period.
    - MDM retention: MDMs (Message Data Models) are kept for up to 30 days or for the unflagged EML retention period, whichever is shorter.

    Think of these as your time-machine settings: how far back can you go to re-analyse or investigate a message?

    Authentication & Security

    Hook Sublime into your SSO provider of choice: Okta, Azure AD, OneLogin, or any OpenID Connect or SAML provider. You can also control how people view message contents (an opt-in for extra control) and set an IP allow list so that only approved IPs can reach the Sublime dashboard or API. Very enterprise, very secure.

    Abuse Mailbox: The Front Door for Phishing Reports

    If your users forward suspicious emails, this is where Sublime catches them. Set up your abuse mailbox (up to 5 addresses) and Sublime will:

    - grab the original message that was reported (using headers, attachments, or references),
    - group messages from the same attack together, and
    - skip duplicates so your team does not do the same work twice.

    It is a smart inbox built for security teams. You can use a user mailbox, a distribution list, or a Google Group; just make sure at least one subscriber receives all the mail.

    Audit Logs: Because Receipts Matter

    Need to know who did what and when? Sublime's audit log records message actions, rule changes, logins, and pretty much everything else. Perfect for compliance, or for when someone swears they did not touch it.

    Adding Message Sources

    You can connect Sublime to Microsoft 365, Google Workspace, and IMAP accounts. Each source gives Sublime access to ingest messages from your environment. (The original post links to the guide for adding message sources.)

    Mailboxes Tab

    This one is simple: it lists all mailboxes connected to your Sublime environment, so you always know what you are monitoring.

    ----

    Final Thoughts

    ASA is like the intern who learns fast, works 24/7, and does not need supervision. Whether you want full control or full automation, ASA slots into your team and starts saving time and catching threats immediately. And the Admin tab is where you lay the foundation so the cool stuff (like ASA) can do its thing without chaos. That is Sublime Security's Admin tab, decoded in plain English.

    -- Dean

    Upcoming Article (the last in the series): The Final Piece: Hunting, Searching, and Analyzing Like a Pro in Sublime EDR for Email
    https://www.cyberengage.org/post/the-final-piece-hunting-searching-and-analyzing-like-a-pro-in-sublime-edr-for-email

  • The Final Piece: Hunting, Searching, and Analyzing Like a Pro in Sublime EDR for Email

    Alright folks, I have saved the best for last. If you have ever worked with a traditional EDR (Endpoint Detection & Response) tool, you know what it gives you: file analysis, threat hunting, quick search, incident review, all that good stuff. Now imagine doing all of that, but for email. Yes, you heard me right. Welcome to the world of Sublime EDR for Email.

    This is not a "filter spam and move on" solution. This is real EDR-level capability in your email environment. Let's break it down in the chill, easy way we always do. If this catches on, I might even write another post just about custom detection rules.

    First Stop: Search

    Let's start simple. Sublime gives you powerful search. You want to know:

    - how many people got an email from a shady sender?
    - did this subject line go to more than one user?
    - how many people received this one specific message?

    Type it in and you have your answer. No complex query language needed: use the sender email, the subject line, the message ID, whatever you have. It is straightforward, and honestly kind of fun once you get the hang of it. (The original post shows two example searches as screenshots.)

    The Coolest Part: Hunting

    Now THIS is my favourite part. This is where you put on your digital detective hat. Hunting in Sublime means searching across your entire email environment for things like:

    - suspicious attachments
    - authentication failures (DMARC, SPF or DKIM mismatches)
    - weird domains
    - signs of phishing or malware delivery
    - anything that looks off

    Hunting is driven by MQL (Message Query Language). Don't worry, it sounds more complicated than it is. If you have ever used YARA, Sigma, or even basic Python filters, you will feel right at home. And the best part?

    Meet the MQL Editor: Built for You

    The MQL Editor is like working in VS Code, but specifically for email detection rules. It is smart, fast, and gives you help while you write:

    - autocomplete
    - live error checking
    - function and field hints
    - debugging and test support

    You can upload a real .eml file and test your rule against it instantly. If it matches you see a check mark; if not, you get a warning that highlights what did not match. There is even a feature that shows the intermediate result of each function, so you are not guessing where the logic went wrong. Logic mistakes such as mixing up AND and OR, or forgetting a bracket, produce a gentle warning but do not block you. Super useful. If you are ever stuck, press Ctrl + Space to see all available fields and functions. Sublime's got your back.

    (The original post shows three example queries as screenshots. The queries are kept simple, but you can make them as specific as you like.)

    EML Analyzer: The Cherry on Top

    And now the final boss of this EDR setup: the EML Analyzer. Upload any .eml file (yes, the actual raw email file) and Sublime will:

    - analyse it with its ML engine,
    - break it down line by line, and
    - show you headers, links, attachments, logos, domains, you name it.

    It is like having your own little sandbox for inspecting suspicious messages without a full SIEM or EDR deployment. Perfect for analysts, incident responders, or curious defenders who want to dig into how phishing emails really work.

    ----

    Wrapping Up: That's a (Sublime) Wrap!

    That's it! This was the final piece of the Sublime EDR series, and honestly I had a blast sharing it with you all. Sublime is not just another "email security tool". It is a full-blown email EDR, and it gives you the power to investigate, hunt, remediate, automate, and analyse, and to do it faster than ever.

    Final Words

    If you enjoyed this journey and want to go deeper (how to write powerful MQL detection rules, or threat hunting workflows), hit me up! Also, if you are curious about how to get started with Sublime, or even want to join one of the best security companies out there, reach out to me. I will point you in the right direction and tell you why they are truly next-level. Thanks again for sticking with me through this series. I will catch you in the next article, where we dive into even more cool cybersecurity tools and concepts! Until then, stay safe, stay curious.

  • Beyond Detection: Hidden Power Features of Sublime Security

    While Detection Rules and Automations are at the heart of Sublime Security's threat detection and response, the platform is packed with additional tools and capabilities that make it more powerful, customisable, and community-driven. Here are a few advanced features every security team should explore.

    Git-Backed Rule Feeds: Stay Updated, Stay Ahead

    Sublime supports Git-backed rule feeds that deliver continuous updates from the Sublime team and the wider security community.

    - The Sublime Rules Feed is included by default and maintained by the Sublime team.
    - You can add custom feeds from GitHub, GitLab, or Bitbucket, which is perfect for managing and sharing detection rules across teams or community groups.

    To manage feeds, go to the Feeds section of the dashboard and click New Feed.

    Pro tip: community collaboration makes rules evolve much faster. Embrace it.

    Lists: Dynamic Sets for Smarter Matching

    Sublime supports named lists: reusable sets of data (domains, email addresses, file hashes, and so on) that you reference from your detection logic in MQL.

    - All list names start with $ (for example $org_vips, $blocked_domains).
    - You can create your own lists or use the built-in ones Sublime provides.
    - Lists simplify rule maintenance and improve readability: when a new VIP joins, you update the list, not every rule that references it.

    (The original post links to the Lists documentation.)

    Exclusions: Cut Out the Noise

    Exclusions suppress alerts on known benign messages (phishing simulations, internal test emails). They are evaluated before rules or automations run. There are three types:

    - Global Exclusion: the message is skipped by all rules and automations.
    - Detection Rule Exclusion: the message bypasses detection rules but can still trigger automations.
    - Rule-Specific Exclusion: stops one specific rule from matching a sender, domain, or recipient.

    Sublime ships with built-in global exclusions for phishing-simulation vendors such as Cofense, KnowBe4, and Hoxhunt; they are inactive by default but available if needed.

    Use exclusions strategically to reduce alert fatigue and fine-tune precision, and keep each one as narrow as the noise it is meant to silence: a global exclusion is also a global blind spot.

    Actions: How You Enforce Responses

    Actions are what you want to happen when something is detected. They can be applied manually or automatically through Rules and Automations. Two key ones:

    Quarantine (Enterprise)

    - Makes the email inaccessible to end users.
    - In Microsoft 365, the message is moved to Recoverable Items > Purges.
    - In Google Workspace, it is deleted from the user's inbox but remains retrievable by Sublime admins.

    To add quarantine: open a Rule or Automation, click Edit, choose Quarantine under Actions, and save.

    Move to Spam (Core + Enterprise)

    - Moves suspicious messages to the Spam/Junk folder.
    - Good for messages that are unwanted but not outright malicious.
    - Often paired with a warning banner for extra visibility.

    To use Move to Spam: open your Rule or Automation, click Edit, select Move to Spam under Actions, and save.

    Final Thoughts

    These extra features may seem small, but used properly they supercharge your email security operations:

    - feed integrations keep your detections fresh,
    - lists and exclusions fine-tune your logic,
    - actions like Quarantine and Move to Spam automate response, and
    - Git-based feeds make Sublime feel like a true DevSecOps-native platform.

    Let the platform do the heavy lifting; you focus on what matters most.

    -- Dean

    Upcoming Article: Meet ASA: Your New AI-Powered Security Teammate from Sublime Security
    https://www.cyberengage.org/post/meet-asa-your-new-ai-powered-security-teammate-from-sublime-security

  • Automations in Sublime Security: A Smarter Way to Respond to Email Threats

    In our previous articles we saw how Sublime Security's Detection Rules can be configured to take actions automatically, such as auto-quarantining a message or triggering a review. But what if you want more control, or prefer to separate detection from remediation workflows? That is where Automations come into play.

    What Are Automations?

    Automations are logic-based workflows in Sublime Security that triage and respond to email threats, especially those flagged by detection rules or reported by users. Think of Automations as your response engine: Detection Rules identify the problem, Automations decide what to do about it.

    You can configure Automations to:

    - auto-quarantine emails with a Malicious verdict,
    - trash phishing messages or apply visual warning banners,
    - alert when VIPs receive suspicious emails,
    - take action when a certain number of users report the same message, and
    - quarantine an entire campaign based on multiple detection triggers.

    How Do Automations Work?

    Automations are built on MQL (Message Query Language), the same language used by Detection Rules. They trigger on:

    - a message being reported by a user,
    - a Detection Rule flagging a message, or
    - both.

    Once triggered, an Automation runs in one of two modes:

    - Active: it takes the response action (auto-quarantine, trash, or apply a banner).
    - Passive: it only generates alerts (webhooks, dashboard signals) and takes no action.

    This makes it very flexible: run a new playbook in Passive mode, watch what it would have done, then flip it to Active when you are confident in it. You can toggle between the modes at any time while tuning.

    Core Feed of Automations

    Just like Detection Rules, Sublime Security ships with a Core Feed of recommended Automations:

    - they are inactive by default,
    - you can activate each one in Active or Passive mode, and
    - they are designed to respond to common threat patterns, saving you time and effort.

    These prebuilt workflows give you a solid foundation to build on or customise for your own threat landscape.

    Bonus: API Integrations for Power Users

    Sublime Security also offers a REST API, which lets you:

    - trash or quarantine messages directly from your SOAR,
    - update blocklists with IOCs from your threat intel feeds, and
    - enrich Jira, ServiceNow, or Slack alerts with email metadata.

    The API uses standard HTTP verbs, JSON payloads, and predictable URLs. You will find your exact base URL under Automate > API in the Sublime dashboard.

    Final Thoughts

    Automations in Sublime Security are powerful, flexible, and designed to reduce analyst fatigue. Whether you want fully hands-off auto-remediation or prefer a passive alerting model, Automations let you tailor your response strategy. Let Sublime handle the triage; you stay in control.

    -- Dean

    Upcoming Article: Beyond Detection: Hidden Power Features of Sublime Security
    https://www.cyberengage.org/post/beyond-detection-hidden-power-features-of-sublime-security

  • Let’s Talk About Detection Rules in Sublime Security (EDR for Email!)

    Okay, so in this tab we explore one of my favourite features of Sublime Security: Detection Rules, also known as your email detection posture. This is where things get really cool, especially if you love having visibility AND control over what happens in your email ecosystem.

    Here is the deal: Sublime Security publishes its rules on GitHub: https://github.com/sublime-security/sublime-rules. Yep, it is all open source. You can write your own rules, use existing community rules, and customise anything you like. No walled gardens, no black boxes, just detection logic you can read and change.

    How the Rules Are Organised

    The Detection Rules tab is where all the action starts, and they have done a neat job organising it. Rules are split into two main categories.

    1. Attack Types

    These answer the question "what is the attacker trying to do?". Each type reflects the attacker's primary goal, whether that is phishing for credentials, spreading malware, or socially engineering someone into transferring funds. Some examples:

    - BEC/Fraud (Business Email Compromise): someone pretends to be your CEO, a vendor, or another important person, trying to get you to send money or share sensitive information. No malware, no malicious links, just social engineering.
    - Callback Phishing: the attacker tricks you into calling a phone number; from there they talk you into installing malware, handing over data, or worse.
    - Credential Phishing: the classic. Fake Microsoft login pages, Google Docs prompts and the like, all designed to steal usernames and passwords.
    - Extortion: the old "we have your data, now pay us" scenario.
    - Malware/Ransomware: attachments or links that lead to malware payloads.
    - Reconnaissance: the attacker dipping a toe in to see whether your email system bites back: testing spam filters, checking which emails land in inboxes, and mapping targets before launching the real campaign.
    - Spam: not all spam is evil, but it is annoying and sometimes a smokescreen for worse things.

    2. Tactics and Techniques

    This section covers how attackers do what they do: the tools and tricks used to evade detection. Some examples:

    - Encryption: emails encrypted just enough to sneak past scanners.
    - Evasion: obfuscation, spoofed headers, links hidden in odd places.
    - Free Email Providers: attackers love Gmail and Outlook accounts because they look normal.
    - Free File Hosts: Dropbox and Google Drive links are not always innocent.
    - HTML Smuggling: malware hidden inside an HTML attachment and assembled when the file is opened in the browser.

    ...and the list goes on.

    Why I Absolutely LOVE This

    Now, you might ask, "Dean, why are you geeking out over this?" Because Sublime lets you apply actions per category or even per rule. You are not locked into a single response for every kind of threat. (There is an even better way to do this, Automations, which we cover in the next article, but this capability is there too; you choose which suits you.)

    For example, at the time of writing there are 74 BEC/Fraud rules (the count keeps growing, and you can add your own) and 35 Spam rules. Let's say:

    - for all BEC/Fraud emails you want auto-quarantine or auto-review (treated as Malicious), but
    - for Spam you just want to move the message to the spam folder and add a warning banner.

    (The original post shows screenshots of the rule category before an action is applied, while the action is being applied, and after.)

    One thing to keep in mind: a message that matches a rule filed under BEC/Fraud may also match a rule filed under Spam, so one message can pick up more than one verdict. Do not get confused or worried; remember the hierarchy. If multiple rules try to classify the same message, the platform uses this order of priority:

        Simulation > Benign > Malicious > Spam > Graymail

    So if one rule tags a message as Simulation and another as Malicious, Simulation wins.

    You can set different actions per type, and that flexibility is HUGE. And yes, you can mix and match: set a warning banner plus move to spam, or trigger user reporting, or simply alert only if you want to monitor before acting. This level of control is something most EDRs and email gateways charge a premium for; Sublime gives it right out of the box.

    What's Rule Effectiveness?

    There is a nifty section called Rule Effectiveness that shows how well your detection rules are working. Key points:

    - It only counts live-processed email, so your test messages and old logs are not included.
    - For each rule you can see who created or last updated it, how many emails it flagged, which actions are assigned to it, and how many of its hits were reviewed.

    It is perfect for fine-tuning your rules, whether you want to weed out false positives or catch things your current posture misses.

    One Thing to Remember

    By default, every rule is alert-only when you enable it. No action is taken until you define one. That is a good thing, because it gives you time to understand how a rule behaves in your environment before it touches mail. When you are ready you can assign actions: quarantine, add warning banners, enable user reports, auto-delete (if you dare), or just keep monitoring. Totally your call.

    What About ASR Rules?

    We covered ASR (Attack Surface Reduction) rules in a previous article, so I might just repeat that here or share a link, lol. In short: Attack Surface Reduction in Sublime Security is a specialised category of MQL Detection Rules that target abnormal or risky patterns in email. Think of it as your proactive threat filter for Microsoft 365 and Google Workspace environments.

    Detection Methods Rules

    Before we wrap up, let's touch on the Detection section of the analysis view, specifically Detection Methods Rules. This section highlights the technical methods and Sublime's custom rule-based techniques that identified and flagged the threat. These rules represent the logic or patterns the system detected in a message, such as suspicious sender behaviour, impersonation attempts, or malicious links.

    Tip: these rules are editable. If you see something that needs adjusting or tuning to better fit your environment, you can modify them. It is an excellent way to fine-tune detection for your organisation.

    Historical Ingestion

    Another important capability of Sublime Security is Historical Ingestion. It lets you ingest and analyse past email messages so that Sublime can build contextual baselines for better real-time detection and tuning. When you first deploy Sublime or activate new mailboxes, it prompts you to run historical ingestion so that it can learn from your environment.

    Why it matters:

    - it establishes behavioural baselines for what is normal across your organisation,
    - it helps reduce false positives by learning from how you label previous threats, and
    - it shows how Sublime would have flagged past messages, so you can tune and adjust before going live.

    Key steps:

    1. Review and label the results of the historical analysis. Labelling helps train Sublime's models and improves future detections.
    2. Exclude safe messages during this review to fine-tune detection and prevent noisy alerts.
    3. Once labelling is complete, activate your rules for real-time detection.

    Running historical ingestion does not affect mail flow; it is a passive process designed to improve accuracy.
🔧 For best results, make sure all mailboxes are activated and configure message retention to allow analysis as far back as you’re comfortable. --------------------------------------------------------------------------------------------------------- I will suggest, wait for my next article before enabling Action on Detection Rules you might find that way better right!!!!!! ------------------------------------------------------------------------------------------------------------- 🎯 Final Thoughts Sublime Security is truly building something special — like an EDR, but for your email . The detection rules tab is where it all comes together: visibility, customization, and control — all in one dashboard. Try it out — play with the rules. Trust me, you’ll enjoy the control it gives you over your email security like never before. --------------------------------------------Dean---------------------------------------------------- Upcoming Article: Automations in Sublime Security: A Smarter Way to Respond to Email Threats https://www.cyberengage.org/post/automations-in-sublime-security-a-smarter-way-to-respond-to-email-threats ---------------------------------------------------------------------------------------------------

  • Understanding the “Remediate Threats” Tab in Sublime Security

    The Remediate Threats section in Sublime Security is a powerful place to review and take action on suspicious or malicious emails. It's organized into multiple sub-tabs designed to help SOC analysts or IT security teams streamline email threat response. Let’s walk through each part, focusing on the Flagged tab — which shares a similar structure and logic with the User Reports tab.

Remediate Threats Tab Breakdown

The tab is divided into the following parts:

📌 Flagged – Emails automatically flagged by Sublime's detection engines, with the sub-tabs All Unreviewed, Attack Surface Reduction, Auto-Reviewed, and Auto-Remediated.
🧑‍💼 User Reports – Emails reported by users manually (similar to "Flagged", so we'll skip this in detail as the layout is the same).

Flagged > All Unreviewed

When Sublime flags an email, it shows up under “All Unreviewed”. This is where analysts start their review process.

🧠 Key Elements of the Email Detail View

Clicking on a flagged email expands a panel containing all related data. Here's what you see:

✅ Verdict – Sublime's classification (e.g., Malicious, Spam, etc.). In our example, the email was marked Malicious.
📊 Attack Score Signals – This section shows why Sublime determined the message to be malicious.
📬 Message Group Details – Details include: subject, sender, recipients, who opened the email or replied to it, and whether it was forwarded.
🕵️ Message Insights – This section summarizes key indicators such as: first-time sender domain/email, low reputation links, mismatched links, unsolicited sender, brand logos used in the email, domains in body and headers, sender’s timezone offset, and sender prevalence (e.g., new or known).
📑 Message Content – This area shows a preview of the email as seen by the user — essential for understanding how convincing the phishing attempt was. You can also download the .eml file for deeper forensics or sandboxing.
📧 Sender Details – Shows reputation history and authentication status. In our example:
Email: chrome@servicealerts.net
Past reviewed messages: 0
First Seen: New to your organization
Authentication: SPF: ❌ Failed, DKIM: ✅ Passed, DMARC: ❌ Failed
📜 Message Activity History – This timeline shows all events related to the message: open timestamps, forwarding trail, and the full recipient list with their actions.
👨‍⚖️ Review Status – You can take manual actions from here: select a classification (Malicious, Spam, Graymail, Benign, or Simulation) and an action taken (e.g., Quarantine, Allow, etc.). If you issue Quarantine, it will remove the email from all users in the group (how awesome is that?).

-----------------------------------------------------------------------------------------

I will show you another example of an email, then we move to the next tab.

Mail details:
Analysis details (which rules triggered the alert):
Message group details:
Message details:
Message content:
Sender details and authentication:
Message activity history:
Review status:

-----------------------------------------------------------------------------------------

Let's move to the next tab, which is ASR (Attack Surface Reduction).

Attack Surface Reduction (ASR)

ASR is Sublime’s way of proactively reducing exposure to attacks before they happen — much like hardening an endpoint.

🧬 What is ASR?

ASR uses custom MQL (Mail Query Language) rules to detect and block abnormal or suspicious behaviors. Examples include:

type.inbound
and any(attachments,
        .file_type in $file_extensions_common_archives
        and any(file.explode(.),
                any(.scan.javascript.identifiers,
                    strings.ilike(., 'ActiveXObject', 'ShellExecute'))
                or (
                    length(.scan.javascript.strings) > 0
                    and all(.scan.javascript.strings,
                            strings.ilike(., 'Shell.Application', '*.exe'))
                )
        )
)
and (
    profile.by_sender().prevalence in ("new", "outlier")
    or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign

This rule flags messages when JavaScript inside an archived attachment contains identifiers or strings that may attempt to execute files.

📥 What You’ll See

Alerts generated by ASR rules will appear under this tab. You can set ASR rules in “alert-only” mode or configure automatic actions such as: Quarantine, Move to Trash, Insert Warning Banner, Webhook Trigger, or Slack Notification. (I do not recommend this yet; I will give you a better method later, and then you can decide which method you want to use.) This allows teams to enforce strict hygiene policies on Microsoft 365 or Google Workspace — reducing phishing and BEC risk significantly.

-----------------------------------------------------------------------------------------

Let's talk about the third tab, called Auto-Reviewed.

Auto-Reviewed – Let the Platform Handle the Obvious

If you're overwhelmed by flagged emails that are obviously spam or benign, Auto-Review is your best friend.

What is Auto-Review? It’s an action you can assign to high-confidence rules. When triggered, it will:
Automatically classify the message (e.g., spam, malicious, benign)
Mark it as “auto-reviewed”
Hide it from your default triage view (unless you explicitly go to the Auto-Reviewed tab)

How to Set It Up
Open a specific detection rule.
Click Edit or Edit Metadata.
Add the Auto-review action.
Choose a classification like: Malicious, Unwanted (Spam or Graymail), or Simulation.
Save the rule.

Or else: go to Detection Rules -> select whichever detection category you want (I will choose BEC for now) -> click on View All -> select all rules -> click on Action -> select Auto-review -> select the classification.

Why It Matters

Say you’ve built a rule that’s great at catching marketing spam. Instead of manually reviewing those every day, enable Auto-review and classify them as Graymail. It keeps your analyst queue clean and focused on true threats.

Auto-Review Hierarchy

If multiple rules try to classify the same message, the platform uses this order of priority:

Simulation > Benign > Malicious > Spam > Graymail

So if one rule tags it as Simulation and another as Malicious, Simulation wins.

-----------------------------------------------------------------------------------------

Last tab: Auto-Remediated. Here you will see emails automatically acted upon using predefined automation rules.

-----------------------------------------------------------------------------------------

✅ Final Thoughts

Sublime Security’s Remediate Threats section helps you:
Investigate flagged emails deeply
Reduce noise with auto-review
Proactively block risky patterns using ASR rules
Give end users a way to report threats easily

With a mix of automation and human oversight, it's a powerful way to stay ahead of phishing and email-based threats.

----------------------------------------------Dean--------------------------------------------------

Upcoming Article: Let’s Talk About Detection Rules in Sublime Security (EDR for Email!)
https://www.cyberengage.org/post/let-s-talk-about-detection-rules-in-sublime-security-edr-for-email

-----------------------------------------------------------------------------------------------------
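As an added example (my own Python, not Sublime's code or its MQL engine), here is a model of the ASR rule quoted above together with the auto-review hierarchy from the Detection Rules and Auto-Review sections, run over three constructed messages that carry the same JavaScript dropper inside a .zip. The archive-extension list, the simulation-domain allowlist, the rule names and all message contents are assumptions.

```python
# Added example (not Sublime's code): a small Python model of the ASR rule quoted
# above and of the auto-review hierarchy. All messages below are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Assumed stand-in for Sublime's $file_extensions_common_archives list.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "iso", "img", "gz"}
# Assumed allowlist of phishing-simulation sender domains (placeholder value).
SIMULATION_DOMAINS = {"phishsim.example"}
# The hierarchy from the text: the first label present wins.
AUTO_REVIEW_PRIORITY = ["simulation", "benign", "malicious", "spam", "graymail"]


@dataclass
class ExplodedFile:
    """One file from file.explode(): what its JavaScript scan recovered."""
    js_identifiers: list = field(default_factory=list)
    js_strings: list = field(default_factory=list)

@dataclass
class Attachment:
    file_type: str                       # extension, e.g. "zip"
    exploded: list = field(default_factory=list)

@dataclass
class SenderProfile:
    """Mirrors the profile.by_sender() fields the rule consults."""
    prevalence: str                      # "new", "outlier", "common", ...
    any_messages_malicious_or_spam: bool = False
    any_messages_benign: bool = False

@dataclass
class Message:
    inbound: bool
    sender_domain: str
    attachments: list
    sender: SenderProfile


def ilike(value, *patterns):
    """Case-insensitive whole-string glob match, like strings.ilike."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def js_may_execute_files(f):
    """Inner any()/all() of the rule: execution-related identifiers, or string
    literals that all look like shell objects or .exe paths."""
    if any(ilike(i, "ActiveXObject", "ShellExecute") for i in f.js_identifiers):
        return True
    return bool(f.js_strings) and all(
        ilike(s, "Shell.Application", "*.exe") for s in f.js_strings)


def asr_js_in_archive(msg):
    """Python rendering of the quoted ASR rule, clause by clause."""
    risky = any(a.file_type in ARCHIVE_EXTENSIONS
                and any(js_may_execute_files(f) for f in a.exploded)
                for a in msg.attachments)
    p = msg.sender
    unknown_or_bad = (p.prevalence in ("new", "outlier")
                      or p.any_messages_malicious_or_spam)
    return msg.inbound and risky and unknown_or_bad and not p.any_messages_benign


def known_simulation_sender(msg):
    """Hypothetical high-confidence rule for a phishing-simulation provider."""
    return msg.sender_domain.lower() in SIMULATION_DOMAINS


# (rule name, predicate, auto-review classification): constructed rule table
RULES = [
    ("asr/js_in_archive_from_unknown_sender", asr_js_in_archive, "malicious"),
    ("simulation/known_provider", known_simulation_sender, "simulation"),
]


def resolve_classification(labels):
    """Apply Simulation > Benign > Malicious > Spam > Graymail."""
    return next((lab for lab in AUTO_REVIEW_PRIORITY if lab in labels), None)


def evaluate(msg):
    """Return the names of the rules that fired and the resolved verdict."""
    fired = [(name, label) for name, pred, label in RULES if pred(msg)]
    return [n for n, _ in fired], resolve_classification({l for _, l in fired})


# Constructed samples: the same JavaScript dropper inside a .zip, three senders.
DROPPER = ExplodedFile(js_identifiers=["WScript", "ActiveXObject"],
                       js_strings=["Shell.Application", "C:\\Temp\\update.exe"])
NEW_SENDER = Message(True, "unknown-vendor.example",
                     [Attachment("zip", [DROPPER])], SenderProfile("new"))
SIMULATION = Message(True, "phishsim.example",
                     [Attachment("zip", [DROPPER])], SenderProfile("outlier"))
TRUSTED = Message(True, "partner.example", [Attachment("zip", [DROPPER])],
                  SenderProfile("common", any_messages_benign=True))
```

Running evaluate() on the three samples shows the new sender auto-reviewed as malicious, the simulation provider winning the hierarchy even though the ASR rule also fired, and the sender with benign history producing no hit at all.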

  • Sublime Security – Dashboard Walkthrough (Overview + User Reports)

    Alright folks — let’s dive in! Now that I’ve hyped up Sublime Security in the last post (with good reason 😎), it’s time to show you how this beast of a platform actually looks and what kind of visibility you get once it's live in your environment. We’re starting with the two most straightforward but powerful pages: the Overview tab and the User Reports tab. I know — it’s pretty self-explanatory. But I’m still going to walk you through it because even simple things can show big impact when done right.

📊 Page 1: The Overview Dashboard

So the moment you log into Sublime, this is your command center. The Overview page gives you a real-time pulse on what’s happening inside your email environment — and honestly, it’s clean, informative, and actually useful (not just pretty graphs). Let’s break it down 👇

✅ High-Level Stats Right Up Top

The first thing you'll see: how many mailboxes are protected, how many messages have been analyzed, and how many detection rules are active. This gives you instant feedback on how wide your protection spans and how active your defenses are. No need to dig through config menus.

📈 Attack Remediation Timeline

Next up — a timeline chart that shows how many attacks were remediated per day. This is 🔥 because it lets you see the ebb and flow of attacks over time. You’ll notice spikes — and those spikes tell stories. Was there a burst of phishing on a Monday? Did something sketchy happen over the weekend? This is where you start spotting patterns.

🏷️ Top Labels: See What’s Being Flagged

Scroll a bit, and you hit the Top Labels section, broken down by:
Attack Types – What was the goal? (BEC, credential theft, QR scams, etc.)
Tactics & Techniques – How did they try to pull it off? (HTML smuggling, spoofing, obfuscated links...)
Detection Methods – How were these threats caught? Was it AI, a custom rule, a community rule?

You’re not just seeing “what got blocked” — you’re seeing how and why it was caught, which is gold for any security team trying to improve detection strategies.

🔍 Top Detection Rules

You’ll also get a list of the detection rules that fired the most, based on how many attacks each rule caught. This helps in two major ways: you know which rules are working, and you can prioritize tuning the ones getting noisy or low-confidence hits.

🎯 Top Targets

This section shows the mailboxes getting attacked the most. Very useful to:
Identify high-risk users (like finance, C-levels, HR)
Correlate with investigation timelines
Build custom protection (like VIP inbox rules)

⚙️ Actions Summary

A breakdown of remediation actions applied (e.g., quarantined, moved to junk) and alert actions (like notifying the SOC or ticket creation). You see what actually happened after the detection — and whether automation kicked in or manual action was needed.

🚨 Message Classification

At the very bottom, you get a clear picture of how many messages were classified as malicious or spam, and how many were automatically remediated vs manually handled. This gives a snapshot of the human vs machine balance — and you’ll start to see how much time you’re saving through automation. And don’t worry — we’ll dig deeper into these remediation details in a future post.

📬 Page 2: User Reports Overview

The next tab is super useful, especially if you have an organization where users report emails to the SOC or security team. This section basically shows the emails reported by users and what action was taken: quarantined, moved to spam, marked clean, ignored, or further investigated. You don’t need to be a genius to use it — just click, review, and go. It helps the SOC team verify whether a report was valid or not, and it builds confidence with users that their reports are being looked at.

🧠 Why These Two Pages Matter (More Than You Think)

While these two tabs seem “basic,” they actually offer:
Instant operational visibility
Historical awareness (timeline + trends)
Confidence in what's working and where to tune
Context for each mailbox, rule, and user action

In the old days, we’d have to pull logs from the SEG, correlate with EDR alerts, and chase people down for context. Sublime brings all that into one place, focused purely on email.

---------------------------------------------------------------------------------------------------------

🎤 Wrapping Up

That’s the bird’s-eye view of your Sublime dashboard. In the upcoming articles, I’ll dive deeper into custom rules, retro hunting, and how to use MQL like a pro. Because honestly, that’s where the magic happens — and it’s where you get to turn this tool into your own personalized email defense engine. Until then — stay safe, stay curious, and watch those inboxes! Let’s keep digging. 🔍

-----------------------------------------------------------------------------------------------------------

Upcoming Article: Understanding the “Remediate Threats” Tab in Sublime Security
https://www.cyberengage.org/post/understanding-the-remediate-threats-tab-in-sublime-security

-----------------------------------------------------------------------------------------------------------

  • Sublime Security – The EDR of Email We Needed!

    Hey folks! You know there are certain tools you just can’t ignore anymore — not because of hype, but because they actually deliver. One of those tools, for me, is Sublime Security. Now let me be real with you — I was never super excited about email security tools. Yeah, we’ve got the old-school secure email gateways (SEGs), filters, allowlists, blocklists, SPF/DKIM/DMARC setups... we’ve all been there. But when I came across Sublime, something clicked. And I finally got a chance to work with it — so I’m going to take you on that journey. Because trust me, this tool? It’s a game-changer — especially when we’re talking about Business Email Compromise (BEC), phishing, QR code scams, and all the sneaky stuff attackers use to target our inboxes.

🛡️ Why I Call Sublime Security the “EDR for Email”

Okay so hear me out — even Sublime itself calls it that. And honestly, they’re not wrong. When you think of EDR (Endpoint Detection and Response), what comes to mind? You get:
Full visibility into behavior
Custom detection logic
Historical hunting
Rapid response and remediation
Transparency, not just a black box

Now imagine if you could do that, but for email. Not just after something gets delivered, but even after it was missed by your secure gateway or native Microsoft/Google controls. That’s what Sublime does.

🤖 What Exactly Is Sublime Security?

At its core, Sublime Security is an open, programmable email security platform designed to run detection logic and visibility across your cloud inboxes (M365 and Google Workspace). It combines:
✅ AI-powered detection
✅ Behavioral analysis
✅ Open detection rules written in MQL (more on that in a sec)
✅ Community-driven content
✅ Retro hunting — you can go back and look for past threats
✅ Self-hosted or SaaS options — and yes, the first 100 inboxes are FREE!

🧠 What’s MQL? And Why Should You Care?

Message Query Language (MQL) is one of the coolest parts of Sublime. Think of it like Sigma/YARA, but for email. You’re not just setting filters — you’re writing actual logic:
Find if an email has a suspicious HTML attachment
Flag any sender impersonating your CEO
Catch QR code phishing attempts (you'd be surprised how common these are now!)
Detect reply chain hijacking

And the best part? The community contributes hundreds of rules — and they’re available on GitHub. So it’s not just Sublime doing the work; we’re all doing it together.

🌐 The Main Components of Sublime

Here’s what makes this platform tick:
🔍 Sublime Defend: Their detection engine — runs all those AI + custom rules to flag suspicious emails.
📥 Sublime Triage: Automates analysis of user-reported emails. It basically reduces the noise and helps you focus on real threats.
🕵️ Sublime Hunt: Now this is 🔥 — retroactively hunt down threats that slipped past your defenses. Like going back in time to catch that attacker before they cause real damage.

🎯 Why This Matters — Especially for BEC

In my career investigating incidents, I can confidently say: 50–60% of compromises start with email. Especially BEC — and you know what? Those don’t always involve malware. They’re sneaky. Sometimes it’s a fake invoice, a reply-chain hijack, or someone pretending to be your vendor. Traditional tools miss these, because they’re not weird enough to trigger AV. They don’t have links. They just look real. That’s where Sublime shines. It understands email context. It lets you build rules based on behaviors, headers, timing, content patterns — real security logic, not just signatures.

🚀 Why I’m Hyped About Sublime

And no, this isn’t a sponsored post. I’m just honestly excited to finally have a tool that treats email security the way we treat endpoint security — seriously.

-------------------------------------------------------------------------------------------------------

🔜 What’s Next?

In this series, I’ll walk you through Sublime Security. If you’re tired of black-box tools and want full control over email security — this might just be your new favorite toy. Till then, buckle up. 🛡️ Let’s build a better email defense together.

-------------------------------------------------Dean-----------------------------------------------

Upcoming: Sublime Security – Dashboard Walkthrough (Overview + User Reports)
https://www.cyberengage.org/post/sublime-security-dashboard-walkthrough-overview-user-reports

--------------------------------------------------------------------------------------------------

  • Carbon Black (P6:Settings): A Practical Guide/A Practical Training

    In this guide, we'll cover the last section of the Carbon Black Cloud console: the Settings tab. This area is crucial for managing your environment, configuring users, roles, notifications, and more. Let’s dive into each subsection and see what they offer.

1. General

The General subtab provides essential information about your Carbon Black account and its configuration. Here’s what you can find:
Enabled Products: Displays the list of products activated for your account. For additional tools, links to relevant documentation are available if you’re considering a purchase.
Account Details:
OrgID & OrgKey: These are unique identifiers for your account, necessary for API integrations. Keep these handy if you're making API calls.
DNS Suffix: Defines the domain suffix your devices use, such as yourcompany.com. It’s an organization-specific identifier set during DHCP configuration.
Reachable Hosts: This is the IP address or fully qualified domain name (FQDN) of an internal host, like your DNS server. It's used to confirm on-premises reachability and must avoid private IPs like 10.x.x.x or 172.x.x.x.
Windows Registry Key: This permanent setting ensures compatibility with Windows security updates (e.g., KB4072699). Once enabled, it cannot be modified.

2. Users

The Users subtab allows you to manage who has access to your console. Add new users and grant them specific permissions. View logs related to user activity, ensuring accountability and transparency.

3. Roles

Roles are critical for managing permissions across your organization. Use prebuilt roles for common needs or create custom roles tailored to your environment. Assign roles to users based on their job responsibilities, ensuring a least-privilege approach to security.

4. Notifications

Want to stay informed? The Notifications subtab lets you set up alerts based on specific conditions. Scenarios where notifications can be triggered:
Alert Thresholds: When an alert exceeds a predefined limit.
Specific TTPs or MITRE Techniques: Be notified when certain tactics, techniques, or procedures (TTPs) are detected.
Policy Actions: Alerts when specific policy actions are applied.

5. API Access

API Access enables seamless integration with other security tools in your ecosystem. Generate API keys to authenticate your integration with external systems. For detailed guidance, check Carbon Black’s official API documentation.

6. Data Forwarder

The Data Forwarder feature lets you send bulk data to external storage for advanced analytics and reporting. Supported destinations:
AWS S3 Buckets: Create an S3 bucket and configure a bucket policy to grant the necessary permissions. Use prefixes to send data to specific sub-folders.
Microsoft Azure Blob Storage: Authorize Carbon Black Cloud using a federated-credentials-based Managed Identity. Note: Unlike AWS S3, Azure requires an individual blob container for each forwarder.
Tip: This is useful for integrating with SIEM tools or for maintaining historical logs outside of Carbon Black.

7. Audit Log

The Audit Log subtab provides a trail of actions performed within the console. Track login attempts, configuration changes, and user activity. Use this feature for compliance audits and internal investigations.

Wrapping Up

With its comprehensive features and intuitive interface, Carbon Black Cloud empowers organizations to take control of their cybersecurity posture. From endpoint protection to advanced threat hunting, the platform provides everything needed to stay ahead of emerging threats. By mastering these tools and features, you're not just enhancing security—you're building a resilient defense against the challenges of tomorrow. That wraps up our deep dive into Carbon Black! See you in the next series of articles—until then, stay curious and stay secure. Bye-bye! 👋

  • Carbon Black (P5:Inventory): A Practical Guide/A Practical Training

    The Feature Inventory in Carbon Black Cloud is an essential tool that helps administrators and security professionals manage and investigate their endpoint security posture effectively. Let’s dive into its key components, starting with the Endpoints tab, and explore the features and capabilities it provides.

Endpoints Tab

The Endpoints tab is your starting point for managing and investigating endpoints in your environment. Below is an overview of its layout and functionality.

Filters for Investigation

On the left-hand side of the tab, you’ll find several filters that simplify endpoint investigations. These filters include:
Sensor Status: Displays whether sensors are active, inactive, or in an error state.
Operating System (OS): Allows you to filter endpoints by their operating system.
Sensor Version: Helps identify which version of the Carbon Black sensor is installed.
Other Metadata Filters: These include options for grouping endpoints by their organizational unit, IP range, or other custom tags.
Each filter is self-explanatory and designed to make pinpointing specific endpoints quick and efficient.

Top-Right Controls

At the top-right corner of the screen, you’ll find two key options.

Sensor Options
The Sensor Options menu provides several actions to manage sensors:
Manage Sensor Settings: Enables deletion of unused sensors.
View Company Code: Displays the company code required during sensor installation.
Download Sensor Kit: Offers the installation package for the sensor.
Send Installation Request: Allows you to email installation instructions by entering the recipient’s details.

Add Group
The Add Group feature helps you dynamically assign sensors to specific groups based on predefined criteria:
Sensors matching all criteria for a group are added automatically.
If a sensor does not match any group’s criteria, it is assigned to the default Standard policy.
Group assignments are dynamic and will change if a sensor no longer meets the criteria for its current group.
You can define group criteria using “AND” or “OR” conditions, offering flexibility in your configurations.
Note: Sensors can belong to only one group at a time. If multiple groups match, the sensor is assigned to the group with the highest priority.

Sensor Update Status

Adjacent to the Endpoints tab, you’ll find the Sensor Update Status section. This feature displays:
Sensor versions installed across your environment.
Details of sensors requiring updates or showing errors.

-------------------------------------------------------------------------------------------------------------

Live Example: Viewing Sensor Details

When sensors are available, you’ll see details organized by status. Filters such as Sensor Status or Signature Status provide critical insights:

Sensor Status: Carbon Black provides detailed statuses for sensors, including connectivity and operational health. For example:
Active: Sensors reporting data and functioning correctly.
Inactive: Sensors not reporting or disabled.
Error: Sensors with connectivity or configuration issues.

Signature Status: The Sig column in the interface indicates the status of sensor signatures:
Circle: Signatures are up to date (released within the last 7 days).
Triangle: Signatures are outdated (older than 7 days).
Square: Signatures are unreported or unidentifiable, possibly due to local scan configuration issues or connectivity errors.
These visual indicators make it easy to assess and prioritize updates or troubleshooting efforts.

Sensor update status:

Actions on Endpoints

When managing endpoints in Carbon Black Cloud, you can take the following actions:
Add to Asset Groups: Add selected endpoints to specified asset groups (if you’re using this feature).
Remove from Asset Groups: Remove endpoints from specific asset groups.
Assign Policy: Assign a prevention policy to determine sensor behavior.
Update Sensors: Update the sensor version on selected endpoints.
Start Background Scan: Initiate a one-time inventory scan to identify pre-existing malware. If the controlling policy includes background scan settings, the scan type (standard or expedited) will follow that policy. Otherwise, the default is a standard scan.
Pause Background Scan: Temporarily stop the background scan. It will restart when the service or endpoint restarts.
Enable/Disable Bypass: Enable bypass temporarily disables policy enforcement on the endpoint; disable bypass reinstates policy enforcement.
Quarantine/Unquarantine Assets: Quarantine an endpoint to limit its outbound traffic and block inbound traffic. Release an endpoint from quarantine when it is no longer a threat.
Uninstall Sensors: Remove macOS and Windows sensors. After removal, the sensor will appear as deregistered until deleted.
Delete Deregistered Assets: Fully remove a sensor from the Carbon Black Cloud console.
Disable Live Response: Disable Live Response for remote investigations and remediation. Re-enabling it requires sensor reinstallation.
Query Assets: Run SQL queries against endpoints to gather specific information.
Manage Sensor Gateway Connection: Control whether endpoints communicate directly with Carbon Black Cloud or through a Sensor Gateway.

Investigate and Go Live: Threat Hunting and Commands

Each endpoint provides several options for deeper investigation. Below are some key features:
Investigate: This is your go-to option for threat hunting. If you want detailed steps on this, check out our article below. Mention Link:
Go Live: The "Go Live" option allows you to run live commands on an endpoint. These commands can be invaluable during an active investigation.
Query Asset: The last option (prebuilt queries).

USB Devices Management

Under the "USB Devices" tab, you can monitor connected USB devices. The filters and options available here are self-explanatory, as shown in the screenshot below (see attachment). However, you might wonder, how do I block USB devices? The answer lies in creating a policy. When setting up a policy (as detailed in this article), you can include rules for blocking USB devices. Once a device is blocked, you will see an option to approve or reject it directly under the "USB Devices" tab.

Example Scenario:
A USB device is blocked by policy.
Navigate to the "USB Devices" tab to see the blocked device.
Approve the device if needed, or leave it blocked.

Sensor Groups

We’ve discussed sensor groups earlier. For more details, refer to the "Actions on Endpoints" section above. Sensor groups are an efficient way to manage multiple endpoints with similar configurations or policies.

Conclusion

By understanding these features, you can take full advantage of Carbon Black Cloud for endpoint management, threat hunting, and USB device control. Use the tools wisely to enhance your organization's cybersecurity posture. Keep experimenting with these settings, and don’t hesitate to tweak configurations based on your organization's needs. I’ll leave you here for now, but stay tuned for my next guide—there’s always more to learn!

Upcoming Article: Carbon Black (P6:Settings): A Practical Guide/A Practical Training
