
  • Let’s Talk About Detection Rules in Sublime Security (EDR for Email!)

    Okay, so in this tab, we’re going to explore one of my favorite features of Sublime Security: Detection Rules, also known as your email detection posture. This is where things get really cool, especially if you love having visibility AND control over what happens in your email ecosystem.

    So, here's the deal: Sublime Security puts everything online on GitHub: https://github.com/sublime-security/sublime-rules

    Yep, it’s all open-source. You can:
      - Write your own rules
      - Use existing community rules
      - Customize anything you like
    No walled gardens, no black boxes. Just raw detection power at your fingertips.

    🧠 How the Rules Are Organized

    The Detection Rules tab is the place where all the action starts. And trust me, they’ve done a neat job organizing everything. The rules are split into two main categories:

    1. Attack Types
    Think of these as the “what is the attacker trying to do?” side of things. Each type reflects the attacker’s primary goal, whether it's phishing for creds, spreading malware, or just trying to socially engineer someone into transferring funds. Here are some examples:
      - BEC/Fraud: Business Email Compromise. These are those sneaky emails where someone pretends to be your CEO, a vendor, or someone else important, trying to get you to send money or share sensitive info. No malware, no malicious links, just pure social engineering.
      - Callback Phishing: This one’s clever. The attacker tricks you into calling a phone number. From there, it’s game over. They might lead you to malware, steal data, or worse.
      - Credential Phishing: This one’s classic. Think fake Microsoft login pages, Google Docs prompts, etc., all designed to steal your usernames and passwords.
      - Extortion: Like the old "we’ve got your data, now pay us" scenario.
      - Malware/Ransomware: Where attachments or links lead to malware payloads.
      - Reconnaissance: This is like the attacker dipping their toe in to see if your email system bites back. They’re testing spam filters, checking which emails land in inboxes, and mapping targets before launching the real deal.
      - Spam: Not all spam is evil, but it’s annoying and sometimes a smokescreen for worse things.

    2. Tactics and Techniques
    This section dives into how the attackers are doing what they’re doing. You get insight into the tools and tricks used to evade detection. Some cool examples:
      - Encryption: Emails that are encrypted just enough to sneak past scanners.
      - Evasion: Tactics like obfuscation, spoofing headers, hiding links in weird places.
      - Free Email Providers: Attackers love using Gmail and Outlook to look “normal.”
      - Free File Hosts: Dropbox and Google Drive links aren’t always innocent.
      - HTML Smuggling: A technique where malware is hidden inside HTML files.
      ... and the list goes on.

    🛠 Why I Absolutely LOVE This

    Now, you might ask, “Dean, why are you geeking out over this?” Let me tell you why: Sublime lets you apply actions per category or even per rule. That’s right. You’re not locked into a single response for every kind of threat. (There is a better method as well, automation, which we’ll discuss in the next article; but Sublime gives you this ability too, so you have to choose which approach to use.)

    For example: you’ve got 74 BEC/Fraud rules (the count keeps increasing, and you can add your own as well) and 35 Spam rules. Let’s say for all BEC/Fraud emails you want them to be auto-quarantined or auto-reviewed (as Malicious).
      Before applying any action: (screenshot)
      Let’s apply the action: (screenshot)
      After applying the action: (screenshot)
    But for Spam, maybe you just want to move it to the spam folder and add a warning banner.
    ---------------------------------------------------------------------------------------------------------
    One thing to keep in mind: a rule that sits under BEC/Fraud might come under Spam as well, so don't get confused or worried. Now you’ll ask, “Dean, then how will the action work?” Remember the hierarchy I told you about! If multiple rules try to classify the same message, the platform uses this order of priority: Simulation > Benign > Malicious > Spam > Graymail. So if one rule tags it as Simulation and another as Malicious, Simulation wins.
    -------------------------------------------------------------------------------------------------------
    You can set different actions per type. That flexibility? HUGE. And yes, you can mix and match:
      - Set a warning banner plus move to spam.
      - Or trigger user reporting.
      - Or simply alert only, if you want to monitor before acting.
    This level of control is something most EDRs or email gateways charge a premium for; Sublime gives it right out of the box.

    📈 What’s Rule Effectiveness?

    So there's this nifty section called Rule Effectiveness. Basically, it gives you insight into how well your detection rules are working. Key points:
      - It only shows data from live-processed emails. So your test emails or old logs won’t count.
      - You can see who created or last updated the rule, how many emails were flagged, which actions are assigned to the rule, and how many have been reviewed.
    It’s perfect for fine-tuning your rules, especially if you want to weed out false positives or catch things your current posture misses.

    ⚠️ One Thing to Remember

    By default, all rules are alert-only when you enable them. So no actions will be taken until you define them. That’s kind of a good thing because it gives you time to understand how your rules behave. You can then assign actions: Quarantine, Add warning banners, Enable user reports, Auto-delete (if you dare), or just monitor. Totally your call.

    🧪 What About ASR Rules?

    We’ve talked about ASR (Attack Surface Reduction) in a previous article, but I might just copy-paste that again or share a link, lol 😄. Basically: Attack Surface Reduction in Sublime Security is a specialized category of MQL Detection Rules that target abnormal or risky patterns in emails. Think of it as your "proactive threat filter" for Microsoft 365 and Google Workspace environments.
    ---------------------------------------------------------------------------------------------------------
    Detection Methods Rules

    Before we wrap up, let’s touch on the Detection section of the analysis view, specifically the Detection Methods Rules. This section highlights the technical methods and Sublime’s custom rule-based techniques that identified and flagged the threat. These rules often represent the logic or patterns the system detected in an email, such as suspicious sender behavior, impersonation attempts, or malicious links.

    💡 Tip: These are editable rules. If you see something that needs adjusting or tuning to better fit your environment, you can modify them. It’s an excellent way to fine-tune detection for your organization.

    Historical Ingestion

    Another important capability of Sublime Security is Historical Ingestion.

    What is Historical Ingestion? Historical Ingestion is a powerful feature that allows you to ingest and analyze past email messages to build contextual baselines for better real-time detection and tuning. When you first deploy Sublime or activate new mailboxes, it prompts you to run historical ingestion so that it can learn from your environment.

    Why it matters:
      - Establishes behavioral baselines for what’s normal across your org.
      - Helps reduce false positives by learning from how you label previous threats.
      - Gives you insight into how Sublime would have flagged past messages, so you can tune and adjust before going live.

    Key Steps:
      - Review and label results from historical analysis. Labeling helps train Sublime’s models and improve future detections.
      - You can also exclude safe messages during this review to fine-tune detection and prevent noisy alerts.
      - Once you complete labeling, activate your rules for real-time detection.
    Running historical ingestion doesn’t impact mail flow; it’s a passive process designed to improve accuracy.

    🔧 For best results, make sure all mailboxes are activated and configure message retention to allow analysis as far back as you’re comfortable.
    ---------------------------------------------------------------------------------------------------------
    I’d suggest waiting for my next article before enabling actions on detection rules; you might find that approach better!
    -------------------------------------------------------------------------------------------------------------
    🎯 Final Thoughts

    Sublime Security is truly building something special: like an EDR, but for your email. The detection rules tab is where it all comes together: visibility, customization, and control, all in one dashboard. Try it out and play with the rules. Trust me, you’ll enjoy the control it gives you over your email security like never before.
    --------------------------------------------Dean----------------------------------------------------
    Upcoming Article: Automations in Sublime Security: A Smarter Way to Respond to Email Threats
    https://www.cyberengage.org/post/automations-in-sublime-security-a-smarter-way-to-respond-to-email-threats
    ---------------------------------------------------------------------------------------------------

  • Understanding the “Remediate Threats” Tab in Sublime Security

    The Remediate Threats section in Sublime Security is a powerful place to review and take action on suspicious or malicious emails. It's organized into multiple sub-tabs designed to help SOC analysts or IT security teams streamline email threat response. Let’s walk through each part, focusing on the Flagged tab, which shares a similar structure and logic with the User Reports tab.

    Remediate Threats Tab Breakdown

    The tab is divided into the following parts:
      📌 Flagged: Emails automatically flagged by Sublime's detection engines. Sub-tabs: All Unreviewed, Attack Surface Reduction, Auto-Reviewed, Auto-Remediated.
      🧑‍💼 User Reports: Emails reported by users manually (similar to "Flagged", so we'll skip this in detail as the layout is the same).

    Flagged > All Unreviewed

    When Sublime flags an email, it shows up under “All Unreviewed”. This is where analysts start their review process.

    🧠 Key Elements of the Email Detail View

    Clicking on a flagged email expands a panel containing all related data. Here's what you see:

    ✅ Verdict: Sublime's classification (e.g., Malicious, Spam, etc.). In our example, the email was marked Malicious.

    📊 Attack Score Signals: This section shows why Sublime determined the message to be malicious.

    📬 Message Group Details: Details include the subject, sender, recipients, who opened or replied to the email, and whether it was forwarded.

    🕵️ Message Insights: This section summarizes key indicators such as:
      - First-time sender domain/email
      - Low reputation links
      - Mismatched links
      - Unsolicited sender
      - Brand logos used in the email
      - Domains in body and headers
      - Sender’s timezone offset
      - Sender prevalence (e.g., new or known)

    📑 Message Content: This area shows a preview of the email as seen by the user, essential for understanding how convincing the phishing attempt was. You can also download the .eml file for deeper forensics or sandboxing.

    📧 Sender Details: Shows reputation history and authentication status:
      Email: chrome@servicealerts.net
      Past reviewed messages: 0
      First Seen: New to your organization
      Authentication: SPF: ❌ Failed, DKIM: ✅ Passed, DMARC: ❌ Failed

    📜 Message Activity History: This timeline shows all events related to the message: open timestamps, forwarding trail, full recipient list and their actions.

    👨‍⚖️ Review Status: You can take manual actions from here:
      - Select classification: Malicious, Spam, Graymail, Benign, or Simulation
      - Action Taken: e.g., Quarantine, Allow, etc.
    If you issue Quarantine, it will remove the email from all users in the message group (how awesome is that?).
    -----------------------------------------------------------------------------------------
    I’ll show you another example of an email before we move on (screenshots): mail details; analysis details (which rules triggered the alert); message group details; message details; message content; sender details and authentication; message activity history; and review status.
    -----------------------------------------------------------------------------------------
    Let’s move to the next tab, ASR (Attack Surface Reduction).

    Attack Surface Reduction (ASR)

    ASR is Sublime’s way of proactively reducing exposure to attacks before they happen, much like hardening an endpoint.

    🧬 What is ASR? ASR uses custom MQL (Mail Query Language) rules to detect and block abnormal or suspicious behaviors. Examples include:

        type.inbound
        and any(attachments,
                .file_type in $file_extensions_common_archives
                and any(file.explode(.),
                        any(.scan.javascript.identifiers,
                            strings.ilike(., 'ActiveXObject', 'ShellExecute'))
                        or (
                            length(.scan.javascript.strings) > 0
                            and all(.scan.javascript.strings,
                                    strings.ilike(., 'Shell.Application', '*.exe'))
                        )
                )
        )
        and (
            profile.by_sender().prevalence in ("new", "outlier")
            or profile.by_sender().any_messages_malicious_or_spam
        )
        and not profile.by_sender().any_messages_benign

    This rule flags messages when JavaScript contains identifiers or strings that may attempt to execute files.

    📥 What You’ll See: Alerts generated by ASR rules will appear under this tab. You can set ASR rules in “alert-only” mode or configure automatic actions such as the following (I don’t recommend this; I’ll give you a better method later, and then you can decide which method you want to use):
      - Quarantine
      - Move to Trash
      - Insert Warning Banner
      - Webhook Trigger
      - Slack Notification
    This allows teams to enforce strict hygiene policies on Microsoft 365 or Google Workspace, reducing phishing and BEC risk significantly.
    -----------------------------------------------------------------------------------------
    Let’s talk about the third tab, Auto-Reviewed.

    Auto-Reviewed: Let the Platform Handle the Obvious

    If you're overwhelmed by flagged emails that are obviously spam or benign, Auto-Review is your best friend.

    What is Auto-Review? It’s an action you can assign to high-confidence rules. When triggered, it will:
      - Automatically classify the message (e.g., spam, malicious, benign)
      - Mark it as “auto-reviewed”
      - Hide it from your default triage view (unless you explicitly go to the Auto-Reviewed tab)

    How to Set It Up
      1. Open a specific detection rule.
      2. Click Edit or Edit Metadata.
      3. Add the Auto-review action.
      4. Choose a classification like: Malicious, Unwanted (Spam or Graymail), or Simulation.
      5. Save the rule.
    Or else: go to Detection Rules -> select whichever detection category you want (I’ll choose BEC for now) -> click View All -> select all rules -> click Action -> select Auto-review -> select the classification.

    Why It Matters: Say you’ve built a rule that’s great at catching marketing spam. Instead of manually reviewing those every day, enable Auto-review and classify them as Graymail. It keeps your analyst queue clean and focused on true threats.

    Auto-Review Hierarchy: If multiple rules try to classify the same message, the platform uses this order of priority: Simulation > Benign > Malicious > Spam > Graymail. So if one rule tags it as Simulation and another as Malicious, Simulation wins.
    -----------------------------------------------------------------------------------------
    Last tab: Auto-Remediated. Here you will see emails that were automatically acted upon using predefined automation rules.
    -----------------------------------------------------------------------------------------
    ✅ Final Thoughts

    Sublime Security’s Remediate Threats section helps you:
      - Investigate flagged emails deeply
      - Reduce noise with auto-review
      - Proactively block risky patterns using ASR rules
      - Give end users a way to report threats easily
    With a mix of automation and human oversight, it's a powerful way to stay ahead of phishing and email-based threats.
    ----------------------------------------------Dean--------------------------------------------------
    Upcoming Article: Let’s Talk About Detection Rules in Sublime Security (EDR for Email!)
    https://www.cyberengage.org/post/let-s-talk-about-detection-rules-in-sublime-security-edr-for-email
    -----------------------------------------------------------------------------------------------------

  • Sublime Security – Dashboard Walkthrough (Overview + User Reports)

    Alright folks, let’s dive in! Now that I’ve hyped up Sublime Security in the last post (with good reason 😎), it’s time to show you how this beast of a platform actually looks and what kind of visibility you get once it's live in your environment. We’re starting with the two most straightforward but powerful pages: the Overview tab and the User Reports tab. I know, it’s pretty self-explanatory. But I’m still going to walk you through it because even simple things can show big impact when done right.

    📊 Page 1: The Overview Dashboard

    So the moment you log into Sublime, this is your command center. The Overview page gives you a real-time pulse on what’s happening inside your email environment, and honestly, it’s clean, informative, and actually useful (not just pretty graphs). Let’s break it down 👇

    ✅ High-Level Stats Right Up Top
    The first thing you'll see:
      - How many mailboxes are protected
      - How many messages have been analyzed
      - How many detection rules are active
    This gives you instant feedback on how wide your protection spans and how active your defenses are. No need to dig through config menus.

    📈 Attack Remediation Timeline
    Next up, a timeline chart that shows how many attacks were remediated per day. This is 🔥 because it lets you see the ebb and flow of attacks over time. You’ll notice spikes, and those spikes tell stories. Was there a burst of phishing on a Monday? Did something sketchy happen over the weekend? This is where you start spotting patterns.

    🏷️ Top Labels: See What’s Being Flagged
    Scroll a bit, and you hit the Top Labels section, broken down by:
      - Attack Types: What was the goal? (BEC, credential theft, QR scams, etc.)
      - Tactics & Techniques: How did they try to pull it off? (HTML smuggling, spoofing, obfuscated links...)
      - Detection Methods: How were these threats caught? Was it AI, a custom rule, a community rule?
    You’re not just seeing “what got blocked”; you’re seeing how and why it was caught, which is gold for any security team trying to improve detection strategies.

    🔍 Top Detection Rules
    You’ll also get a list of the detection rules that fired the most, based on how many attacks each rule caught. This helps in two major ways:
      - You know which rules are working
      - You can prioritize tuning the ones getting noisy or low-confidence hits

    🎯 Top Targets
    This section shows the mailboxes getting attacked the most. Very useful to:
      - Identify high-risk users (like finance, C-levels, HR)
      - Correlate with investigation timelines
      - Build custom protection (like VIP inbox rules)

    ⚙️ Actions Summary
    A breakdown of:
      - Remediation actions applied (e.g., quarantined, moved to junk)
      - Alert actions (like notifying SOC or ticket creation)
    You see what actually happened after the detection, and whether automation kicked in or manual action was needed.

    🚨 Message Classification
    At the very bottom, you get a clear picture of:
      - How many messages were classified as malicious or spam
      - How many were automatically remediated vs manually handled
    This gives a snapshot of the human vs machine balance, and you’ll start to see how much time you’re saving through automation. And don’t worry, we’ll dig deeper into these remediation details in a future post.

    📬 Page 2: User Reports Overview

    The next tab is super useful, especially if you have an organization where users report emails to the SOC or security team. This section basically shows:
      - Emails reported by users
      - What action was taken: Quarantined, Moved to spam, Marked clean, Ignored, Further investigated
    You don’t need to be a genius to use it: just click, review, and go. It helps the SOC team verify whether a report was valid or not, and it builds confidence with users that their reports are being looked at.

    🧠 Why These Two Pages Matter (More Than You Think)

    While these two tabs seem “basic,” they actually offer:
      - Instant operational visibility
      - Historical awareness (timeline + trends)
      - Confidence in what's working and where to tune
      - Context for each mailbox, rule, and user action
    In the old days, we’d have to pull logs from the SEG, correlate with EDR alerts, and chase people down for context. Sublime brings all that into one place, focused purely on email.
    ---------------------------------------------------------------------------------------------------------
    🎤 Wrapping Up

    That’s the bird’s eye view of your Sublime dashboard. In the upcoming articles, I’ll dive deeper into custom rules, retro hunting, and how to use MQL like a pro. Because honestly, that’s where the magic happens, and it’s where you get to turn this tool into your own personalized email defense engine. Until then: stay safe, stay curious, and watch those inboxes! Let’s keep digging. 🔍
    -----------------------------------------------------------------------------------------------------------
    Upcoming Article: Understanding the “Remediate Threats” Tab in Sublime Security
    https://www.cyberengage.org/post/understanding-the-remediate-threats-tab-in-sublime-security
    -----------------------------------------------------------------------------------------------------------

  • Sublime Security – The EDR of Email We Needed!

    Hey folks! You know there are certain tools you just can’t ignore anymore, not because of hype, but because they actually deliver. One of those tools, for me, is Sublime Security.

    Now let me be real with you: I was never super excited about email security tools. Yeah, we’ve got the old-school secure email gateways (SEGs), filters, allowlists, blocklists, SPF/DKIM/DMARC setups... we’ve all been there. But when I came across Sublime, something clicked. And I finally got a chance to work with it, so I’m going to take you on that journey. Because trust me, this tool? It’s a game-changer, especially when we’re talking about Business Email Compromise (BEC), phishing, QR code scams, and all the sneaky stuff attackers use to target our inboxes.

    🛡️ Why I Call Sublime Security the “EDR for Email”

    Okay so hear me out: even Sublime itself calls it that. And honestly, they’re not wrong. When you think of EDR (Endpoint Detection and Response), what comes to mind? You get:
      - Full visibility into behavior
      - Custom detection logic
      - Historical hunting
      - Rapid response and remediation
      - Transparency, not just a black box
    Now imagine if you could do that, but for email. Not just after something gets delivered, but even after it was missed by your secure gateway or native Microsoft/Google controls. That’s what Sublime does.

    🤖 What Exactly Is Sublime Security?

    At its core, Sublime Security is an open, programmable email security platform designed to run detection logic and visibility across your cloud inboxes (M365 and Google Workspace). It combines:
      ✅ AI-powered detection
      ✅ Behavioral analysis
      ✅ Open detection rules written in MQL (more on that in a sec)
      ✅ Community-driven content
      ✅ Retro hunting: you can go back and look for past threats
      ✅ Self-hosted or SaaS options, and yes, the first 100 inboxes are FREE!

    🧠 What’s MQL? And Why Should You Care?

    Message Query Language (MQL) is one of the coolest parts of Sublime. Think of it like Sigma/YARA, but for email. You’re not just setting filters; you’re writing actual logic:
      - Find if an email has a suspicious HTML attachment
      - Flag any sender impersonating your CEO
      - Catch QR code phishing attempts (you'd be surprised how common these are now!)
      - Detect reply chain hijacking
    And the best part? The community contributes hundreds of rules, and they’re available on GitHub. So it’s not just Sublime doing the work; we’re all doing it together.

    🌐 The Main Components of Sublime

    Here’s what makes this platform tick:
      🔍 Sublime Defend: Their detection engine; runs all those AI + custom rules to flag suspicious emails.
      📥 Sublime Triage: Automates analysis of user-reported emails. It basically reduces the noise and helps you focus on real threats.
      🕵️ Sublime Hunt: Now this is 🔥. Retroactively hunt down threats that slipped past your defenses. Like going back in time to catch that attacker before they cause real damage.

    🎯 Why This Matters, Especially for BEC

    In my career investigating incidents, I can confidently say: 50–60% of compromises start with email. Especially BEC, and you know what? Those don’t always involve malware. They’re sneaky. Sometimes it’s a fake invoice, a reply-chain hijack, or someone pretending to be your vendor. Traditional tools miss these. Because they’re not weird enough to trigger AV. They don’t have links. They just look real. That’s where Sublime shines. It understands email context. It lets you build rules based on behaviors, headers, timing, content patterns: real security logic, not just signatures.

    🚀 Why I’m Hyped About Sublime

    And no, this isn’t a sponsored post. I’m just honestly excited to finally have a tool that treats email security the way we treat endpoint security: seriously.
    -------------------------------------------------------------------------------------------------------
    🔜 What’s Next?

    In this series, I’ll walk you through Sublime Security. If you’re tired of black-box tools and want full control over email security, this might just be your new favorite toy. Till then, buckle up. 🛡️ Let’s build a better email defense together.
    -------------------------------------------------Dean-----------------------------------------------
    Upcoming: Sublime Security – Dashboard Walkthrough (Overview + User Reports)
    https://www.cyberengage.org/post/sublime-security-dashboard-walkthrough-overview-user-reports
    --------------------------------------------------------------------------------------------------

  • Carbon Black (P6:Settings): A Practical Guide/An Practical Training

    In this guide, we'll cover the last section of the Carbon Black Cloud console: the Settings tab. This area is crucial for managing your environment, configuring users, roles, notifications, and more. Let’s dive into each subsection and see what they offer.

    1. General
    The General subtab provides essential information about your Carbon Black account and its configuration. Here’s what you can find:
      - Enabled Products: Displays the list of products activated for your account. For additional tools, links to relevant documentation are available if you’re considering a purchase.
      - Account Details:
          - OrgID & OrgKey: These are unique identifiers for your account, necessary for API integrations. Keep these handy if you're making API calls.
          - DNS Suffix: Defines the domain suffix your devices use, such as yourcompany.com. It’s an organization-specific identifier set during DHCP configuration.
          - Reachable Hosts: This is the IP address or fully qualified domain name (FQDN) of an internal host, like your DNS server. It's used to confirm on-premises reachability and must avoid private IPs like 10.x.x.x or 172.x.x.x.
          - Windows Registry Key: This permanent setting ensures compatibility with Windows security updates (e.g., KB4072699). Once enabled, it cannot be modified.

    2. Users
    The Users subtab allows you to manage who has access to your console:
      - Add new users and grant them specific permissions.
      - View logs related to user activity, ensuring accountability and transparency.

    3. Roles
    Roles are critical for managing permissions across your organization:
      - Use prebuilt roles for common needs or create custom roles tailored to your environment.
      - Assign roles to users based on their job responsibilities, ensuring a least-privilege approach to security.

    4. Notifications
    Want to stay informed? The Notifications subtab lets you set up alerts based on specific conditions. Scenarios where notifications can be triggered:
      - Alert Thresholds: When an alert exceeds a predefined limit.
      - Specific TTPs or MITRE Techniques: Be notified when certain tactics, techniques, or procedures (TTPs) are detected.
      - Policy Actions: Alerts when specific policy actions are applied.

    5. API Access
    API Access enables seamless integration with other security tools in your ecosystem. Generate API keys to authenticate your integration with external systems. For detailed guidance, check Carbon Black’s official API documentation.

    6. Data Forwarder
    The Data Forwarder feature lets you send bulk data to external storage for advanced analytics and reporting. Supported destinations:
      - AWS S3 Buckets: Create an S3 bucket and configure a bucket policy to grant the necessary permissions. Use prefixes to send data to specific sub-folders.
      - Microsoft Azure Blob Storage: Authorize Carbon Black Cloud using a federated-credentials-based Managed Identity. Note: Unlike AWS S3, Azure requires an individual blob container for each forwarder.
    Tip: This is useful for integrating with SIEM tools or for maintaining historical logs outside of Carbon Black.

    7. Audit Log
    The Audit Log subtab provides a trail of actions performed within the console:
      - Track login attempts, configuration changes, and user activity.
      - Use this feature for compliance audits and internal investigations.

    Wrapping Up

    With its comprehensive features and intuitive interface, Carbon Black Cloud empowers organizations to take control of their cybersecurity posture. From endpoint protection to advanced threat hunting, the platform provides everything needed to stay ahead of emerging threats. By mastering these tools and features, you're not just enhancing security; you're building a resilient defense against the challenges of tomorrow. That wraps up our deep dive into Carbon Black! See you in the next series of articles. Until then, stay curious and stay secure. Bye-bye! 👋

  • Carbon Black (P5:Inventory): A Practical Guide/An Practical Training

    The Feature Inventory  in Carbon Black Cloud is an essential tool that helps administrators and security professionals manage and investigate their endpoint security posture effectively. Let’s dive into its key components, starting with the Endpoints  tab, and explore the features and capabilities it provides. Endpoints Tab The Endpoints  tab is your starting point for managing and investigating endpoints in your environment . Below is an overview of its layout and functionality: Filters for Investigation On the left-hand side of the tab, you’ll find several filters that simplify endpoint investigations. These filters include: Sensor Status : Displays whether sensors are active, inactive, or in an error state. Operating System (OS) : Allows you to filter endpoints by their operating system. Sensor Version : Helps identify which version of the Carbon Black sensor is installed. Other Metadata Filters : These include options for grouping endpoints by their organizational unit, IP range, or other custom tags. Each filter is self-explanatory and designed to make pinpointing specific endpoints quick and efficient. Top-Right Controls At the top-right corner of the screen, you’ll find two key options: Sensor Options The Sensor Options  menu provides several actions to manage sensors: Manage Sensor Settings : Enables deletion of unused sensors. View Company Code : Displays the company code required during sensor installation. Download Sensor Kit : Offers the installation package for the sensor. Send Installation Request : Allows you to email installation instructions by entering the recipient’s details. Add Group: The Add Group  feature helps you dynamically assign sensors to specific groups based on predefined criteria : Sensors matching all criteria for a group are added automatically. If a sensor does not match any group’s criteria, it is assigned to the default Standard policy . 
Group assignments are dynamic and will change if a sensor no longer meets the criteria for its current group. You can define group criteria using “AND” or “OR” conditions, offering flexibility in your configurations. Note : Sensors can belong to only one group at a time. If multiple groups match, the sensor is assigned to the group with the highest priority. Sensor Update Status Adjacent to the Endpoints  tab, you’ll find the Sensor Update Status  section. This feature displays: Sensor versions installed across your environment. Details of sensors requiring updates or showing errors ------------------------------------------------------------------------------------------------------------- Live Example: Viewing Sensor Details When sensors are available, you’ll see details organized by status. Filters such as Sensor Status  or Signature Status  provide critical insights: Sensor Status: Carbon Black provides detailed statuses for sensors, including connectivity and operational health. For example: Active : Sensors reporting data and functioning correctly. Inactive : Sensors not reporting or disabled. Error : Sensors with connectivity or configuration issues. Signature Status : The Sig  column in the interface indicates the status of sensor signatures: Signature version status Circle : Signatures are up to date (released within the last 7 days). Triangle : Signatures are outdated (older than 7 days). Square : Signatures are unreported or unidentifiable, possibly due to local scan configuration issues or connectivity errors. These visual indicators make it easy to assess and prioritize updates or troubleshooting efforts. Sensor update status: Actions on Endpoints When managing endpoints in Carbon Black Cloud, you can take the following actions: Add to Asset Groups Add selected endpoints to specified asset groups (if you’re using this feature). Remove from Asset Groups Remove endpoints from specific asset groups. 
    - Assign Policy: Assign a prevention policy to determine sensor behavior.
    - Update Sensors: Update the sensor version on selected endpoints.
    - Start Background Scan: Initiate a one-time inventory scan to identify pre-existing malware. If the controlling policy includes background scan settings, the scan type (standard or expedited) will follow that policy. Otherwise, the default is a standard scan.
    - Pause Background Scan: Temporarily stop the background scan. It will restart when the service or endpoint restarts.
    - Enable/Disable Bypass: Enabling bypass temporarily disables policy enforcement on the endpoint; disabling bypass reinstates policy enforcement.
    - Quarantine/Unquarantine Assets: Quarantine an endpoint to limit its outbound traffic and block inbound traffic. Release an endpoint from quarantine when it is no longer a threat.
    - Uninstall Sensors: Remove macOS and Windows sensors. After removal, the sensor will appear as deregistered until deleted.
    - Delete Deregistered Assets: Fully remove a sensor from the Carbon Black Cloud console.
    - Disable Live Response: Disable Live Response for remote investigations and remediation. Re-enabling it requires sensor reinstallation.
    - Query Assets: Run SQL queries against endpoints to gather specific information.
    - Manage Sensor Gateway Connection: Control whether endpoints communicate directly with Carbon Black Cloud or through a Sensor Gateway.

    Investigate and Go Live: Threat Hunting and Commands

    Each endpoint provides several options for deeper investigation. Below are some key features:
    - Investigate: This is your go-to option for threat hunting. If you want detailed steps on this, check out our article below. Mention Link:
    - Go Live: The "Go Live" option allows you to run live commands on an endpoint. These commands can be invaluable during an active investigation.
    - Query Asset: The last option, which offers prebuilt queries.

    USB Devices Management

    Under the "USB Devices" tab, you can monitor connected USB devices.
    The filters and options available here are self-explanatory, as shown in the screenshot below (see attachment). However, you might wonder: how do I block USB devices? The answer lies in creating a policy. When setting up a policy (as detailed in this article), you can include rules for blocking USB devices. Once a device is blocked, you will see an option to approve or reject it directly under the "USB Devices" tab.

    Example Scenario:
    1. A USB device is blocked by policy.
    2. Navigate to the "USB Devices" tab to see the blocked device.
    3. Approve the device if needed, or leave it blocked.

    Sensor Groups

    We’ve discussed sensor groups earlier. For more details, refer to the "Actions on Endpoints" section above. Sensor groups are an efficient way to manage multiple endpoints with similar configurations or policies.

    Conclusion

    By understanding these features, you can take full advantage of Carbon Black Cloud for endpoint management, threat hunting, and USB device control. Use the tools wisely to enhance your organization's cybersecurity posture. Keep experimenting with these settings, and don’t hesitate to tweak configurations based on your organization's needs. I’ll leave you here for now, but stay tuned for my next guide—there’s always more to learn!

    Upcoming Article: Carbon Black (P6:Settings): A Practical Guide/An Practical Training

  • Rethinking Incident Response – From PICERL to DAIR (Expanded Edition)

    ----------------------------------------------------------------------------------------------------------

    Clarification Note: I've noticed that this article has sparked some important discussions, and I truly appreciate the feedback. To clarify, I’m not suggesting that the PICERL model is the only correct approach, nor am I claiming that the DAIR model is superior. The intent here is simply to provide a structured, understandable way to view the incident response lifecycle—especially for organizations that currently lack any formal process. If your team prefers a dynamic or adaptive approach, or chooses to follow the DAIR model or a customized version of PICERL, that’s absolutely valid. The goal is not to force a one-size-fits-all solution but to encourage more structured and thoughtful incident response planning. This article is meant to provide a foundational understanding, and I fully support adapting the model to fit your organization’s maturity level, threat landscape, and operational style.

    ---------------------------------------------------------------------------------------------------------

    If you guys remember, I had written a post a while back about the DAIR model — and honestly, the response was wild. I got so many messages and follow-ups asking for a deeper dive into the topic. So here I am, trying to break it down better, one phase at a time.

    https://www.cyberengage.org/post/rethinking-incident-response-from-picerl-to-dair
    https://medium.com/@cyberengage.org/rethinking-incident-response-from-picerl-to-dair-7b153a76e044

    Let’s get into it.

    -------------------------------------------------------------------------------------------------------------

    🚨 First, let’s be clear: Incident Response is not linear

    There’s no magical 6-step recipe to handle incidents. Real-world incidents are messy. You’ve got multiple events happening in parallel, your alerting system is going off, someone’s panicking, and maybe your containment plan just half-worked.
    Things overlap — and a linear approach just doesn't hold up anymore.

    For example: You detect something sketchy — cool, that’s your detection phase, right? But what if during containment or eradication, you uncover a whole new set of TTPs or realize that another part of the system was compromised before detection even kicked in? Now you’re circling back.

    This is where DAIR — the Dynamic Approach to Incident Response — steps in. It’s not about replacing PICERL. It’s about shifting our mindset to a flexible, outcome-driven process.

    ⚙️ DAIR: Dynamic. Not Chaotic.

    DAIR breaks down into waypoints rather than locked steps. Think of it like GPS rerouting in real time — you still want to reach your destination (containment and recovery), but you may need to take a few turns based on roadblocks you hit along the way.

    Here’s the core flow:
    - Detect
    - Analyze
    - Improve
    - Respond
    But in real life, it's more of a loop than a line.

    -------------------------------------------------------------------------------------------------------------

    🧠 Preparation: The underrated superhero of IR

    Before you even start thinking about detection, you’ve gotta "know thy organization." Not just buzzwords — I’m talking about:
    - What actually matters to the business?
    - What’s your visibility like — do you have endpoint telemetry? Firewall logs? Sysmon? Or are you just hoping EDR will save the day?
    - Who’s reviewing the logs, and how often?
    - What’s your backup recovery process? Ever tested it? (Spoiler: most haven’t.)
    Also, can your IR team actually respond? Do they get tabletop exercises, actual practice runs, or are they just hoping Google + gut feeling = success?

    Too many IR teams get stuck during a real event because they weren’t prepared for their own tools, their own network, or their own people. The DAIR model, just like PICERL, starts with preparation because without it, everything else falls apart fast.
    -------------------------------------------------------------------------------------------------------------

    🔍 Detect: It’s not about noise — it’s about meaning

    Detection is where most IR teams spend their lives. But let’s break it down:
    - IOA (Indicator of Attack) = something an attacker does to get what they want (e.g. lateral movement, bypass attempts, privilege misuse)
    - EOI (Event of Interest) = “Hey, does this event actually matter to us based on our risk and context?”
    You can get a million IOAs, but if they don’t align with what your organization cares about, it might not even qualify as an EOI. That’s a big difference. Not every alert needs panic mode.

    Now, detection can be passive (you get alerted from your SIEM, a user reports weird behavior, etc.), or active — a.k.a. threat hunting. Active detection is where you're out there looking for trouble. And once you detect something, that’s when the clock starts ticking.

    Also, don’t underestimate human signals: a sysadmin noticing weird CPU spikes, or your helpdesk getting calls about failed logins — these can be golden early indicators. Blend your tech intel (logs, EDR, network alerts) with your people intel, and your detection game gets way stronger.

    -------------------------------------------------------------------------------------------------------------

    🔍 Verifying & Triage — Don’t Just Jump the Gun

    Alright, so just because you spotted something weird doesn’t mean it’s go-time. This is where verify and triage come into play — and trust me, this step saves you from chasing ghosts or overreacting to a false alarm.

    So what are we really doing here?
    We're asking basic but critical questions:
    - “Is this actually a real incident?”
    - “Is it something that impacts our environment or our business?”
    - “Is it worth pulling in the full IR team, or can we handle it quietly?”
    Let’s be honest — not everything weird is worth a full-blown IR war room. Sometimes it’s just noise. Sometimes it's someone forgetting their password and triggering alerts with failed logins from five devices at once.

    So we verify: Is this event something that should even be on our radar?
    And then we triage: Based on what we know so far, who do we need in the room?

    For example, if it’s someone threatening a coworker over email, maybe that’s an HR + legal thing, not just IR. If it's ransomware in your backups? That’s game-on.

    Also — don’t skip getting management input here. You don’t want to be guessing whether something is “business-critical” or not. Always align technical actions with business priorities. That’s how you earn trust.

    -------------------------------------------------------------------------------------------------------------

    📏 Scoping: How Bad Is It, Really?

    Once we know it’s real, the next question is: How deep does this thing go?

    Scoping is about figuring out the blast radius. Which systems are affected? Which users? Which parts of the network? Maybe you found a malicious registry key with an encoded blob in one system — cool, but how many other systems have that same key? Maybe an attacker used a known IP — where else did that IP touch your infrastructure?

    To do this right, you’re gonna pull from a ton of data sources: EDR, SIEM, logs, threat intel, PowerShell outputs, config files, even registry snapshots if needed. Sometimes the scoping phase alone is a full-on detective mission.

    And here’s the catch: you’ll probably do this more than once. The DAIR model treats response phases as a loop, not a one-and-done checklist.
    So as you uncover new info (TTPs, new users, lateral movement), you’ll loop back and rescope again — and again — until you're confident you’ve mapped the full picture.

    Skipping or half-assing this step is what leads to "Oops, we missed that second C2 channel." Don’t be that IR team.

    -------------------------------------------------------------------------------------------------------------

    🛑 Contain — Stop the Bleed

    Alright, now that we know what we’re dealing with, it’s time to freeze the attacker in place. Containment is all about one thing: making sure the bad actor can’t keep doing damage while we plan next steps.

    This isn’t just pulling the plug. It’s smart isolation:
    - Throw the host into a private VLAN
    - Block known attacker IPs
    - Change DNS routes
    - Lock compromised user accounts
    - Cut C2 channels with some smart ACL magic

    Now, containment doesn't always mean full-on disconnection. Sometimes you want to watch what they’re doing for a little longer — gather more data before cutting them off.

    And speaking of data: this is a golden time for evidence collection. If you isolate a host, grab logs, memory dumps, network traces — before the system reboots or changes state. But don’t go overboard. If leadership doesn’t care about forensic review or court action, maybe you don’t need a full 100GB image of that file server. Balance data collection vs. business value.

    Also — everything you do during containment should support what’s coming next. For example, if you’re revoking credentials now, you’re also laying the foundation for eradication and recovery later. That’s why DAIR is a loop — not everything is siloed.

    -----------------------------------------------------------------------------------------------------

    🚨 Eradicate: Time to Clean House

    Once you’ve caught wind of the attacker’s activity and put up the initial blocks (aka containment), it’s time to get serious: erase their fingerprints from your house. Eradication isn’t just about kicking them out.
    It’s about reversing the damage they did, and making sure no doors are left open for them to stroll back in.

    Here’s what this really looks like:
    - Wipe out malicious processes, hidden users, or rogue scheduled tasks.
    - Roll back from known-good backups — assuming you’ve got some.
    - Remove persistence mechanisms (e.g., registry tweaks, rootkits, or cron jobs).
    - Patch up the hole they crawled through — whether it was a CVE, weak creds, or a bad config.
    - If they messed with source code or tried sneaky fraud tricks (hello, bogus transactions), unwind all of that too.

    This phase leans heavily on your earlier investigation work. What you learned while analyzing logs, running memory forensics, or doing packet captures — that’s what guides your clean-up operation.

    🧠 Tip: Containment ≠ Eradication. One stops the bleeding, the other heals the wound.

    -----------------------------------------------------------------------------------------------------

    🔧 Recover: Don’t Just Reboot — Reinforce

    Alright, so you’ve cleaned up the mess. Now what? Recovery isn’t about just flipping the switch and saying, “We’re good.” It’s about making sure we don’t end up in this same mess again.

    This is where root cause analysis comes into play. Not just what happened — but why it happened. Ask yourself:
    - Why was this even possible?
    - Was it a bad policy, or a good one nobody followed?
    - Did our alerts fire and nobody noticed?
    - Was that admin using the same password since 2017?

    Recovery also means:
    - Rebuilding or restoring systems with clean images.
    - Changing compromised credentials and revoking tokens.
    - Reissuing API keys or cloud creds.
    - Validating app integrity (especially for dev or prod environments).
    - Getting SMEs to test the system before it goes live again.

    And yes — test everything. Don’t just patch and pray. Make sure everything works as expected before you bring it all back online. And when you do go live? Watch those systems like a hawk. Assume the attacker wants back in.
    -----------------------------------------------------------------------------------------------------

    🔁 Repeat: Because One Loop Is Never Enough

    Let’s be real — IR isn’t a one-and-done process. During the recovery or eradication phases, you’ll often discover more indicators, more footholds, or other places where the attacker left a mark. And when that happens? You don’t just patch and move on. You loop back:
    - Re-scope the incident based on new findings
    - Re-contain the new areas
    - Re-analyze logs or malware samples
    - Re-do eradication if needed
    - Expand recovery if more systems are impacted

    You’ll rinse and repeat this until:
    - There’s nothing left of the attacker’s presence
    - Stakeholders are confident the threat is neutralized
    - You’ve implemented proper safeguards to prevent a repeat

    This isn’t just busywork. It’s how real IR works in the field. Especially when you’re dealing with APTs or any attacker with actual skills, you’re going to learn more as you go.

    -----------------------------------------------------------------------------------------------------

    Debrief: Let’s Talk Real Talk Post-Incident

    Alright, the chaos has settled, the alerts have calmed down, and you’ve officially closed the incident. But we’re not done yet. It’s time to debrief — and no, this isn’t just about typing up a long, boring report. This is your chance to actually learn something from the whole mess.

    This is where we sit down and talk: What worked? What completely flopped? What can we do better next time?

    Sometimes this is a polished PDF with a cover page and timeline. Sometimes it’s just well-documented notes in your IR platform or ticketing system. Format doesn’t matter. Value does.

    So what should the Debrief look like?
    - Capture what happened (timeline, impact, decisions made).
    - Be honest. No fluff. Just facts (and where you’re not sure, make it clear it’s conjecture).
    - Record what tools and people helped vs. slowed things down.
    - Highlight wins—your team did something right in the heat, so give credit.

    Then, use it!
    - Share it with key stakeholders (they might finally approve that EDR upgrade you’ve been asking for).
    - Use it to fix broken playbooks, fine-tune escalation paths, and close the feedback loop.
    - Schedule a follow-up (don’t ghost your own process). Did the changes you suggested actually happen?

    Pro Tip: Right after an incident, security is fresh in everyone’s mind. It’s the perfect moment to ask for improvements: better logging, better tooling, more training, etc.

    The biggest mistake is skipping the debrief. That’s how lessons get lost. And remember: The next incident is coming. What you learn here will determine whether you’re sprinting or stumbling when it hits.

    -----------------------------------------------------------------------------------------------------

    Stay flexible. Stay curious. And stay humble — because attackers love when defenders get lazy.

  • Carbon Black (P4:Enforce): A Practical Guide/An Practical Training

    When managing Carbon Black, the Enforce tab plays a pivotal role. It houses the tools for creating and managing policies, which dictate how sensors interact with assets, prevent threats, and allow or block specific behaviors.

    Introduction to Policies

    Policies in Carbon Black are collections of prevention rules and behavioral settings. These define how sensors interact with endpoints to:
    - Allow or block specific behaviors.
    - Implement custom blocking rules.
    - Modify communication between sensors and the Carbon Black Cloud.

    Interface Overview

    When you click on the Policies section, you’ll find:
    - Left Panel: Lists all your created policies.
    - Main Panel: Contains tabs like General, Prevention, Local Scan, and Sensor for each selected policy.

    -------------------------------------------------------------------------------------------------------------

    Policy Tabs and Their Functions

    1. General Tab
    This section provides basic information about the policy:
    - Policy Name and Description.
    - Additional configurable settings.

    2. Prevention Tab
    This is the core of policy management. It allows users to configure:
    - Permissions: Permissions in Carbon Black involve whitelisting paths or applications. Unlike other tools like SentinelOne, Carbon Black uses flexible path-based formats for exclusions. Example:
      C:\windows\carbonblack\**
      **\carbonblack\**
    - Core Prevention Settings: Use Carbon Black’s backend engines for threat detection and response. These settings allow you to configure actions like terminating processes or generating alerts.
    - Blocking and Isolation Rules: Carbon Black offers robust capabilities, such as path-based blocklisting. Example: Block PowerShell and Python executables using:
      **\powershell*.exe
      **/python
    - USB Blocking: Enable or configure USB restrictions as per your organizational requirements.

    3. Sensor Settings
    Fine-tune how sensors operate, including options for auto-deleting known malware and enabling local scanners.
    -------------------------------------------------------------------------------------------------------------

    Creating a New Policy

    To create a policy:
    1. Click New Policy.
    2. Fill in details like:
       - Name and Description.
       - Copy Settings From: Use predefined templates provided by Carbon Black for common use cases. These serve as baselines that you can modify to suit specific needs.

    Predefined Policies
    Predefined policies are templates that:
    - Establish a baseline level of enforcement.
    - Can be assigned to sensors.
    - Allow customization but cannot be deleted.
    Each predefined policy with its description: (screenshot)

    After entering the description and policy name, the next tab you have to configure is Core Prevention and Permissions. (I am leaving those as default because these are testing policies.)

    In the screenshot below you can see a few process categories that are predefined by Carbon Black. For example, if Carbon Black thinks a process is adware, it will terminate the process automatically. (How cool is that!)

    From my perspective, do not touch the configuration below, even when creating a new policy for a production environment (leave it as default). If you want to add any other path or file name, you can add it by clicking "add file path".

    The last thing to configure in a policy is USB Blocking: if needed, you can add rules to block USB devices. This is optional and depends on your use case.

    Once you’ve configured the required settings, your policy is ready to go!

    -------------------------------------------------------------------------------------------------------------

    Reputation Management

    The Reputation tab is where you can manage files and applications based on their reputation.
    - Blocking Hashes: You can block specific SHA-256 hashes if you know they’re malicious.
    - Adding Exclusions: Similarly, you can add hashes to an exclusion list to avoid false positives.
    This feature provides flexibility and precision for managing files based on their known behaviors.
    -------------------------------------------------------------------------------------------------------------

    Malware Removal

    Managing detected malware is one of the core features of Carbon Black Cloud. Here’s how to handle it effectively:

    Detected Malware: The Detected tab shows files classified as KNOWN_MALWARE, SUSPECT_MALWARE, or PUP (Potentially Unwanted Program). You can:
    - Search for specific files by hash or filename.
    - Take action to delete malware directly from the Investigate page.

    Auto-Deleting Known Malware: You can configure policies to automatically delete known malware after a specified time.
    1. Go to Enforce > Policies.
    2. Select the desired policy and enable Auto-delete known malware hashes after.
    3. Choose the time frame and save.
    Deleted malware moves from the Detected tab to the Deleted tab. Remember, once malware is deleted, it cannot be restored, so proceed carefully.

    -------------------------------------------------------------------------------------------------------------

    Cloud Analysis

    The Cloud Analysis feature integrates with Symantec CYNIC to improve protection against unknown threats. Here’s how you enable it:
    1. Navigate to Enforce > Policies.
    2. Select a policy.
    3. Enable Submit unknown binaries for analysis under the Sensor tab.
    This submits "NOT_LISTED" binaries (e.g., .exe, .dll) to Symantec CYNIC for automated analysis. It’s worth enabling this feature to bolster your defenses against new and evolving threats.

    -------------------------------------------------------------------------------------------------------------

    Recommendations

    Carbon Black Cloud generates recommendations to improve the health of your environment. These suggestions are based on:
    - Blocked events in your organization.
    - Global insights from other organizations.
    - Accepted reputation rules.
    You can review these recommendations and apply them to optimize your configurations.
    -------------------------------------------------------------------------------------------------------------

    Wrapping Up

    That’s all you need to know about policy management in Carbon Black Cloud! From exclusions and blocking rules to handling malware and leveraging cloud analysis, you now have a solid foundation to manage policies effectively. Keep experimenting with these settings, and don’t hesitate to tweak configurations based on your organization's needs. I’ll leave you here for now, but stay tuned for my next guide—there’s always more to learn!

    ----------------------------------------------------------------------------------------------------------

    Upcoming article: Carbon Black (P5:Inventory): A Practical Guide/An Practical Training

    ----------------------------------------------------------------------------------------------------------

  • Carbon Black (P3:Investigate): A Practical Guide/An Practical Training

    The Investigate feature in Carbon Black is a powerful tool that allows you to perform deep searches, analyze details, and hunt for suspicious activities across your environment. It’s like a forensic magnifying glass, enabling SOC analysts to dig into both failed and successful operations performed by applications and processes on endpoints. While I won’t dive into a full analysis tutorial here, this is an overview of how the feature works and why it’s so useful. Let’s break it down.

    ------------------------------------------------------------------------------------------------------------

    Overview of the Investigate Page

    When you open the Investigate page (screenshot provided below), you’ll notice its similarity to SentinelOne’s timeline feature.
    - Filters on the Left: These allow you to refine your search.
    - Search Bar: Positioned at the top, you can run queries tailored to your investigation needs.
    - Search Guide: Found at the top-right, this embedded guide assists you in crafting advanced queries.

    Carbon Black markets this feature as a way to analyze every observation stored in the cloud, allowing you to:
    - Identify failed or successful operations.
    - Collect and act on data from your search results.
    - Use advanced search techniques for detailed visibility into events, processes, and observations.

    ------------------------------------------------------------------------------------------------------------

    How to Use Investigate: A Basic Example

    Let’s revisit a scenario from a previous article: you’ve created a rule to block wmiprvse.exe when invoked by cscript.exe. Now you want to investigate.

    Run a Simple Query:
      process_name:cscript.exe
    This query fetches all processes matching the name cscript.exe.
    Below the search bar, you’ll find three tabs:
    - Observations
    - Processes
    - Auth Events

    ------------------------------------------------------------------------------------------------------------

    The Observations Tab

    The Observations Tab provides a list of all interesting activities in your environment that didn’t necessarily trigger an alert.
    - Use Case: You detected a suspicious file and want to hunt for related activity. Observations allow you to search for processes, registry modifications, or other actions tied to the file.
    - Filters on the Left: These can be used to narrow your hunt and pinpoint specific activities.
    - Action Tab: Clicking on the graph-like structure (Process Analysis) lets you investigate further.

    Example Query for Hunting:
      alert_category:THREAT OR sensor_action:DENY OR ttp:FILELESS
    This expands your search scope, focusing on threats, denied actions, or fileless attacks.

    ------------------------------------------------------------------------------------------------------------

    The Processes Tab

    The Processes Tab gives details of all processes that ran in your environment based on your query.

    Example:
      fileless_scriptload_cmdline:.ps1
    This query filters for PowerShell script (.ps1) executions. The output lists processes tied to such executions, enabling you to spot any malicious activity.

    ------------------------------------------------------------------------------------------------------------

    The Auth Events Tab

    This is one of the standout features of Carbon Black. The Auth Events Tab provides detailed insights into Windows authentication events, supplementing process activity logs.

    What You Can Investigate:
    - Who logged in to an endpoint during suspicious activity.
    - Failed login attempts and brute-force attacks.
    - Privilege escalation attempts and lateral movement.
    - Remote logins from anomalous sources.
    - Insider threats or use of stolen credentials.

    Why It’s Valuable: SOC analysts gain critical context during threat hunting and incident response.
    Carbon Black’s ability to correlate authentication events with process activity reduces response times and minimizes reliance on third-party tools.

    Example Search:
    - Failed Login Attempts on a Specific Endpoint (with search/filter): (screenshot)
    - Remote Logins (with search/filter): (screenshot)

    ------------------------------------------------------------------------------------------------------------

    Why I’m a Fan of This Feature

    Carbon Black’s Investigate tool offers simplicity and depth, eliminating the need to manually sift through logs. You can:
    - Quickly search for anomalies.
    - Export details for reporting.
    - Investigate further with ease.

    Real-World Benefits: The seamless integration of authentication data with process analysis enhances visibility, making it easier to detect and respond to threats like lateral movement, privilege escalation, or brute-force attacks.

    ------------------------------------------------------------------------------------------------------------

    Stay tuned for the next article! Until then, keep learning and growing. See you soon! 😊

    Upcoming article: Carbon Black (P4:Enforce): A Practical Guide/An Practical Training

    ----------------------------------------------Dean-------------------------------------------------

  • Carbon Black (P2:Dashboard/Alerts): A Practical Guide/An Practical Training

    Carbon Black EDR (Endpoint Detection and Response) is a powerful tool, but its interface can be a little overwhelming for new users. Let me walk you through some of its key features, starting with the Dashboard and then moving on to the Alerts tab. I’ll share what I know, with examples and screenshots for better understanding.

    -------------------------------------------------------------------------------------------------------------

    The Dashboard: A Quick Overview

    The Carbon Black Dashboard is made up of widgets that provide a high-level view of policies, alerts, and overall activity. These widgets are pre-defined, which is both a strength and a limitation. You can’t add custom widgets, which sometimes feels restrictive if you want to monitor something very specific.

    Now, I’ll be honest: I don’t personally use dashboards, whether it’s Carbon Black, SentinelOne, or any other tool. I prefer to dig into things manually. That’s just how I work. But I can see the appeal of dashboards for administrators who want a quick overview. If you’re someone who relies on dashboards, the widgets here are decent, though not customizable.

    Since the visuals speak for themselves, I won’t go into great detail. You’ll understand everything through the screenshots.

    -------------------------------------------------------------------------------------------------------------

    Moving to the Alerts Tab

    Now, let’s dive into the Alerts tab. This section is much more interactive and flexible. Here's a quick breakdown:

    The Search Bar
    At the top of the Alerts tab, you’ll find a search bar where you can look up alerts based on parameters like:
    - File name
    - Device ID
    - Hash
    For example, if you type de in the search bar, it will auto-fill suggestions like "Device ID" or "Policy Name," making it easier to refine your search. Similarly, you can search by hash or file name. One great feature is that after performing a search, you can save the filter and add it to your favorites.
    This way, you don’t need to repeat the same search every time.

    Time Filters
    On the right-hand side, there’s a time filter where you can choose to view alerts for a specific period, such as the past day, hour, or month.

    -------------------------------------------------------------------------------------------------------------

    Filters/Grouping/Search Guide Options

    On the left-hand side, you’ll see additional filters to make searching alerts easier. You can filter by Type, Priority, and more.

    Now, if you look at the top right-hand side, you will see the Group By option:
    - None: Alerts are shown individually, one by one.
    - Threat ID: Groups alerts that share the same threat ID. For example, if multiple alerts are related to a remote tool, selecting "Threat ID" groups them together for easier viewing.

    Search Guide
    One of my favorite features in the Alerts tab is the Search Guide link at the top. If you click on it, you’ll find a detailed guide on how to search using the bar. It’s incredibly useful if you’re not familiar with the search syntax or want to refine your searches further.

    View of Search Guide: (screenshot)

    -------------------------------------------------------------------------------------------------------------

    Types of Alerts

    Let’s now look at the types of alerts in Carbon Black. There are two main categories:
    - CB Analytics: These alerts are generated automatically by the Carbon Black Cloud analytics engine. They are essentially detections based on built-in analytics.
    - Watchlist Hits: Watchlist hits are rule-based detections. For instance, if you’ve set up a rule to monitor for certain IOCs (Indicators of Compromise), any matches will trigger an alert under this category.

    According to the official documentation: Watchlists are saved searches that run periodically against process or binary data in Carbon Black EDR. They run every 10 minutes and notify users when new results are found.

    Filter by Priority
    One of the key filters available is Priority Level.
You can use this to narrow down alerts based on their assigned priority. For example, you might only want to focus on high-priority alerts. Once you apply this filter, only the relevant alerts matching that priority will show up. It’s a simple yet effective way to zero in on what needs immediate attention.

More filter screenshot:

Group By: None vs. Threat ID

As I mentioned earlier, the Group By filter can be set to either:
- None: This displays alerts individually, one by one.
- Threat ID: Groups alerts that share the same threat ID. For instance, if multiple alerts relate to a "Remote Tool" threat, grouping by Threat ID will cluster them together.

Below, you’ll see screenshots showing both options:
- Group By None: Each alert appears separately.
- Group By Threat ID: Similar alerts are grouped, which makes it easier to analyze related threats.

-------------------------------------------------------------------------------------------------------------

Diving Into a Particular Alert

Let’s take a closer look at a specific alert, starting with a Watchlist Hit. Here’s what you’ll find in a typical alert:

Arrow for Detailed View

Next to the Actions section, there’s an arrow (>) that you can click to expand the alert. This will reveal more information about the alert, including its Alert ID and the Reason it was triggered.
- Alert ID: This uniquely identifies the alert.
- Reason: Indicates the watchlist or rule that triggered the alert. For instance, if you’ve set up a rule to detect IOC hits, you’ll see the corresponding rule listed here.

Processes and Parent Processes

Below the basic alert details, you’ll see the Parent Process and Process information. This shows the process chain for the activity that triggered the alert. I won’t spend too much time explaining these since most of us are familiar with how processes and parent processes work.
If you need even more details, there’s a Show All button that you can click to expand and view additional process information.

Remediation Steps

After the process details, you’ll find Remediation Steps. This section suggests actions you can take in response to the alert, such as:
- Deleting the application
- Quarantining the asset
- Taking remote actions on the device

Device Details

Just below the remediation steps, you’ll find a section for Device Details, which provides information about the endpoint where the alert was triggered. This can include the device name, OS version, and other critical details.

Threat History

Scrolling further down, you’ll come across the Threat History section. This provides context on how often similar alerts have been detected across devices, helping you understand the scale of the issue.

-------------------------------------------------------------------------------------------------------------

No Need to Scroll: Use the Expand Option

Instead of scrolling through the alert details, you can use the Expand button at the top of the alert. Clicking this will display all the alert details on a single page, saving you time and making it easier to view everything at once.

-------------------------------------------------------------------------------------------------------------

In-depth Analysis of an Alert and Its Views

Process Analysis: A Visual Insight

If you want to investigate an alert beyond just the basics like hash, IOC, or file paths, Process Analysis is your go-to tool. When you select Process Analysis, the first thing you’ll notice is a graphical representation. This graph visually lays out the parent-child process relationships, making it easy to trace back how the suspicious activity started and its subsequent actions.

Screenshot Example:

The graph provides clarity on which process initiated the activity, its children, and the sequence of events. It’s particularly helpful for identifying anomalies in the execution chain.
Filters and Modules

As you scroll down, you’ll find additional filters, including details like:
- Loaded Modules: Shows the DLLs or components loaded by a specific process.
- File Modifications: Lists changes made to files.
- Registry Modifications: Displays registry edits made by the process.

These are standard features in most EDR tools, but Carbon Black makes the information easy to navigate.

Search Guide

At the top-right corner of the process analysis section, there’s a Search Guide link. If you’re unsure about analyzing alerts, this guide provides handy tips and examples. It’s a quick way to get familiar with the interface and techniques.

-------------------------------------------------------------------------------------------------------------

CB Analytics Alerts

Now, let’s shift to CB Analytics Hits, another type of alert you’ll encounter.

Blocked CB Analytics Alerts

Let’s say Carbon Black detects a suspicious process like wmiprvse.exe invoking another application. If you’ve created a policy to block this activity, Carbon Black will:
1. Detect the activity.
2. Apply the policy and block the process.

In the alert details, you’ll see that the policy was enforced. This is similar to a Watchlist Hit, but with the key difference being that the threat was actively blocked.

Non-Blocked CB Analytics Alerts

On the flip side, if there’s no policy in place to block the suspicious activity, Carbon Black will still flag it as worth investigating. For example, Carbon Black might detect another application but not block it because there’s no policy for that scenario. The alert details in this case will look similar to a watchlist hit, allowing you to analyze and decide on the next steps.

-------------------------------------------------------------------------------------------------------------

Takeaways on Alerts

That’s essentially how the Alerts Tab works. From using filters to navigating process analysis graphs, you have all the tools to investigate and take action.
Don’t forget, if you ever feel stuck, the Search Guide is always there to assist. If there’s enough interest, I’ll create a dedicated article on how to analyze alerts in detail. But for now, let’s move on to the next topic—I’ve got more articles to write (lol).

Upcoming article: Carbon Black (P3:Investigate): A Practical Guide / A Practical Training

Dean

  • Carbon Black (P1:Overview): A Practical Guide / A Practical Training

Welcome to this guide on using Carbon Black as an Endpoint Detection and Response (EDR) tool. Carbon Black has long been recognized for its contributions to the cybersecurity landscape. While it wasn’t the first to introduce EDR (the concept was coined by Gartner analyst Anton Chuvakin in 2013), it has played a pivotal role in the evolution of endpoint security. In this article, we’ll explore Carbon Black’s features, capabilities, and its journey within the competitive EDR market. By the end, you’ll have a clear understanding of Carbon Black's functionality and how it compares to other EDR solutions.

-------------------------------------------------------------------------------------------------------------

Introduction to Carbon Black

Carbon Black specializes in advanced threat detection and response. Its strength lies in real-time visibility into endpoints, enabling quick detection and mitigation of threats. Over time, it has become an essential tool for organizations aiming to strengthen their cybersecurity posture.

Key Features
- Real-Time Endpoint Monitoring: Tracks activities across endpoints to detect unusual behavior.
- Threat Hunting Capabilities: Enables deep visibility into endpoint activities for proactive threat hunting.
- Application Control: Prevents unauthorized applications from running.
- Malware Analysis: Offers cloud-based analysis for suspicious executables.

-------------------------------------------------------------------------------------------------------------

The Evolution of Carbon Black

Carbon Black became part of VMware in 2019 and was later acquired by Broadcom in 2021 as part of Broadcom’s VMware acquisition. While these transitions have provided financial backing and broader integration, I have noticed a decline in support during the integration phase, especially with the merger of Carbon Black and Symantec (my personal comment).
-------------------------------------------------------------------------------------------------------------

Using the Carbon Black Dashboard

The Carbon Black Cloud dashboard is designed for simplicity, providing a centralized view of your environment.

Top Navigation Bar
- Left Side: Displays the Carbon Black Cloud branding.
- Right Side: Includes:
  - Notifications: Alerts for recent updates or completed downloads (e.g., reports).
  - Help Tab: Provides documentation and resources for troubleshooting or learning about features.

Quick Feature Highlight

Near the right-hand side, you’ll notice a small arrow (>). Clicking this reveals which features are enabled in your environment. For example, advanced features like Vulnerability Management may require additional licensing. The built-in documentation for these features can be incredibly helpful if you’re stuck.

-------------------------------------------------------------------------------------------------------------

Exploring the Left-Hand Menu

The left-hand menu is where most of the action happens. Here’s a breakdown of its main sections:

1. Dashboard
A high-level overview of your environment, including key metrics and activity summaries.

2. Alerts
Displays all alerts triggered by suspicious activity. You can investigate and act on alerts from here.

3. Investigate
The Investigate tab acts like a tool allowing you to perform advanced threat hunting. Similar to SentinelOne’s Deep Visibility, this feature lets you query endpoint activities in detail.

4. Live Query
Run SQL-like queries across endpoints for targeted data retrieval (a kind of threat hunting).

5. Enforce
A collection of related sub-features:
- Policies: Create and manage endpoint policies.
- Reputation: Block malicious hashes or allow trusted ones.
- Malware Removal: Review and take action on identified malicious files.
- Cloud Analysis: Upload executables for in-depth analysis by the Carbon Black team.
- Recommendations: Receive suggestions to optimize your Carbon Black Cloud console.

6. Vulnerability
Displays detected vulnerabilities across your environment. Tracks endpoint exposure to CVEs and provides actionable insights.

7. Inventory
Contains several subsections for managing endpoint assets:
- Endpoints: Lists all endpoints and their details.
- USB Devices: Tracks allowed or blocked USB devices.
- Sensor Groups: Create and order sensor groups for automated policy assignments.

8. Settings
Configuration options for customizing your Carbon Black deployment. (We will talk about each in future articles.)

-------------------------------------------------------------------------------------------------------------

Comparison: Carbon Black vs. SentinelOne

While Carbon Black is a robust tool, my personal experience suggests that SentinelOne offers more user-friendly capabilities.

-------------------------------------------------------------------------------------------------------------

Having worked extensively with Carbon Black, I can attest to its potential. However, as with any tool, the key is to understand its strengths and limitations. Broadcom's acquisition of VMware has also led to some challenges.

I’ll pause here for now, as it’s time to work on another article! Until then, keep hunting and learning. See you soon! 😊 Happy Carbon Black managing! 🚀

Upcoming article: Carbon Black (P2:Dashboard/Alerts): A Practical Guide / A Practical Training

  • Querying Like a Pro in Arkime: Getting the Most Out of Arkime Viewer: Beyond the Basics

If you’ve started using Arkime (formerly Moloch), you already know it's a powerful tool for digging deep into packet captures and indexed network traffic. But here's the deal — most of that power lives in how you search. And trust me, once you get comfortable with Arkime's search language, it feels less like digging through data and more like interrogating the network. 🕵️‍♀️

----------------------------------------------------------------------------------------------------------

🧠 First: What Are We Even Searching?

In Arkime, you’re not just searching raw packets like in Wireshark. You're querying SPI data — Session Profile Information. It's metadata extracted from full PCAP captures that’s been indexed for fast retrieval. This means you’re asking questions like:
- “Which sessions involved DNS lookups for ‘google’?”
- “Did anyone POST data to a shady site?”
- “Who used TLS but without Diffie-Hellman?”

You use Arkime's query bar in the viewer UI — and it’s actually pretty user-friendly.

----------------------------------------------------------------------------------------------------------

✨ Query Language 101 (Way Simpler Than It Looks)

Arkime has its own mini search language. Don’t worry, it’s not too weird. Here’s how it works:

Task          Syntax
AND           &&
OR            ||
Equals        ==
Not equals    !=
Exists        == EXISTS!
Group logic   ( ... )

Example: host.dns == *google* && http.method == POST

This finds DNS sessions with “google” in the hostname AND HTTP POST requests — maybe signs of data exfiltration?

----------------------------------------------------------------------------------------------------------

🔍 Let's Talk Field Types (Because This Changes How You Search)

Arkime fields come in different types — and you search each a little differently.

🧾 String Fields

These are your domains, URIs, methods, headers, etc.

Tokenized: Arkime breaks strings up by dots, slashes, and dashes.
So www.cyberengage.org/ becomes: www, cyberengage, org, and www.cyberengage.org

Wildcards: * = any characters, ? = single character
http.uri == "www.cyberengage.*" matches .org, .edu, .com, etc.

Lists: Want OR logic quickly? Use brackets:
http.uri == [login, reset, password]

Regex: Use /regex/ style for advanced pattern matching:
host.http == /.*cyberengage\.com/

🌐 IP Address Fields

You can match by:
- Exact IPs: ip.dst == 192.168.1.10
- CIDR: ip.src == 10.0.0.0/8
- With ports: ip.dst == 8.8.8.8:53

🔢 Numeric Fields

Standard comparisons work: >, <, >=, !=
src.port >= 10000

📅 Date Fields

Yes, you can time travel:
timestamp >= "2024-07-01 00:00:00"
Or go relative like:
timestamp >= now-24h

🦉 Helpful Stuff Built Right In

🧠 Autocomplete

Start typing host in the search bar and Arkime gives you suggestions like:
- host.dns
- host.http
- host.tls

This is amazing when you’re not sure of the exact field name.

🦉 The Owl Button

Top-left corner of the interface = Arkime's Owl. Click it anytime to get quick help, field lists, and syntax reminders.

📈 The Viewer UI – It’s Not Just a Table

Each row in the interface = a session (not an individual packet). This is important. Arkime combines both sides of a conversation into one entry. You’ll see:
- Timestamps
- Byte/packet counts
- Protocols
- Directional traffic graphs (blue vs red = client vs server)

You can:
- Click the green plus sign to expand any session
- Extract PCAPs of the session instantly
- Switch views to show packets, bytes, or session summaries

And yes — you can zoom into a time range interactively just like in Wireshark!

🎯 Quick Query Examples (Copy-Paste Friendly)

Find all DNS requests containing “cyberengage”:
host.dns == cyberengage

All POST requests to cyberengage.org:
http.method == POST && host.http == cyberengage.org

TLS sessions that don’t use Diffie-Hellman:
tls.cipher == EXISTS! && tls.cipher != DHE

Any session where a TLS certificate was present:
cert.issuer.cn == EXISTS!

Match IP in range with port:
ip.dst == 192.168.1.0/24:443

----------------------------------------------------------------------------------------------------------

So you’ve fired up Arkime, run a few basic searches, and pulled up some sessions. Cool. But now you’re thinking, “Okay, now what?” Welcome to the real power of Arkime — the Viewer interface. This is where packet forensics turns visual, interactive, and actually fun.

🔓 “Unrolling” a Session — No More Packet-by-Packet Misery

Click that little green or blue “+” icon on any session row. Boom. You just “unrolled” the session. Now you’re looking at:
- All the SPI (Session Profile Information) fields Arkime extracted
- A breakdown of client and server metadata
- Easy-to-click fields that build your next search for you

This is Arkime’s secret sauce. You’re not parsing hex dumps or scrolling through TCP streams — you’re getting parsed, indexed, clickable context. Want to filter all sessions that used the same HTTP User-Agent? Just click it. Want to pivot off a suspicious DNS request? Click it.

----------------------------------------------------------------------------------------------------------

📦 No PCAP Left Behind (Even If You Delete It)

One super cool feature: even if your original .pcap files get deleted or expire from disk, the SPI data stays. That means you can still search for sessions based on:
- IPs
- DNS names
- TLS info
- HTTP headers
- And more…

…even if the raw packets are long gone. That's thanks to Elasticsearch, which is storing and indexing all that juicy metadata.
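To make the query rules and field types above concrete, here is an added example that is not Arkime's own code: a toy Python evaluator that runs Arkime-style queries (tokenized strings, wildcards, [a, b] lists, /regex/, EXISTS!, CIDR and ip:port matching, numeric comparisons, &&, || and parentheses) over a few constructed SPI-style session records. The session contents are constructed; the field names follow the article, and the tokenizer and wildcard handling are a simplified model of Arkime's behaviour, not its implementation.

```python
# Added example, not Arkime's own code: a toy evaluator for the query syntax
# above (tokenized strings, wildcards, [a, b] lists, /regex/, EXISTS!, CIDR and
# ip:port matching, numeric compares, &&, || and parentheses) over constructed sessions.
import fnmatch
import ipaddress
import operator
import re

SESSIONS = [  # constructed sample sessions, not real captures
    {"ip.src": "10.1.2.3", "ip.dst": "8.8.8.8", "dst.port": 53,
     "host.dns": "mail.google.com"},
    {"ip.src": "10.1.2.3", "ip.dst": "203.0.113.9", "dst.port": 443,
     "host.http": "www.cyberengage.org", "http.method": "POST", "tls.cipher": "AES128-SHA"},
    {"ip.src": "192.168.1.20", "ip.dst": "192.168.1.10", "dst.port": 443,
     "host.http": "intranet.example", "http.method": "GET",
     "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "cert.issuer.cn": "Example CA"},
]
TOKEN_RE = re.compile(r'\(|\)|&&|\|\||==|!=|>=|<=|>|<|'
                      r'\[[^\]]*\]|"[^"]*"|/(?:\\.|[^/])*/|[^\s()]+')
NUM_OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def tokens(value):  # Arkime splits on dots, slashes and dashes and keeps the whole
    return (set(re.split(r"[./-]", value)) - {""}) | {value}

def match_string(value, pattern):
    if len(pattern) > 1 and pattern[0] == pattern[-1] == "/":
        return re.search(pattern[1:-1], value) is not None  # /regex/ form
    if "*" in pattern or "?" in pattern:
        return fnmatch.fnmatchcase(value, pattern)          # wildcard form
    return pattern in tokens(value)                         # plain token match

def match_ip(session, field, pattern):
    ip_part, _, port = pattern.partition(":")               # e.g. 8.8.8.8:53
    if port and str(session.get("src.port" if field == "ip.src" else "dst.port")) != port:
        return False
    net = ipaddress.ip_network(ip_part, strict=False)       # plain IP or CIDR
    return ipaddress.ip_address(session[field]) in net

def match_term(session, field, op, raw):
    if raw == "EXISTS!":
        return (field in session) == (op == "==")
    if field not in session:
        return False
    actual = session[field]                                 # [a, b] list means OR
    values = [v.strip() for v in raw[1:-1].split(",")] if raw[0] == "[" else [raw.strip('"')]
    if isinstance(actual, int):
        if op in NUM_OPS:
            return all(NUM_OPS[op](actual, int(v)) for v in values)
        hit = any(actual == int(v) for v in values)
    elif field.startswith("ip."):
        hit = any(match_ip(session, field, v) for v in values)
    else:
        hit = any(match_string(actual, v) for v in values)
    return hit if op == "==" else not hit

def evaluate(query, s):
    """Evaluate an Arkime-style query against one session dict."""
    toks = TOKEN_RE.findall(query)
    def chain(sub, sym):                                    # sub (sym sub)*
        result = sub()
        while toks and toks[0] == sym:
            toks.pop(0)
            nxt = sub()                                     # always consume both sides
            result = (result or nxt) if sym == "||" else (result and nxt)
        return result
    def parse_term():
        if toks[0] != "(":
            return match_term(s, toks.pop(0), toks.pop(0), toks.pop(0))
        toks.pop(0)
        result = parse_or()
        toks.pop(0)                                         # closing ")"
        return result
    def parse_or():
        return chain(lambda: chain(parse_term, "&&"), "||")
    return parse_or()
```

Run a query over all sessions with `[s for s in SESSIONS if evaluate(query, s)]`; && binds tighter than ||, and parentheses group, as in the syntax table above.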
----------------------------------------------------------------------------------------------------------

🎨 Visual Packet Direction — Just Like Wireshark (But Better)

If the original PCAP is still available and not locked by permissions, Arkime shows you client-server packet flows using colors:
- 🔵 Blue = client → server
- 🔴 Red = server → client

This helps you see session direction at a glance — useful when you're dealing with command-and-control traffic, exfiltration, or handshake behaviors.

----------------------------------------------------------------------------------------------------------

🧪 Decode & Decompress — On the Fly

Did the response come back GZIP'd? No worries. Arkime lets you uncompress responses directly in the browser — just click the “Uncompress” button.

Same goes for files and images:
- Click “Show Images & Files”
- Arkime will display images right inside the UI
- Not an image? You’ll get a download link, but it forces a .pellet extension to keep things safe — no accidental malware clicks 👀

This makes Arkime way more analyst-friendly. No need to carve files manually — the UI helps surface artifacts you care about.

----------------------------------------------------------------------------------------------------------

🔗 “Connections” Tab — Visualize Relationships, Not Just Results

Here’s where Arkime gets fancy. The Connections tab lets you build visual relationships between any two data points. You can pair:
- ip.src with host.dns
- ip.src with ip.dst
- smb.user with smb.fn (username vs. accessed file)
- Anything you want — as long as it's in the SPI

What you get is an interactive graph, showing:
- Who talked to whom
- How often
- Which IPs resolved which domains
- Which users accessed which files

You can hover to see session counts, bytes, packets... or even drag nodes to explore visually. It's like building your own mini threat intel map.
----------------------------------------------------------------------------------------------------------

🔍 The Hunt Tab — Search Inside Packets, Not Just Metadata

Most of Arkime’s power is in SPI — but sometimes, you need to dig deeper. That’s where Hunt comes in.

What is a “Hunt”?

It’s a background task that scans the actual packet data (raw PCAP) for matches, not just metadata. Example use cases:
- Searching inside payloads for malware signatures
- Finding credentials
- Looking for file fragments or strings

Hunt Options You Can Customize:
- How many packets per session to search
- Reassembly (streamed) or per-packet inspection
- Direction (client→server, server→client, or both)
- Match method (literal string, regex, etc.)

Once the hunt finishes:
- It adds huntName and huntId to the session SPI
- Even if the PCAP is deleted later, the match stays searchable!

💡 Bonus: You can save hunts and reuse them later — perfect for recurring analysis like APT TTPs, keyword searches, or IOC sweeps.

----------------------------------------------------------------------------------------------------------

🧰 Final Thoughts: Why This Matters

When you're dealing with mountains of network traffic, the difference between pain and productivity often comes down to how your tools surface data. Arkime isn’t just capturing packets — it’s making them usable. Once you learn the basic search syntax, Arkime becomes insanely powerful. You're no longer swimming in raw packets — you're running smart, targeted queries and extracting meaningful results fast.

-----------------------------------------------Dean------------------------------------------------------
