Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Does Carbon Black Alert on this Action found in this CVE?
Environment
Carbon Black Cloud Console: Current Version
Resolution
No. The actions seen when a CVE is abused normally fall within the normal operation of the affected software. Creating a new specific rule for each CVE would not be maintainable.
Potential next steps:
Check TAU for any reports regarding the CVE. A report on a threat is provided on an as-needed basis based on multiple factors.
Understand the CVE.
Understand if/how the common software is used in the network.
Determine if a custom watchlist is warranted to monitor any misuse of the commonly used software.
Contact Support to express interest in a particular threat or possibly get more information.
Additional Information
Carbon Black reviews new or updated CVEs daily and adjusts the behavioral rules as needed to cover possible Tactics, Techniques and Procedures (TTPs).
Carbon Black has an extensive binary reputation database of malware, which we keep up to date on a daily basis.
Example of why creating a specific rule for each CVE would be unmanageable:
Suppose a CVE reports that Firefox versions < 82.0.3 (CVE-2020-26950) are vulnerable. Alerts should not occur for each use of Firefox. Instead, the vulnerability requires a certain environmental configuration before or after Firefox starts, and that configuration is what should alert.