Carbon Black Cloud: How to Find and Identify a Banned Hash in the Console
Article ID: 290339
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Identify data in the Carbon Black Cloud Console that is related to banned hashes
Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Windows Sensor: 3.5.0.1278 and higher
- Carbon Black Cloud Linux Sensor: 2.6.0 and higher
Resolution
Below are three examples of how to find data related to banned hashes:
- Navigate to the Alerts page and look for alerts with the text:
  - "Process xxxx invoked another process (yyyy). Policy actions applied: Deny"
  - In an Enterprise EDR-only org, the Alert Type facet category is not shown
  - In an Endpoint Standard + Enterprise EDR org, alerts for hash banning will continue to be CB Analytics alerts
- Alternatively, it is possible to search on the Investigate page for matching events:
  - Search in Investigate on the Processes tab for any combination of the following:
    - sensor_action:DENY
    - sensor_action_reason:POLICY_DENY
    - hash:(hash_on_the_company_banned_list)
  - Select Process Analysis for any of the matching processes, then search in the Events Table search bar for any combination of the following:
    - sensor_action_reason:POLICY_DENY
    - filemod_sha256:(hash_on_the_company_banned_list)
- Alerts page search:
  - sensor_action:DENY
  - ttp:run_banned_list_app
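The same three searches can be automated rather than typed into the console. The following is an added example, not Carbon Black's own code or anything from this article: it builds the Processes-tab query from the article's fields for a whole list of banned SHA-256 hashes (validating each one so a malformed entry cannot alter the query), submits it, and summarises which processes were denied on which devices. The API flow (POST a search job, then GET its results and poll until `completed` reaches `contacted`), the `X-Auth-Token` header, and the `device_name`/`process_name`/`process_hash` result fields are assumptions drawn from the public Carbon Black Cloud Platform Search API, not from this article; the HTTP transport is injected so the logic runs offline against constructed sample data.

```python
import re
from typing import Any, Callable, Dict, List, Optional

# Assumed field names; the article only shows the query syntax, not API output.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Alerts-page query exactly as the article lists it.
ALERTS_QUERY = "sensor_action:DENY AND ttp:run_banned_list_app"


def build_investigate_query(banned_hashes: List[str]) -> str:
    """Compose the Processes-tab query from the article's three clauses.

    Hashes are normalised to lowercase hex and must be SHA-256, so a stray
    value from a banned list cannot inject extra search operators.
    """
    clauses = ["sensor_action:DENY", "sensor_action_reason:POLICY_DENY"]
    hashes = sorted({h.strip().lower() for h in banned_hashes if h.strip()})
    bad = [h for h in hashes if not SHA256_RE.match(h)]
    if bad:
        raise ValueError(f"not SHA-256 hex: {bad}")
    if hashes:
        clauses.append("hash:(" + " OR ".join(hashes) + ")")
    return " AND ".join(clauses)


# http(method, url, headers, json_body) -> parsed JSON dict. Injected so the
# search can be exercised with a fake transport.
HttpFn = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]


def search_denied_processes(base_url: str, org_key: str, token: str,
                            query: str, http: HttpFn,
                            rows: int = 100, max_polls: int = 20) -> List[Dict[str, Any]]:
    """Assumed Platform Search flow: create a job, then fetch results until complete."""
    headers = {"X-Auth-Token": token, "Content-Type": "application/json"}
    jobs = f"{base_url}/api/investigate/v2/orgs/{org_key}/processes/search_jobs"
    job = http("POST", jobs, headers, {"query": query, "rows": rows, "start": 0})
    results_url = f"{jobs}/{job['job_id']}/results"
    res = http("GET", results_url, headers, None)
    polls = 1
    # The job is done when every contacted shard has completed.
    while res.get("completed", 0) < res.get("contacted", 0):
        if polls >= max_polls:
            raise TimeoutError("search job did not complete")
        res = http("GET", results_url, headers, None)
        polls += 1
    return res.get("results", [])


def summarize_denied_processes(results: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map device name -> sorted, de-duplicated list of denied process names."""
    summary: Dict[str, set] = {}
    for r in results:
        device = r.get("device_name", "<unknown device>")
        proc = r.get("process_name", "<unknown process>")
        summary.setdefault(device, set()).add(proc)
    return {d: sorted(p) for d, p in sorted(summary.items())}


# Constructed sample data, not real telemetry.
BANNED = ["A" * 64, "b" * 64]
SAMPLE_RESULTS = [
    {"device_name": "WS-01", "process_name": "c:\\tools\\banned.exe", "process_hash": ["a" * 64]},
    {"device_name": "WS-01", "process_name": "c:\\tools\\banned.exe", "process_hash": ["a" * 64]},
    {"device_name": "SRV-02", "process_name": "/opt/dropper", "process_hash": ["b" * 64]},
]


def fake_http(method: str, url: str, headers: Dict[str, str],
              body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Stand-in transport that mimics the assumed job-then-results exchange."""
    if method == "POST":
        return {"job_id": "job-constructed-1"}
    return {"results": SAMPLE_RESULTS, "num_found": 3, "contacted": 4, "completed": 4}


def demo() -> Dict[str, List[str]]:
    query = build_investigate_query(BANNED)
    rows = search_denied_processes("https://defense.example", "ORGKEY",
                                   "SECRET/ID", query, fake_http)
    return summarize_denied_processes(rows)


if __name__ == "__main__":
    print(build_investigate_query(BANNED))
    print(ALERTS_QUERY)
    for device, procs in demo().items():
        print(device, procs)
```

To run against a live org, replace `fake_http` with a function that issues the request (for example with `requests`) and returns the decoded JSON; the placeholder host, org key and token above must be swapped for real values, and the injected transport is where you would add timeouts and error handling.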