Carbon Black Cloud: How to Tell What Policy Changes Have Been Made

Article ID: 291752

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Confirm policy change details from the Carbon Black Cloud (CBC) Console

Environment

  • Carbon Black Cloud Console: All Versions

Resolution

  1. Go to Settings > Audit Log
  2. Select Verbose (shows both Standard and Verbose entries)
  3. Select desired time range
  4. Search for Policy changes in general OR for a specific Policy name
    General Search
    description:(Policy OR "was modified" OR "modify policy" OR "created") AND NOT description:(downloaded OR "for device" OR "job request" OR update OR note OR "changed device" OR "LiveResponse" OR "watchlist" OR "notification" OR "report")
    
    Search for Specific Policy
    description:("<policy_name>" OR <policy_id> OR Policy OR "was modified" OR "modify policy" OR "created") AND NOT description:(downloaded OR "for device" OR "job request" OR update OR note OR "changed device" OR "LiveResponse" OR "watchlist" OR "notification" OR "report")

Additional Information

  • Replace <policy_name> and/or <policy_id>, including the angle brackets (<>), with the desired name/ID of the Policy
    Example
    Desired Policy name: Standard Workstations
    Desired Policy ID: 123456
    
    "<policy_name>" => "Standard Workstations"
    <policy_id> => 123456
    
  • Each Policy change will be reflected by three or four distinct log entries with matching timestamps
    • Two or three Standard entries
      • One noting the request to modify the Policy
        Request received to modify policy <policy_name> (ID: <policy_id>)
      • One noting the name of the Policy
        Policy <policy_name> was modified
      • One noting the successful change
        Policy <policy_name> (ID: <policy_id>) is updated successfully
    • One Verbose entry noting the changes made
      Tab: Settings (Policy) Action: Policy Settings Changed
  • Expand the Verbose entry (chevron to the left) to see the details; it shows all Policy rules being deleted and recreated as well as individual settings changes
    • Where there are matching Deleted and Created entries for a given Rule (by path / reputation, operation attempt, and action) there was no change
    • Where there is a Created entry for a given Rule (by path / reputation, operation attempt, and action), the rule was added as part of the changes
    • Where there is a Deleted entry for a given Rule (by path / reputation, operation attempt, and action), the rule was removed as part of the changes
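
The Deleted/Created comparison described in the last three bullets, as an added example (not Carbon Black code): it cancels matching Deleted and Created rule entries and reports what was actually added or removed. The record fields `event`, `target`, `operation` and `action`, and all sample values, are constructed assumptions standing in for rule lines transcribed from one expanded Verbose entry; they are not the console's own format.

```python
from collections import Counter

# Constructed sample: rule lines transcribed by hand from ONE expanded Verbose
# entry. Field names and values are assumptions, not the console's format.
SAMPLE_ENTRIES = [
    {"event": "Deleted", "target": "KNOWN_MALWARE", "operation": "RUN", "action": "DENY"},
    {"event": "Deleted", "target": "**\\powershell.exe", "operation": "NETWORK", "action": "DENY"},
    {"event": "Deleted", "target": "ADWARE", "operation": "RUN", "action": "DENY"},
    {"event": "Created", "target": "KNOWN_MALWARE", "operation": "RUN", "action": "DENY"},
    {"event": "Created", "target": "**\\powershell.exe", "operation": "NETWORK", "action": "DENY"},
    {"event": "Created", "target": "**\\wscript.exe", "operation": "RUN", "action": "TERMINATE"},
]


def rule_key(entry):
    """A rule's identity: path / reputation, operation attempt, and action."""
    return (entry["target"].strip(),
            entry["operation"].strip().upper(),
            entry["action"].strip().upper())


def net_rule_changes(entries):
    """Cancel matching Deleted/Created pairs and return the real rule changes."""
    deleted, created = Counter(), Counter()
    for entry in entries:
        event = entry["event"].strip().lower()
        if event == "deleted":
            deleted[rule_key(entry)] += 1
        elif event == "created":
            created[rule_key(entry)] += 1
        else:
            raise ValueError(f"unexpected event type: {entry['event']!r}")
    # Counters act as multisets, so a rule listed twice is paired off twice.
    return {
        "unchanged": sorted((deleted & created).elements()),  # Deleted and Created
        "added": sorted((created - deleted).elements()),      # Created only
        "removed": sorted((deleted - created).elements()),    # Deleted only
    }


if __name__ == "__main__":
    for kind, rules in net_rule_changes(SAMPLE_ENTRIES).items():
        for target, operation, action in rules:
            print(f"{kind:9} {target} | {operation} | {action}")
```

Because the action is part of the match, a rule whose action was changed shows up as one removed rule and one added rule with the same path / reputation and operation attempt.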