CB ThreatHunter: How to determine if an Event is from CB Defense data

Article ID: 292443

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Provide instructions to verify whether an Event came from the CB Defense or CB ThreatHunter data streams

Environment

  • PSC Console: All Versions
    • CB Defense
    • CB ThreatHunter
  • PSC Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Resolution

  1. Log into the PSC Console
  2. Go to the Investigate page
  3. Search as desired and check whether the data is marked as 'legacy' (CB Defense data stream)
    device_id:<DeviceID> AND process_name:<ProcessName> AND legacy:true
  4. Repeat the search, but look for non-legacy data (CB ThreatHunter data stream)
    device_id:<DeviceID> AND process_name:<ProcessName> AND netconn_count:[1 TO *] AND -legacy:true

Additional Information

  • Event data coming from the CB Defense data stream will not show counts for REGMODS, FILEMODS, NETCONNS, MODLOADS, or CHILDPROCS, which is another indicator
  • Event data coming from the CB ThreatHunter data stream will show counts for REGMODS, FILEMODS, NETCONNS, MODLOADS, and CHILDPROCS as appropriate
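The steps above and the count-based indicator in this section can be applied to exported Investigate results in bulk. The following is an added example, not code from the KB article or from Carbon Black: it builds the two queries from steps 3 and 4 and classifies constructed event rows by data stream. The field names `legacy` and `netconn_count` come from the article; the other `*_count` field names and the flat dict shape of an exported row are assumptions. The classifier generalizes step 4 slightly by treating any non-zero event count (not only network connections) as evidence of the ThreatHunter stream, and leaves rows with neither indicator as unknown rather than guessing.

```python
"""Classify Carbon Black Cloud process events by originating data stream.

Added example, not from the KB article or Carbon Black. Field names
`legacy` and `netconn_count` are taken from the article; the remaining
*_count field names are assumptions about the export/API row shape.
"""

# Assumed count field names; the article lists the categories
# (REGMODS, FILEMODS, NETCONNS, MODLOADS, CHILDPROCS), not the exact keys.
COUNT_FIELDS = (
    "regmod_count",
    "filemod_count",
    "netconn_count",
    "modload_count",
    "childproc_count",
)


def build_queries(device_id: int, process_name: str) -> dict:
    """Return the two Investigate queries from the article's steps 3 and 4."""
    base = f"device_id:{device_id} AND process_name:{process_name}"
    return {
        "cb_defense": f"{base} AND legacy:true",
        "cb_threathunter": f"{base} AND netconn_count:[1 TO *] AND -legacy:true",
    }


def _is_legacy(event: dict) -> bool:
    """Accept both a boolean and the string form an export may use."""
    return str(event.get("legacy", "")).strip().lower() == "true"


def classify_stream(event: dict) -> str:
    """Decide which stream a single event row came from.

    legacy:true            -> CB Defense stream
    any non-zero *_count   -> CB ThreatHunter stream (CB Defense rows
                              carry no counts, per the article)
    neither                -> 'unknown' (do not guess)
    """
    if _is_legacy(event):
        return "cb_defense"
    if any(int(event.get(field, 0) or 0) > 0 for field in COUNT_FIELDS):
        return "cb_threathunter"
    return "unknown"


def summarize(events) -> dict:
    """Tally how many rows fall into each stream category."""
    totals = {"cb_defense": 0, "cb_threathunter": 0, "unknown": 0}
    for event in events:
        totals[classify_stream(event)] += 1
    return totals


# Constructed sample rows standing in for an Investigate export.
SAMPLE_EVENTS = [
    {"device_id": 12345, "process_name": "powershell.exe", "legacy": True},
    {"device_id": 12345, "process_name": "powershell.exe", "legacy": False,
     "netconn_count": 3, "modload_count": 41},
    {"device_id": 12345, "process_name": "svchost.exe", "legacy": "false",
     "childproc_count": 2},
    {"device_id": 12345, "process_name": "notepad.exe", "legacy": False},
]


if __name__ == "__main__":
    for name, query in build_queries(12345, "powershell.exe").items():
        print(f"{name}: {query}")
    for event in SAMPLE_EVENTS:
        print(event["process_name"], "->", classify_stream(event))
    print(summarize(SAMPLE_EVENTS))
```

A row with `legacy:false` and no counts at all is reported as unknown on purpose: the article only says CB Defense rows lack counts, not that every ThreatHunter row has at least one, so such a row should be checked by hand in the console.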