Carbon Black Cloud: Is all Windows API activity captured?



Article ID: 292598


Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

Since malware can use Windows API calls to perform malicious activity, are all APIs monitored?

Environment

  • Carbon Black Cloud (formerly PSC) Console: All Supported Versions
    • Endpoint Standard (formerly CB Defense)
    • Enterprise EDR (formerly CB ThreatHunter)
    • Workload (formerly CB Defense for VMware + VMware AppDefense)
    • Audit and Remediation (formerly CB LiveOps)
  • Microsoft Windows: All Supported Versions

Resolution

Sensor 3.8 and Above
  • Starting with Sensor Version 3.8, Enterprise EDR (EEDR) Windows sensors detect and report the API information associated with Windows cross-process events (previously available only in Endpoint Standard-enabled environments). Users can now search on crossproc_api events within the admin console in EEDR-only environments.
Sensor 3.7 and Below
  • It is not possible to monitor all APIs in Sensor Version 3.7 and below. The sensor monitors all behavior, and the related TTPs will be captured.

Additional Information

Although a subset of monitored APIs can be exposed with the search field crossproc_api, API-specific monitoring will be avoided going forward in future sensor versions.