Does the EDR Sensor Collect Events from cb.exe?
Article ID: 373416
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
Does the sensor's user process, cb.exe, also collect events for itself?
Environment
- Carbon Black EDR Sensor: All Versions
- Microsoft Windows: All Supported Versions
Resolution
By default, the only events collected for the cb.exe user process are netconns and childprocs.
To collect all events from the cb.exe process:
- Open regedit
- Go to HKLM\SOFTWARE\CarbonBlack\config
- Edit the CollectSensorOperations config (DWORD) and set it to 1
- Restart sensor services
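The same steps as a script for hosts where opening regedit by hand is impractical. This is an added example, not Carbon Black's own tooling. The service name `CarbonBlack` is an assumption (the article only says "sensor services"), so confirm it with `Get-Service` first. Save it under any file name and run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the regedit steps in this article.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet(0, 1)]
    [int]$Value = 1,                      # 1 = collect all events from cb.exe
    [string]$ServiceName = 'CarbonBlack'  # ASSUMPTION: verify with Get-Service
)

$key  = 'HKLM:\SOFTWARE\CarbonBlack\config'
$name = 'CollectSensorOperations'

if (-not (Test-Path -LiteralPath $key)) {
    throw "Registry key '$key' not found; is the EDR sensor installed?"
}

# Read the current state; the value may not exist yet.
$regKey  = Get-Item -LiteralPath $key
$current = $regKey.GetValue($name, $null)
$kind    = if ($null -ne $current) { $regKey.GetValueKind($name) } else { 'absent' }
Write-Verbose "Current $name = $current ($kind)"

# Idempotent: skip the write and the restart when nothing would change.
if ($current -eq $Value -and $kind -eq 'DWord') {
    Write-Output "$name is already $Value (DWORD); nothing to change."
    return
}

if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Value")) {
    # -Force overwrites an existing value and guarantees the DWORD type.
    New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

if ($PSCmdlet.ShouldProcess($ServiceName, 'Restart sensor service')) {
    # Last step of the article: restart the sensor services.
    Restart-Service -Name $ServiceName -ErrorAction Stop
}

# Confirm what is now stored (unchanged when run with -WhatIf).
$now = (Get-Item -LiteralPath $key).GetValue($name, $null)
Write-Output "$name is now: $now"
```

Run it with `-WhatIf` to preview the change, or with `-Value 0` to return to the default behaviour of collecting only netconns and childprocs.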
Additional Information
- There is no configuration setting in the console for this.
- Tracking the cb.exe process can create additional noise and potentially reduce retention.