Carbon Black Cloud Enterprise EDR

Query’s integration with Carbon Black Cloud Enterprise EDR allows analysts to do the following:

  • Retrieve user detail information (Email Address, username).
  • Retrieve user device information (IP Address, Hostname).
  • Retrieve malicious file information &  details (file name, hash value).
  • Retrieve security finding information when malicious activity is detected (title, event time, event name, severity, etc).

For example, the analyst could obtain the following context:

  • Searching by the user’s hostname, i.e. hostname equals barbs_computer, the response would contain any malicious activity (Security Event) that has been detected by SentinelOne Singularity Platform.
  • Searching by a device’s IP, i.e. IP equals x.x.x.x , the response would provide all the usernames and hostnames that have been associated with that IP address and malicious activity.

To integrate Carbon Black Cloud Enterprise EDR, see integration documentation here.

The integration will normalize data pulled from Carbon Black Cloud Enterprise EDR into Query’s OCSF based Query Data Model (QDM) which then enables cross-platform joins, compounding the analyst’s ability to investigate. Query normalizes Carbon Black data into QDM User, Device, Malware, and numerous other objects, and Security Finding events. Analysts can see key attributes like hostname, IP Address, state of any malicious activity, DNS hostnames, and subnet in the QDM device, security finding, and observables objects..

With the federated join capabilities, the analyst can now see context on that entity pulled from additional data sources Query is integrated with.

Based upon additional integrations in your environment, Query can show you:

  • Suspected IP addresses joined with Threat Intelligence data.
  • Additional alerts correlated with the user or the device, such as based upon email, web, or file activity.
  • Relevant follow up searches to get vulnerability, malware, and threat intelligence information associated with related entities like files, processes, and applications on that device.