TestDrive

Threat Hunting Overview using Carbon Black Cloud


In this section, we will learn about Threat Hunting using Carbon Black Cloud

1. Search Device

  1. Select the Alerts section and search for the device (hostname) you wrote down in the earlier section.

2. Review Alerts

Note: Carbon Black is set to Detection only policy for demonstration purposes. Initial stages of this attack could have been prevented leveraging Carbon Black prevention policies.

2. [optional] You can review the alerts shown in Carbon Black for this device.

3. Priority logic encourages us to start with Severity 10 alerts. Optionally, you can use the Priority filter to show only alerts with severity 10.

3. Alert Triage

After filtering, you might be left with more than one Severity 10 alert. Looking at the Type column of the alerts, we see CB Analytics and Watchlists.

4. Click on the Alert Triage for the alert with the reason "A known Ransomware virus was detected running."

4. Process Map Review

5. You can go through each node (process) and review the process map.

"A picture is worth a thousand words"

5. Investigate Further

6. For further investigation of this alert, click the Investigate button on the alert.

6. Process Analysis

In Investigate, we get the complete telemetry data from the device to formulate our next steps. This helps reduce the mean time to respond to cyber threats by minimizing their dwell time in your environment.

7. Click on Process Analysis for the event to investigate further.

7. Review Attack

8. You can click on parent process nodes until you see outlook.exe, and expand the other child processes to get a complete picture of the attack.
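The triage flow from steps 1 through 8 (Severity 10 alerts for one device, split by CB Analytics and Watchlist type, select the ransomware alert, then follow parent processes back to outlook.exe), reproduced offline as an added example that is not code from the TestDrive page or from Carbon Black. The alert records, process tree, hostnames and field names are constructed assumptions, not values from the live console or Alerts API.

```python
# Added example, not code from the TestDrive page or from Carbon Black.
# Reproduces the walkthrough's triage offline: Severity 10 alerts for one
# device, grouped by type (CB Analytics vs Watchlist), select the ransomware
# alert, then walk its process lineage up to the parent that started the
# chain (outlook.exe in the lab). Alert records and process tree are
# constructed sample data; field names are an assumption, not the live API.
from collections import defaultdict

ALERTS = [  # constructed, in the rough shape of alert search results
    {"id": "a1", "device_name": "WIN10-LAB01", "severity": 10, "type": "CB_ANALYTICS",
     "reason": "A known Ransomware virus was detected running.", "process_guid": "p4"},
    {"id": "a2", "device_name": "WIN10-LAB01", "severity": 10, "type": "WATCHLIST",
     "reason": "Watchlist hit: suspicious PowerShell download cradle", "process_guid": "p3"},
    {"id": "a3", "device_name": "WIN10-LAB01", "severity": 6, "type": "CB_ANALYTICS",
     "reason": "An application ran an unsigned binary.", "process_guid": "p2"},
    {"id": "a4", "device_name": "OTHER-HOST", "severity": 10, "type": "CB_ANALYTICS",
     "reason": "A known Ransomware virus was detected running.", "process_guid": "p9"},
]
# constructed process tree: guid -> (process name, parent guid); root has None
PROCESSES = {
    "p1": ("outlook.exe", None),
    "p2": ("winword.exe", "p1"),
    "p3": ("powershell.exe", "p2"),
    "p4": ("ransom.exe", "p3"),
}

def severity10_by_type(alerts, hostname):
    """Steps 1-3: alerts for this device, Severity 10 only, grouped by alert type."""
    groups = defaultdict(list)
    for a in alerts:
        if a["device_name"] == hostname and a["severity"] == 10:
            groups[a["type"]].append(a)
    return dict(groups)

def pick_ransomware_alert(alerts, hostname):
    """Step 4: the Severity 10 alert whose reason names a known ransomware detection."""
    for group in severity10_by_type(alerts, hostname).values():
        for a in group:
            if "ransomware" in a["reason"].lower():
                return a
    return None

def lineage(process_guid, processes=PROCESSES):
    """Steps 7-8: follow parent links from the alerted process up to the root."""
    chain, seen = [], set()
    while process_guid is not None and process_guid not in seen:  # guard bad data
        seen.add(process_guid)
        name, process_guid = processes[process_guid]
        chain.append(name)
    return chain  # ['ransom.exe', 'powershell.exe', 'winword.exe', 'outlook.exe']
```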

8. Review Attack (contd.)

