In this section, we will learn about Threat Hunting using Carbon Black Cloud
1. Select the Alerts section and search for the device (hostname) you wrote down in the previous step.
Note: Carbon Black is set to a Detection-only policy for demonstration purposes. The initial stages of this attack could have been prevented by leveraging Carbon Black prevention policies.
2. [optional] You can review the alerts shown in Carbon Black for this device.
3. Priority logic encourages us to start with Severity 10 alerts. Optionally, you can use the Priority filter to show only alerts with severity 10.
After filtering, you might be left with more than one Severity 10 alert. Looking at the Type of the alerts, we see CB Analytics and Watchlists. To learn more about the difference: VMware Docs Link.
4. Click on Alert Triage for the alert with the reason "A known Ransomware virus was detected running."
Process Map Review
5. You can go through each node (process) and review the process map.
"A picture is worth a thousand words"
6. For further investigation of this alert, click on the Investigate button for this alert.
In Investigate, we get complete telemetry data from the device to formulate our next steps. This helps reduce the mean time to respond to cyber threats by minimizing their dwell time in your environment.
7. Click on Process Analysis for the event for further investigation.
8. You can click on parent process nodes until you see outlook.exe, then expand the other child processes to get a complete picture of the attack.
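The triage flow in steps 3 through 8 (filter to Severity 10, look at alert type, climb the parent chain to outlook.exe, then expand every child) can be modelled offline. The script below is an added example written for this page; it is not Carbon Black Cloud code and does not call the CBC API. The alert records and process telemetry are constructed sample data, the field names (`severity`, `type`, `device_name`, `process_guid`) are assumptions loosely mirroring the console's alert columns, and `ransom.exe` is a placeholder name for the detected binary.

```python
from collections import defaultdict

# Constructed sample alerts. Field names mimic the console's alert columns
# (severity, type, device name, reason) but are assumptions, not CBC API output.
SAMPLE_ALERTS = [
    {"id": "a1", "severity": 10, "type": "CB_ANALYTICS", "device_name": "WS-LAB-01",
     "reason": "A known Ransomware virus was detected running.", "process_guid": "p5"},
    {"id": "a2", "severity": 10, "type": "WATCHLIST", "device_name": "WS-LAB-01",
     "reason": "Watchlist hit on script interpreter", "process_guid": "p4"},
    {"id": "a3", "severity": 4, "type": "CB_ANALYTICS", "device_name": "WS-LAB-01",
     "reason": "Unsigned binary executed", "process_guid": "p3"},
    {"id": "a4", "severity": 10, "type": "CB_ANALYTICS", "device_name": "WS-LAB-02",
     "reason": "A known Ransomware virus was detected running.", "process_guid": "p9"},
]

# Constructed process telemetry: guid -> (process name, parent guid).
SAMPLE_PROCESSES = {
    "p1": ("explorer.exe", None),
    "p2": ("outlook.exe", "p1"),
    "p3": ("winword.exe", "p2"),
    "p4": ("powershell.exe", "p3"),
    "p5": ("ransom.exe", "p4"),      # constructed placeholder name for the detected binary
    "p6": ("cmd.exe", "p5"),
    "p7": ("notepad.exe", "p2"),
}


def prioritize_alerts(alerts, device_name, min_severity=10):
    """Step 3: keep alerts for one device at or above min_severity, highest severity first."""
    kept = [a for a in alerts if a["device_name"] == device_name and a["severity"] >= min_severity]
    # CB Analytics alerts sort before Watchlist hits so the lab's ransomware alert comes first.
    return sorted(kept, key=lambda a: (-a["severity"], a["type"] != "CB_ANALYTICS", a["id"]))


def count_by_type(alerts):
    """Summarise how many alerts of each type (CB_ANALYTICS / WATCHLIST) remain after filtering."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["type"]] += 1
    return dict(counts)


def ancestry(processes, guid, stop_at="outlook.exe"):
    """Step 8, first half: follow parent links upward from guid until stop_at (or the root).
    Returns the chain of guids starting at the alerted process. The 'seen' set guards
    against malformed telemetry that contains a parent cycle."""
    chain, seen = [], set()
    while guid in processes and guid not in seen:
        seen.add(guid)
        chain.append(guid)
        name, parent = processes[guid]
        if name.lower() == stop_at.lower():
            break
        guid = parent
    return chain


def render_tree(processes, root_guid, flag_guid=None):
    """Step 8, second half: expand every child under root_guid depth-first, one line per
    process, indented by depth. The alerted process is marked with '<-- alert'."""
    children = defaultdict(list)
    for g, (_, parent) in processes.items():
        if parent is not None:
            children[parent].append(g)
    lines = []

    def walk(g, depth, seen):
        if g in seen:
            return
        seen.add(g)
        mark = "  <-- alert" if g == flag_guid else ""
        lines.append("  " * depth + processes[g][0] + mark)
        for c in sorted(children[g]):
            walk(c, depth + 1, seen)

    walk(root_guid, 0, set())
    return lines


def triage(alerts, processes, device_name):
    """Steps 3-8 end to end: pick the top alert, climb to outlook.exe, expand the whole tree.
    Returns None when the device has no alert at the required severity."""
    ranked = prioritize_alerts(alerts, device_name)
    if not ranked:
        return None
    top = ranked[0]
    chain = ancestry(processes, top["process_guid"])
    root = chain[-1] if chain else None   # empty chain: telemetry for that process is missing
    return {"alert": top["id"], "reason": top["reason"],
            "chain": [processes[g][0] for g in chain],
            "map": render_tree(processes, root, flag_guid=top["process_guid"]) if root else []}


if __name__ == "__main__":
    print(count_by_type(prioritize_alerts(SAMPLE_ALERTS, "WS-LAB-01")))
    result = triage(SAMPLE_ALERTS, SAMPLE_PROCESSES, "WS-LAB-01")
    print(result["reason"])
    print(" -> ".join(result["chain"]))
    print("\n".join(result["map"]))
```

Running the script prints the per-type count of remaining Severity 10 alerts, the parent chain from the detected binary up to outlook.exe, and the indented process map rooted at outlook.exe with the alerted node marked. The `seen` sets in `ancestry` and `render_tree` matter in practice: real telemetry can be incomplete or contain reused identifiers, and a tree walker without them can loop forever.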