• Last Updated
    Mar 18, 2025
  • Version
    1.2.0
  • Compatibility
    ThreatQ Versions >= 5.12.1
  • VMware Carbon Black EDR Action Bundle

    ThreatQuotient

    Overview

    VMware Carbon Black EDR is an incident response and threat hunting solution designed for Security Operations Center teams with offline environment requirements. VMware Carbon Black EDR continuously records and stores endpoint activity data so security professionals can hunt threats in real time and visualize the complete attack kill chain, using the VMware Carbon Black Cloud’s aggregated threat intelligence.

    The VMware Carbon Black EDR Action Bundle installs the following actions:

    • VMware Carbon Black EDR - Process Enrichment - submits indicators to VMware Carbon Black EDR to be enriched with related threat intelligence.
    • VMware Carbon Black EDR - Export Indicators - exports indicators to the VMware Carbon Black EDR platform.
    • VMware Carbon Black EDR - Override Reputation - overrides the reputation for banned applications using a SHA-256 hash or path to a known IT tool application.
    • VMware Carbon Black EDR - Manage XDR Network Data Collection - adds approved IP addresses to XDR Network Data Collection at the organization level.

    The actions are compatible with the following indicator types:

    • CIDR Block (Manage XDR Network Data Collection action)
    • MD5 (Process Enrichment and Export Indicators actions)
    • SHA-256 (Override Reputation action)
    • Filename (Override Reputation action)
    • File Path (Override Reputation action)
    • IP Address (Manage XDR Network Data Collection action)
    • IPv6 Address (Manage XDR Network Data Collection action)

    The File Hash Enrichment action returns the following enriched system objects:

    • Indicators
    • Exploit Target
      • Exploit Target Attributes
    • Events
      • Event Attributes

    Note: This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.

    Copyright © 2025, ThreatQuotient, Inc. All Rights Reserved.