Carbon Black collects and processes data to give you a better security view of what is happening on your endpoints. By data, I mean a lot of data! Processes, modules loaded, files modification, registry modification, and network traffic.
Carbon Black organizes all of this data so you can quickly make decisions about potential security risks.
With Carbon Black, the data is all yours. You have access to it through the Carbon Black REST API.
Let’s take a look at how we can use some of this data, via the exposed Carbon Black API, to expand on the user interface that Carbon Black provides.
In this example, we are going to be looking at file modifications.
Carbon Black collects all of the file creations, writes, and deletions that occur on your endpoints. We can visualize these modifications in a tree view—similar to what you see when you open Windows Explorer and navigate through the folders and files on your computer.
To be clear, although we can use a tree view, this is a different data set than you get from looking at the file system with Windows Explorer. In that case, you see the files in the context of the directory structure as it exists right now.
With Carbon Black and its historical record, we can view files in the context of the directory structure as it has changed over time.
The .NET Client for Carbon Black API, introduced in November, makes this quite easy to do. At a high level, we just need to query all of the process events for a host and report the file modification events in a tree view. This enables us to create a view of a “virtual” file system that represents the file changes on an endpoint running Carbon Black.
If you would like to follow along at home, this example application is located on the Carbon Black GitHub.
If you run this in your environment, set the Carbon Black server options and endpoint hostname at the top of the window, and click the “Load Sensor File System” button.
You will then see the tree populated in real time as the example application is querying the Carbon Black API for the file modification events. You can then navigate through the directory structure, just as you would with Windows Explorer.
This example application was written with .NET, but it takes advantage of the Carbon Black REST API. A similar application can be written with any other language utilizing the same API calls.
This is just another example of what we can do with the endpoint data that Carbon Black collects. Play with the code. Play with the API. I bet you will discover new ways to leverage Carbon Black to provide better visibility and response capabilities for your organization.