We would like to search for Tamper Detection Process Events.
VMWare Carbon Black EDR (Carbon Black Response)
Tamper Detection monitors for attempted changes to the Carbon Black configuration, running sensor process, or unloading of CB drivers. Something of note: Whenever a Sensor diagnostic is run, Tamper Events will be recorded. These Events are given a low "Carbon Black Endpoint Tamper Detection Score", but they are recorded nonetheless.
In order for Tamper Detection to function, the following settings need to be enabled:
- The "Tamper Detection" setting found in Sensors > [Sensor Group Name] > Edit Group > Advanced needs to be set to "Detection." When the "Tamper Protection Level" is set to "Detection" the sensor identifies attempts to modify the sensor configuration or memory and alerts on these attempts. NOTE: All Red Canary hosted Carbon Black Response Servers have this setting configured by default.
- Next, the "Tamper Detection" Threat Intelligence feed needs to be enabled. NOTE: This is also set by default on all Red Canary hosted Carbon Black Response Servers.
To see Tamper Detection Events that have been reported in the Process Search page, click on the "Add Search Terms" link, click on the "Choose Criteria" drop-down, select the "Primary" Category, then select the "Tamper Events" Criteria.
- Finally, make sure the Value is set to "True" and then click "Add Terms"