There are five sensor group settings that Red Canary recommends for optimal security and visibility.
- Tamper Checking
- Data Suppression
- Event Collection
- Server URL
- 3rd-Party Binary Sharing
See below for instructions for each configuration.
Tamper Checking
With tamper detection enabled, the sensor identifies attempts to modify its configuration and alerts on those attempts. Red Canary recommends that all sensor groups have this enabled.
How to enable tamper detection in Carbon Black Response:
Within your Carbon Black Response console, navigate to Sensors.
Select Edit Settings to bring up the Edit Group Settings menu and click Advanced.
Ensure Tamper Detection Level is switched on.
Data Suppression
It is possible to configure the Data Suppression Level to limit the amount of data sent from sensor to server. Red Canary does not recommend this. Note: with data suppression enabled, suppressed child process command lines are folded into the parent's cmdline field, so cmdline searches can return parent processes that did not themselves run the matched command. See "Parent cmdlines Include Suppressed childproc cmdlines" in the Carbon Black Response User Guide for more details.
Red Canary recommends that Data Suppression be set to None. To ensure this, within your Carbon Black Response server, navigate to Sensors > Edit Settings > Advanced and set the Data Suppression Level to None.
Event Collection
Similar to Data Suppression, it is possible to configure the types of data a Sensor Group collects. To ensure complete visibility, Red Canary recommends that all collection types be enabled.
To confirm this, within your Carbon Black Response server, navigate to Sensors > Edit Settings > Event Collection and ensure all boxes are selected.
Server URL
When creating a new sensor group in Carbon Black Response, it is important that you point the Server URL for all new groups at your default Server URL. The default Server URL for your instance of CbR can be found under the Default Group setting by navigating to Sensors > Edit Settings > General > Server URL:
Carefully copy the Server URL from the Default Group without saving this dialog box. Copy it exactly (scheme, host, port and any trailing slash), because if the Default Group URL is saved incorrectly, the sensors in that group lose contact with the server and you will have to re-deploy them.
Paste the URL into the Server URL field for all new and existing sensor groups so that data feeds correctly to Red Canary.
3rd-Party Binary Sharing
Verify that nothing is selected under Send Events or Analyze Unknown Binaries. This ensures that your data stays on your Carbon Black server only and is not shared with anyone else.
Also ensure that the Share Default settings are disabled.
Go to the HUD dashboard of your CbR server and change the #/hud portion of the URL to #/share. It should look like https://<your-shortcode>-cb.<your-portal-domain>/#/share. Scroll to the Endpoint Activity Sharing section at the bottom and toggle all options to Disabled.
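The five checks above are easy to drift on when a server has many sensor groups. The following audit script is an added example, not Red Canary's or Carbon Black's code: it takes a list of sensor group settings and reports every group that deviates from the recommendations (tamper detection on, data suppression None, all event collection enabled, Server URL identical to the Default Group's, all third-party sharing off). The key names (tamper_level, data_suppression_level, the collect_* booleans, sensorbackend_server, share_*) are assumptions modelled loosely on the JSON the CbR sensor group API returns; map them to whatever your server actually exposes. The sample groups at the bottom are constructed for illustration.

```python
"""Audit CbR sensor-group settings against the five Red Canary recommendations.

Added example, not vendor code. Key names are assumptions; adjust them to the
fields your Carbon Black Response server actually returns.
"""
from typing import Dict, List

# Event-collection switches that should all be enabled (assumed key names).
COLLECT_KEYS = (
    "collect_processes", "collect_moduleloads", "collect_filemods",
    "collect_regmods", "collect_netconns", "collect_cross_procs",
    "collect_storefiles", "collect_filewritemd5s",
)
# Third-party sharing switches that should all be disabled (assumed key names).
SHARE_KEYS = ("share_events", "analyze_unknown_binaries", "share_default")


def audit_group(group: Dict, default_url: str) -> List[str]:
    """Return findings for one group; an empty list means the group is compliant."""
    findings = []
    name = group.get("name", "<unnamed>")

    # 1. Tamper detection must be switched on.
    if not group.get("tamper_level"):
        findings.append(f"{name}: tamper detection is off")

    # 2. Data suppression must be None (anything else folds child cmdlines into parents).
    level = str(group.get("data_suppression_level", ""))
    if level.lower() != "none":
        findings.append(f"{name}: data suppression is {level!r}, expected None")

    # 3. Every event-collection type must be enabled.
    missing = [k for k in COLLECT_KEYS if not group.get(k)]
    if missing:
        findings.append(f"{name}: event collection disabled for {', '.join(missing)}")

    # 4. Server URL must match the Default Group byte for byte; a changed port
    #    or a stray trailing slash is exactly the copy error the guide warns about.
    url = group.get("sensorbackend_server", "")
    if url != default_url:
        findings.append(f"{name}: server URL {url!r} differs from default {default_url!r}")

    # 5. No third-party sharing.
    enabled = [k for k in SHARE_KEYS if group.get(k)]
    if enabled:
        findings.append(f"{name}: third-party sharing enabled: {', '.join(enabled)}")
    return findings


def audit_groups(groups: List[Dict]) -> List[str]:
    """Audit every group, taking the Server URL of 'Default Group' as the reference."""
    defaults = [g for g in groups if g.get("name") == "Default Group"]
    if len(defaults) != 1:
        return ["expected exactly one group named 'Default Group'"]
    default_url = defaults[0].get("sensorbackend_server", "")
    findings: List[str] = []
    for g in groups:
        findings.extend(audit_group(g, default_url))
    return findings


# Constructed sample data (not from any real server).
_ALL_COLLECT = {k: True for k in COLLECT_KEYS}
_NO_SHARE = {k: False for k in SHARE_KEYS}
SAMPLE_GROUPS = [
    {"name": "Default Group", "tamper_level": 1, "data_suppression_level": "None",
     "sensorbackend_server": "https://acme-cb.example.com:443",
     **_ALL_COLLECT, **_NO_SHARE},
    # A drifted group: tamper off, suppression Low, one collection type off,
    # URL copied with a trailing slash, and event sharing left on.
    {"name": "Servers", "tamper_level": 0, "data_suppression_level": "Low",
     "sensorbackend_server": "https://acme-cb.example.com:443/",
     **_ALL_COLLECT, "collect_netconns": False,
     **_NO_SHARE, "share_events": True},
]

if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_GROUPS):
        print(finding)
```

Run it against the JSON of your own groups rather than the constructed sample; any non-empty output is a group to fix in Sensors > Edit Settings before it silently under-reports to Red Canary.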