Using Carbon Black Response

Carbon Black (Cb) Response collects two types of IP address information from endpoints:

  1. IP and MAC addresses associated with network adapters
  2. The routable IP address from which the endpoint communicated during check-in

IP and MAC addresses associated with network adapters

When an endpoint checks in, it sends health and configuration-related information to the Cb Response server. Included in this information is a list of IP and MAC addresses associated with active network adapters. 

To view this information in Cb Response, search for the hostname and open its sensor details page.

Note that only the most recently received information will be reflected in Cb Response.

Routable IP addresses

When an endpoint submits process data to the Cb Response server, the server records the routable IP address from which the communication occurred. Because endpoints may be mobile, and because the routable IP address used to communicate with the server may change more frequently than the network adapter IP address, Cb Response associates this information with each process. 

From the sensor detail page in Cb Response, you can click through to view related processes.

You can then view the routable IP address associated with the endpoint by analyzing any of the endpoint's process details.
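An added example (not from the original article or from Carbon Black): because the routable IP address is recorded per process, while adapter details reflect only the most recent check-in, exported process records can be collapsed into a timeline of where a mobile endpoint was communicating from. The record layout and field names (`hostname`, `start`, `routable_ip`) are assumptions, and the sample data is constructed.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed sample records; the field names are assumptions for this example,
# not a documented Cb Response export format. Records are deliberately unordered.
SAMPLE = [
    {"hostname": "LAPTOP-01", "start": "2019-03-04T13:15:42", "routable_ip": "203.0.113.7"},
    {"hostname": "LAPTOP-01", "start": "2019-03-04T09:02:11", "routable_ip": "198.51.100.20"},
    {"hostname": "SERVER-01", "start": "2019-03-04T10:00:00", "routable_ip": "192.0.2.10"},
    {"hostname": "LAPTOP-01", "start": "2019-03-04T18:30:05", "routable_ip": "198.51.100.20"},
    {"hostname": "LAPTOP-01", "start": "2019-03-04T09:40:57", "routable_ip": "198.51.100.20"},
]

def routable_ip_timeline(records):
    """Collapse per-process records into per-host runs of the same routable IP."""
    timeline = {}
    ordered = sorted(records, key=lambda r: (r["hostname"], datetime.fromisoformat(r["start"])))
    for rec in ordered:
        ts = datetime.fromisoformat(rec["start"])
        ip = str(ip_address(rec["routable_ip"]))  # raises ValueError on a malformed address
        runs = timeline.setdefault(rec["hostname"], [])
        if runs and runs[-1]["ip"] == ip:
            # Same routable IP as the previous process: extend the current run.
            runs[-1]["last_seen"] = ts
            runs[-1]["processes"] += 1
        else:
            # Routable IP changed (or first record for this host): start a new run.
            runs.append({"ip": ip, "first_seen": ts, "last_seen": ts, "processes": 1})
    return timeline

def routable_ip_at(timeline, hostname, when):
    """Return the routable IP of the latest run that began at or before `when`, else None."""
    ts = datetime.fromisoformat(when)
    current = None
    for run in timeline.get(hostname, []):
        if run["first_seen"] > ts:
            break
        current = run["ip"]
    return current

if __name__ == "__main__":
    for host, runs in routable_ip_timeline(SAMPLE).items():
        for run in runs:
            print(host, run["ip"], run["first_seen"], run["last_seen"], run["processes"])
```

A return to a previously seen address appears as a separate run, so the timeline preserves the order in which the endpoint moved between networks.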
