With Carbon Black on our endpoints, we were able to detect and block bitcoin mining software that wasn't even detected by our AV software. Using a score from the VirusTotal threat feed, Carbon Black alerted us to the malware. Carbon Black showed us in detail how the exe was spawned, which processes were involved, and that it was communicating with an external IP address. Through the Carbon Black console, we were able to connect to the machine and delete the exe. Then we set the file (hash) to be banned; this way, any endpoints in the future would not be able to run this process, keeping our enterprise free of this resource-stealing bit mining. This is just one real-world example of how Carbon Black has paid for itself in our environment.
There isn't too much to dislike, but if I had to pick, it would probably be the console. It could be a little more user intuitive, but we are sending our CB data to Splunk, so we use the console minimally.
Test CB out in a POC and you are sure to realize its ROI.
Threat hunting and detection and banning hashes are all uses of CB.