On the console Events page, suspicious or threatening activity is reported in several Saved Views, some of which require Indicator Set activation and some of which use other data.

To view threat reports on the Events page, click Reports>Events in the console menu, and click the Threat view on the Saved Views menu.

The following Saved Views are threat-related:

  • Threat Indicators – This view shows threats detected by the enabled ATIs in the Indicator Sets on Carbon Black App Control-managed computers. If no Indicator Sets are enabled, this view is empty. See Reviewing Threat Event Reports.
  • Threat Indicators - Legacy – This view shows threats detected by the ATIs that were installed in releases prior to v7.2.0. If you did not install the Detection Enhancement in a prior release, this view is empty.
  • Threat Report - Suspicious Executable Created by Shell – This view shows events in which certain executable files are created by cmd.exe or powershell.exe in locations such as the system directory, Recycle Bin, or AppData.
  • Threat Report – Suspicious Files by Location – This view shows events in which a file is first seen or executed on any computer, or first appears (unapproved) on at least one computer, in an unusual, suspicious location. An example is unexpected file activity in the Recycle Bin.
  • Threat Report – Suspicious Files by Name –This view shows events in which a file is first seen or executed on any computer, or first appears (unapproved) on at least one computer, with a suspicious name. This is often a name similar to the name of a legitimate Windows file. For example, discovery of a file named svch0st.exe (using zero in place of the lowercase o in svchost.exe) would display in this event view.
  • Threat Report – Suspicious Files by Parent – This view shows events in which an unknown or low prevalence executable file is written by a program that does not normally create such files. Example: an executable file created by Adobe Reader. This event is often indicative of a malformed- or malicious-PDF-style attack.