Different event views provide different types of information, and cover different time windows.
The Threat Indicator view shows the most recent or most serious potential threats, so you might want to concentrate on this view first. Keep in mind, however, that the Threat Indicator view shows only matching events that occur after you enable one or more Indicator Sets.
For each event in the Threat Indicator view, both the Indicator Set and the Rule Name of the ATI that triggered the event are shown, so you can see which type of threat the rule identified. Because every event names its rule, this view is also where you trace over-reporting or false positives to the rule and the activity that cause them, which helps you decide whether to disable an entire Indicator Set or to create an exception for specific rules within it.
The Threat Report views use standard Carbon Black App Control events, including events recorded before you added the enhancement. They can report on matching events for the time period that you specify on the Max Age menu, whether or not any Indicator Sets are enabled. As in all event views, the maximum time frame for which threat events can be viewed is limited by the database trimming settings in effect for your Carbon Black App Control database.
The Description field is also useful for reviewing events. Depending on the event, the Description field can identify the file that was written, modified or deleted, the process that acted on the file, and other pertinent data. For example, events generated by the following ATIs might have these descriptions:

Rule Name | Sample Description
---|---
Suspicious executable based on name | File c:\documents and settings\user\temp\lexplore.exe was modified or deleted.
Unusual change to startup configuration | Modification of registry
Some of the description information is also available in specific fields that you can add to the view.
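The following Python script is an added example; it is not part of Carbon Black App Control or its documentation. It shows how an analyst might triage exported Threat Indicator view rows offline, covering both uses described above: it parses the "File ... was ..." shape of the Description field, flags file names that are one-character lookalikes of common Windows binaries (the kind of finding the "Suspicious executable based on name" rule points at, as with lexplore.exe), and counts hits per Indicator Set and Rule Name so that a single path responsible for most of a rule's hits can be handled with a rule exception rather than by disabling the whole Indicator Set. The sample rows, the Indicator Set names, the "Executable written by unknown process" rule, the paths and the list of imitated binaries are all constructed for the example; no export format, column layout or registry-event description shape of the real product is assumed.

```python
import re
from collections import Counter, defaultdict


# Constructed sample rows shaped like Threat Indicator view entries
# (Indicator Set, Rule Name, Description). The Indicator Set names, the
# "Executable written by unknown process" rule and every path are
# hypothetical; only the "File ... was modified or deleted." shape and the
# "Suspicious executable based on name" rule come from the documentation.
def _event(indicator_set, rule_name, path):
    return {"indicator_set": indicator_set, "rule_name": rule_name,
            "description": f"File {path} was modified or deleted."}


SAMPLE_EVENTS = (
    [_event("Suspicious Files", "Suspicious executable based on name",
            r"c:\documents and settings\user\temp\lexplore.exe")] * 2
    + [_event("Suspicious Files", "Suspicious executable based on name",
              r"c:\users\bob\downloads\svch0st.exe")]
    + [_event("Persistence", "Executable written by unknown process",
              r"c:\program files\acmebackup\agent.exe")] * 4
)

# "File <path> was <action>." with an optional trailing period; the path is
# matched non-greedily so it stops at the first " was ".
FILE_DESC_RE = re.compile(r"^File (?P<path>.+?) was (?P<action>[^.]+)\.?$",
                          re.IGNORECASE)

# Windows binaries that malware commonly imitates by name (assumed list).
KNOWN_BINARIES = ("iexplore.exe", "explorer.exe", "svchost.exe",
                  "lsass.exe", "csrss.exe")


def parse_description(description):
    """Extract path, base file name and action from a file-shaped description.
    Returns None for descriptions in another shape (e.g. registry changes)."""
    m = FILE_DESC_RE.match(description.strip())
    if not m:
        return None
    path = m.group("path")
    name = re.split(r"[\\/]", path)[-1].lower()
    return {"path": path, "name": name,
            "action": m.group("action").strip().lower()}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character name lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, known=KNOWN_BINARIES):
    """Return the known binary that `name` imitates (edit distance 1), else None."""
    name = name.lower()
    for legit in known:
        if name != legit and edit_distance(name, legit) == 1:
            return legit
    return None


def flag_lookalikes(events):
    """(file name, imitated binary) for every event whose file name is a lookalike."""
    hits = []
    for ev in events:
        parsed = parse_description(ev["description"])
        if parsed and (target := lookalike_of(parsed["name"])):
            hits.append((parsed["name"], target))
    return hits


def triage(events, min_hits=3, dominance=0.75):
    """Count hits per (Indicator Set, Rule Name). Where one path produces at
    least `dominance` of a rule's hits, suggest a rule exception for that path
    instead of disabling the whole Indicator Set."""
    counts = Counter()
    paths = defaultdict(Counter)
    for ev in events:
        key = (ev["indicator_set"], ev["rule_name"])
        counts[key] += 1
        parsed = parse_description(ev["description"])
        if parsed:  # registry-shaped descriptions are counted but not grouped
            paths[key][parsed["path"].lower()] += 1
    suggestions = []
    for key, total in counts.items():
        if total < min_hits or not paths[key]:
            continue
        path, n = paths[key].most_common(1)[0]
        if n / total >= dominance:
            suggestions.append({"indicator_set": key[0], "rule_name": key[1],
                                "path": path, "share": round(n / total, 2)})
    return counts, suggestions


if __name__ == "__main__":
    counts, suggestions = triage(SAMPLE_EVENTS)
    for (iset, rule), n in counts.most_common():
        print(f"{n:3d}  {iset} / {rule}")
    for s in suggestions:
        print(f"exception candidate: {s['rule_name']} on {s['path']} ({s['share']:.0%})")
    for name, target in flag_lookalikes(SAMPLE_EVENTS):
        print(f"lookalike: {name} imitates {target}")
```

With the constructed rows, the two lookalike hits on the "Suspicious executable based on name" rule are kept as findings, while the four hits on the same backup-agent path under the hypothetical persistence rule are reported as a candidate for a rule exception; `min_hits` and `dominance` are the knobs to tune for your own event volume.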