There are four triggering criteria that can be enabled in the Computer Security Alert - by default, all are enabled when you enable the alert itself.
The criteria that triggers a security alert is identified in Summary
field on the Alert Instance page, and in the email notification (if enabled) sent due to the alert.
The criteria for triggering a Security Alert are:
- Computer not protected – This condition occurs if an agent upgrade fails. It means that the agent is not running on the identified computer, and so the computer is not protected by Carbon Black App Control (the Connection status indicator for this computer on the Computers page displays in red). Restoring the agent to proper operation automatically resets the alert.
- Agent tampering detected – If agent tamper protection is accidentally disabled through the console and a user on a computer running the agent modifies the agent folder, the Computer Security Alert is trigged with the summary description "Agent tampering detected". As soon as an administrator re-enables the tamper protection for the agent, this alert is automatically reset.
- Agent tampering prevented – If a user on an agent-managed computer attempts to tamper with the agent and fails, the Computer Security Alert is triggered with the summary description "Agent tampering prevented". An example of this might be a user attempting to copy files to the agent folder (Bit9\Parity Agent) but failing because of tamper protection. Another example might be unauthorized attempts to run special agent management commands (that is, without a correct password). When this condition triggers the alert, the alert must be reset manually.
- Computer clock out of sync – One way to attempt to run malware or other unauthorized files without detection is to change the clock on the targeted system to create an invalid timestamp. The agent still detects and reports a file execution under these circumstances, but generates a Computer Security Alert with the summary description "Computer clock out of sync" as soon as the discrepancy between the Carbon Black App Control Server clock and the agent clock is detected. Correcting the system time on the computer that is the source of the unauthorized activity allows this alert to be reset by the next event received by the Carbon Black App Control Server.
When a Computer Security Alert is enabled, any of the enabled criteria on any computer triggers it. While the alert is triggered, additional cases of the triggering condition on the same computer are recorded in the history, but do not create another alert instance. If the same computer reports an event that meets a different triggering condition, another instance is displayed. For example, two failed attempts at tampering do not create two alert instances unless the alert is reset between them. However, an attempt to tamper followed by a clock out of sync on the same computer does create two different alert instances.
As with all alerts, each instance results in an email notification, if notification is enabled and properly configured. Both the Alert Instance displayed in the console and the email notification of the alert contain the security event description, the name of the computer on which it happened, and the time of triggered instance.