Alerts notify you of important activities that are monitored by Carbon Black App Control, such as the appearance or spread of risky files on endpoints.
When conditions specified in an alert are met, notifications can be provided in the following ways:
-
Notification in Console Banner – If any alerts are triggered, indicators appear on all console pages in the upper right above the console menu. Three symbols represent different alert priorities, and the number of triggered alerts in each category is shown to the right of its symbol. See Alert Priority for more on details on priority.
Hovering the mouse cursor over a symbol or the number to its right shows a tooltip that describes either the type of alert (if there is only one in that priority) or its priority. Clicking the symbol or number opens the Alert Instances page if one alert is triggered or the Alerts page filtered to show those alerts if more than one alert is triggered at that priority level.
- Email Notification – Email notification about the event(s) triggering the alert goes to a list of subscribers.
- Alerts Page Row Highlighting – On the Alerts page, the row for each triggered alert is highlighted with the highlight color indicating the alert priority (red for high, orange for medium, yellow for low).
- Home Page and other Dashboards – All currently triggered alerts appear in the Alerts portlet, which is part of the default console Home Page and can be added to other Dashboards. This portlet also uses the color and symbol coding for alert priority.
You can reset an alert when you no longer want to be notified about it. This action removes the warning banners on the Alerts and Home pages (and any dashboard with the Triggered Alerts portlet), and if you have enabled automatic re-sends of alert email, it stops those. If the conditions that triggered the alert reoccur, another alert is triggered. If the conditions that caused the Alert cease to exist, the Alert is auto-reset to a non-triggered state (see How Alerts are Triggered for details).
An Alert History is kept for each alert, and this history is modified as alerts are triggered and reset.
There are two top-level classes of alerts:
- Built-in Alerts – The following table shows the alerts preconfigured and listed by default in the console.
- User-Created Alerts – You can create and edit alerts through the Alerts page; these actions are described in Creating Alerts.
The Alerts page lists all currently available alerts, including built-in and user-created, and both enabled and disabled alerts.
Alert |
Description |
---|---|
Database Limit Alert |
SQL Express database size reaches its specified limit (varies depending upon SQL edition). Only active if you have installed SQL Server Express edition (not a full SQL version). Always enabled (cannot be disabled). |
Backup Missed Alert |
Database backup was scheduled but missed. Enabled by default, but can be disabled. |
Database Verification Failed |
Carbon Black App Control database is corrupt. If triggered, contact VMware Carbon Black Support. Always enabled (cannot be disabled). |
Potential Risk File Detected |
A file on an computer monitored by an agent is considered potentially malicious by Carbon Black File Reputation or another connected security device or service. Disabled by default. |
Malicious File Detected |
A file on a computer monitored by an agent is considered malicious by Carbon Black File Reputation or another connected security device or service. Can be configured to ignore banned or approved files. Disabled by default. |
Elevated Privilege: Install Mode |
A computer remains in local approval mode longer than a specified time period. The default is one hour, but can be modified. No computer should remain in approval mode longer than is necessary to install software. |
Carbon Black File Reputation Unavailable Alert |
Carbon Black File Reputation tasks are not performed during a period of time specified in the alert. The default period is three hours, but you can modify this. Enabled by default if integration with Carbon Black File Reputation is activated (and cannot be disabled). Disabled if Carbon Black File Reputation integration is not activated. Once triggered, the alert remains in effect until all standard Carbon Black File Reputation tasks are restored to normal operation. It can be manually reset, but will trigger again after the specified period if the conditions that caused the alert still exist. The conditions that trigger this alert also add a notification that Carbon Black File Reputation is unavailable to the System Configuration>Licensing page. |
Approval Request Alert |
More than the specified number of approval requests are in New or Open state. Requests older than one week and Closed requests are not considered when triggering this alert. After it is triggered, the alert remains in place until it is manually reset or enough requests are Closed to bring the total below the threshold. Enabled by default. |
Justification Alert |
More than the specified number of justifications are created for files that endpoint users allow to run. Justifications older than one week are not considered when triggering the alert. After it is triggered, the alert remains in place until it is manually reset or enough justifications are Closed to bring the total below the threshold. Enabled by default. |
Updater Modified Alert |
An updater is created, modified or deleted by Carbon Black File Reputation. Always enabled (cannot be disabled). Automatic updater management by Carbon Black File Reputation must be enabled on the Advanced Options tab of the System Configuration page. |
Rapid Config Alert |
Alerts subscribers when a Rapid Config is created, modified or deleted by Carbon Black File Reputation. Disabled by default. Automatic Rapid Config management by Carbon Black File Reputation must be enabled on the Advanced Options tab of the System Configuration page. |
Computer Security Alert |
Suspicious behavior is detected on a computer. Triggering conditions include detection of a computer that is unprotected due to an upgrade failure, agent tampering detected or prevented, and a computer clock out of sync with the Carbon Black App Control Server. Always enabled (cannot be disabled). See Detecting Agent Issues with Computer Security Alerts for more details on these alerts. |
New Certificate Alert |
A file with a certificate for a publisher not yet listed in the console is discovered, or a new certificate is imported directly into the Carbon Black App Control Server. By default, this alert is triggered when a new certificate for any publisher is detected. However, it can be configured to trigger only for new certificates for specific publishers. If set to Specific Publisher, you must provide a string that matches all or part of the name of the publisher for which you want alerts. For example, if you provide “Apple” as the string, it will alert you about new certificates whose publisher is identified as “Apple”, “Apple, Inc.”, “Big Apple, Ltd.”, etc. You can add multiple publishers (or partial names) to the alert. Requires v7.0.1 or later agent. Disabled by default. |
Revoked Certificate Alert |
A certificate known to this Carbon Black App Control Server is revoked. By default, this alert is triggered when a certificate for any publisher is revoked. However, it can be configured to trigger only for specific publishers. If set to Specific Publisher, you must provide a string that matches all or part of the name of the publisher for which you want alerts. For example, if you provide “Apple” as the string, it will alert you about revoked certificates whose publisher is identified as “Apple”, “Apple, Inc.”, “Big Apple, Ltd.”, etc. You can add multiple publishers (or partial names) to the alert. Requires v7.0.1 or later agent. Disabled by default. |
Indicator Set Alert |
A detection indicator set is created, updated, or deleted. |
System Health OER Alert |
The environment for this Carbon Black App Control Server is out of compliance with Carbon Black App Control Operating Environment Requirements, which can indicate immediate or potential performance issues. See VMware Carbon Black App Control Operating Environment Requirements. This alert only appears and can only be triggered if System Health Indicators are enabled on the Advanced tab of the System Configuration page, and this indicator is downloaded to the server. If present, it is always enabled. |
System Health Infrastructure Configuration Alert |
Conditions in your Carbon Black App ControlServer environment trigger a Health Indicator on the Infrastructure Configuration tab of the System Health page. This alert only appears and can only be triggered if System Health Indicators are enabled on the Advanced tab of the System Configuration page, and this indicator is downloaded to the server. If present, it is always enabled. |
[Sample] Windows File Properties |
The Report write (custom rule) occurs and triggers the Windows File Properties Indicator Set for threat detection. Disabled by default. |