There are three types of IDs and it is important to understand how each is used in the application.

Event ID: A specific action that involves up to three different hashes (Parent App, Selected App, Target App) occurring on a single device at a specific time. Event IDs are found in the event details on the Investigate page. Every event sent from the sensor to the console is assigned a unique Event ID.

Alert ID: Similar events taking place within a similar timeframe (+/- 15m) on a single device. Event IDs are grouped into a single Alert ID by Carbon Black analytics. Each alert is assigned a unique Alert ID. This is true even if subsequent alerts have the same hash, action, or device.

Threat ID: Similar alerts tied together across multiple devices and timeframes. Threat IDs can be used to search for related Alert IDs on the Alerts page. If the application’s hash changes, a new Threat ID is assigned.