This topic describes observation types.

You can filter your queries by Type, as described in Searching for Observations. The following table describes these types.

Blocked Hash

This observation type only applies to Carbon Black Cloud Enterprise EDR environments. It is composed of observations and alerts that surface when processes load hashes that appear on the hash ban list.

CB Analytics

Observations and alerts that were created using Carbon Black Cloud Analytics, which monitors behavioral patterns of processes running on the endpoint. CB Analytics alerts detect attacks but do not prevent them.

Contextual Activity

Contextual Activity observations are events that were captured by the sensor but do not match any Carbon Black detections. These events can help establish context on what else was happening on the endpoint at the time a potential attack was observed.

When Contextual Activity observations are elevated to alerts, they are re-categorized as CB Analytics observations.

Host-based Firewall

Observations that are generated when network traffic matches a Host-based Firewall rule on the endpoint.

Indicator of Attack (IOA)

Observations that arise from endpoint behavior that matches known indicators of attack; they are almost always tied to a known MITRE ATT&CK Technique. Indicators of attack are not always malicious in nature, but they should be reviewed.

Intrusion Detection System (IDS)

Observations and alerts resulting from network traffic that exhibits known malicious or suspicious patterns on a single network flow. In most cases, these behaviors map to a known MITRE ATT&CK Technique.

Carbon Black monitors for suspicious network traffic against known signatures. When such a signature is found, an IDS observation is generated.

Network Traffic Analysis (NTA)

NTA monitors network availability and activity to identify anomalies.

Tamper

Observations and alerts that capture evidence of processes that are tampering with the operating system or the Carbon Black Cloud Sensor.

These observations and alerts can result from policy rules that detect and prevent Sensor tampering attempts.

TAU Intelligence

Observations that are generated by specific research findings from the Carbon Black Threat Analysis Unit (TAU).

This category includes observations and alerts that were created using analysis of behavioral patterns on the sensor. These observations and alerts frequently result in prevention.