Alerts can come from three sources: Watchlists, USB Device Control, or CB Analytics. View alerts from each source by using the Type filter.

Watchlists Alerts

Watchlists provide custom detection and continuous monitoring of your environment for potential threats and suspicious activity.

Receiving alerts from watchlists are optional and are configurable on the Watchlists page when you subscribe to a watchlist or build a custom watchlist.

USB Device Control Alerts

When an end user tries to access a blocked USB device, a deny policy action is triggered, resulting in an alert. USB Device Control alerts cannot be triaged or investigated.

CB Analytics Alerts

CB Analytics alerts are detections generated by the Carbon Black Cloud analytics engine. These alerts are further separated into two categories, indicated by the color of the alert:

• Threat: Coded with the color red, located in the Priority filter. These alerts are highly likely to be malicious activity. All Watchlists alerts are grouped in the Threat category.

• Observed: Coded with the color yellow, located in the Other Activity filter. These alerts are observed behaviors which have not been escalated to a degree which would indicate a threat or require action. Useful for additional context when conducting investigations.

We recommend only selecting the Threat box in the filters panel when reviewing your queue of CB Analytics alerts to help prioritize and focus your analysis.