Alerts can come from several sources: Watchlists, USB Device Control, CB Analytics, Host-Based Firewall, Containers Runtime, or Intrusion Detection System (IDS). View alerts from each source by using the Type filter.

Watchlists Alerts

Watchlists provide custom detection and continuous monitoring of your environment for potential threats and suspicious activity.

Receiving alerts from watchlists are optional and are configurable on the Watchlists page when you subscribe to a watchlist or build a custom watchlist.

USB Device Control Alerts

When an end user tries to access a blocked USB device, a deny policy action is triggered, resulting in an alert. USB Device Control alerts cannot be triaged or investigated.

CB Analytics Alerts

CB Analytics alerts are detections generated by the Carbon Black Cloud analytics engine.

Host-Based Firewall Alerts

Host-Based Firewall alerts notify users when one of their defined firewall rules is violated. If the rule is set to Block and Alert on the Policies page, an associated alert is generated.
Note: Host-Based Firewall alerts contain a maximum of 100 observations. Beyond 100, Carbon Black Cloud suppresses additional duplicate observations.

Containers Runtime Alerts

Containers runtime alerts indicate behavior that is suspected as malicious according to the containers runtime policy. These alerts are a result of one of the following:
  • An anomaly in the workload's behavior or a result of behavior that matches a known attack pattern, such as port scanning.
  • An outbound connection to IP addresses with bad reputation.

Intrusion Detection System (IDS) Alerts

IDS monitors network activity against known signatures for potential threats and suspicious activity.

Carbon Black Cloud recommends only selecting the Threat box in the filters panel when reviewing your queue of CB Analytics alerts to help prioritize and focus your analysis.
Note: IDS alerts contain a maximum of 100 observations. Beyond 100, Carbon Black Cloud suppresses additional duplicate observations.

View Specific Alert Types

Use this procedure to view specific alert types.


  1. On the left navigation pane, click Alerts.
  2. In the Filters pane, under Type, select one of the following to display the alerts specific to that type:
    • CB Analytics
    • Watchlists
    • USB Device Control
    • Host-Based Firewall
    • Containers Runtime
    • Intrusion Detection System
    Note: You can select more than one type at a time.
    The respective alerts display in a list to the right of the Filters pane.
  3. Double-click an alert or click the > to the right of the Actions column to view the expanded right-side panel.
  4. For each alert, you can use the drop-down arrow in the upper-right corner of the Alert Details section of the right-panel.
    The options available depend on the alert type. See: Take Action on Alerts.