Alerts can come from three sources: Watchlists, USB Device Control, or CB Analytics. View alerts from each source by using the Type filter.

Watchlists Alerts

Watchlists provide custom detection and continuous monitoring of your environment for potential threats and suspicious activity.

Receiving alerts from watchlists is optional and is configurable on the Watchlists page when you subscribe to a watchlist or build a custom watchlist.

USB Device Control Alerts

When an end user tries to access a blocked USB device, a deny policy action is triggered, resulting in an alert. USB Device Control alerts cannot be triaged or investigated.

CB Analytics Alerts

CB Analytics alerts are detections generated by the Carbon Black Cloud analytics engine. These alerts are further separated into two categories, indicated by the color of the alert:

  • Threat: Coded with the color red, located in the Priority filter. These alerts are highly likely to be malicious activity. All Watchlists alerts are grouped in the Threat category.

  • Observed: Coded with the color yellow, located in the Other Activity filter. These alerts are observed behaviors that have not been escalated to a degree that would indicate a threat or require action. They are useful for additional context when conducting investigations.

We recommend selecting only the Threat box in the filters panel when reviewing your queue of CB Analytics alerts, to help prioritize and focus your analysis.

View Specific Alert Types

Use this procedure to view specific Alert types.

Procedure

  1. Click Alerts in the left navigation pane.
  2. In the Filters pane, under Type, select one of the following to display the Alerts specific to that type:
    • CB Analytics
    • Watchlists
    • USB Device Control
    Note: You can select more than one type at a time.
    The respective alerts display in a list to the right of the Filters pane.
  3. Double-click an alert or click the > to the right of the Actions column to view the expanded right-side panel. In this panel, view device details like vendor ID, product ID, and serial number.
  4. For each Alert, you can use the drop-down arrow in the upper-right corner of the Alert Details section of the right-side panel.
    The options available depend on the Alert Type. See: Take Action on Alerts