Alerts can come from several sources: Watchlists, USB Device Control, CB Analytics, Host-Based Firewall, Containers Runtime, or Intrusion Detection System (IDS). View alerts from each source by using the Type filter.

Watchlists Alerts

Watchlists provide custom detection and continuous monitoring of your environment for potential threats and suspicious activity.

Receiving alerts from watchlists is optional. You configure it on the Watchlists page when you subscribe to a watchlist or build a custom watchlist.

Note: For Carbon Black Cloud Managed Threat Hunting customers only, a watchlist alert can display a blue MDR or MDR Threat Hunt badge next to it when the threat was discovered by the Carbon Black Managed Detection and Response team. Click the badge for additional information about the alert.

USB Device Control Alerts

When an end user tries to access a blocked USB device, the deny policy action is triggered and an alert is generated. USB Device Control alerts cannot be triaged or investigated.

CB Analytics Alerts

CB Analytics alerts are detections that the Carbon Black Cloud analytics engine generates.

Host-Based Firewall Alerts

Host-Based Firewall alerts notify you when traffic matches a defined firewall rule. An associated alert is generated when the rule's action is set to Block and Alert on the Policies page.
Note: Host-Based Firewall alerts contain a maximum of 100 observations. Beyond 100, Carbon Black Cloud suppresses additional duplicate observations.

Containers Runtime Alerts

Containers Runtime alerts indicate behavior that the containers runtime policy flags as suspected malicious. An alert results from one of the following:
  • An anomaly in the workload's behavior, or behavior that matches a known attack pattern such as port scanning.
  • An outbound connection to an IP address with a bad reputation.

Intrusion Detection System (IDS) Alerts

IDS monitors network activity against known signatures for potential threats and suspicious activity.

To help prioritize and focus your analysis, Carbon Black Cloud recommends selecting only the Threat box in the Filters panel when you review your queue of CB Analytics alerts.
Note: IDS alerts contain a maximum of 100 observations. Beyond 100, Carbon Black Cloud suppresses additional duplicate observations.

View Specific Alert Types

Use this procedure to view specific alert types.

Procedure

  1. On the left navigation pane, click Alerts.
  2. In the Filters pane, under Type, select one of the following to display the alerts specific to that type:
    • CB Analytics
    • Watchlists
    • USB Device Control
    • Host-Based Firewall
    • Containers Runtime
    • Intrusion Detection System
    Note: You can select more than one type at a time.
    The respective alerts display in a list to the right of the Filters pane.
  3. Double-click an alert, or click the > to the right of the Actions column, to open the expanded right-side panel.
  4. For each alert, use the drop-down arrow in the upper-right corner of the Alert Details section of the right-side panel.
    The options available depend on the alert type. See: Take Action on Alerts.
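The same Type filter can be applied programmatically when you want to pull a typed alert queue into a ticketing system or a SOAR playbook instead of reading it in the console. The Python below is an added example, not code from this page or from Carbon Black. It assumes the Alerts API v7 `_search` endpoint, the `X-Auth-Token` header format, and the `type` identifiers listed in `ALERT_TYPES` (confirm all three against your API reference), and the response it buckets is a constructed sample, not real alert data.

```python
"""Pull Carbon Black Cloud alerts of selected types and bucket them for triage."""
import json
import urllib.request
from collections import Counter

# Assumption: the `type` values the Alerts API v7 accepts, keyed by the labels the
# Type filter shows on the Alerts page. Confirm against your API reference.
ALERT_TYPES = {
    "CB Analytics": "CB_ANALYTICS",
    "Watchlists": "WATCHLIST",
    "USB Device Control": "DEVICE_CONTROL",
    "Host-Based Firewall": "HOST_BASED_FIREWALL",
    "Containers Runtime": "CONTAINER_RUNTIME",
    "Intrusion Detection System": "INTRUSION_DETECTION_SYSTEM",
}

# Types the page says cannot be triaged or investigated; keep them out of the work queue.
NON_TRIAGEABLE = {"DEVICE_CONTROL"}


def build_search_body(type_labels, hours=24, rows=200):
    """Build the _search request body for one or more Type filter selections."""
    unknown = [t for t in type_labels if t not in ALERT_TYPES]
    if unknown:
        raise ValueError(f"unknown alert type label(s): {unknown}")
    return {
        "time_range": {"range": f"-{hours}h"},
        "criteria": {"type": [ALERT_TYPES[t] for t in type_labels]},
        "rows": rows,
        "sort": [{"field": "backend_timestamp", "order": "DESC"}],
    }


def search_alerts(hostname, org_key, api_id, api_secret, body):
    """POST the body to the Alerts API v7 search endpoint (network; not exercised offline).

    Assumed endpoint path and auth header format: X-Auth-Token is "<secret>/<id>".
    """
    url = f"https://{hostname}/api/alerts/v7/orgs/{org_key}/alerts/_search"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={
            "X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage_queue(response):
    """Count alerts per type and return triageable alert IDs, highest severity first."""
    results = response.get("results", [])
    counts = Counter(a["type"] for a in results)
    queue = sorted(
        (a for a in results if a["type"] not in NON_TRIAGEABLE),
        key=lambda a: (-a.get("severity", 0), a["id"]),
    )
    return dict(counts), [a["id"] for a in queue]


# Constructed sample response, shaped like an Alerts API v7 _search result, so the
# bucketing can be run without network access. Not real alert data.
SAMPLE_RESPONSE = {
    "num_found": 5,
    "results": [
        {"id": "a1", "type": "CB_ANALYTICS", "severity": 7, "device_name": "WKS-01"},
        {"id": "a2", "type": "DEVICE_CONTROL", "severity": 3, "device_name": "WKS-02"},
        {"id": "a3", "type": "WATCHLIST", "severity": 5, "device_name": "SRV-01"},
        {"id": "a4", "type": "HOST_BASED_FIREWALL", "severity": 4, "device_name": "WKS-01"},
        {"id": "a5", "type": "WATCHLIST", "severity": 9, "device_name": "SRV-02"},
    ],
}

if __name__ == "__main__":
    body = build_search_body(["Watchlists", "CB Analytics", "USB Device Control"])
    print(json.dumps(body, indent=2))
    counts, queue = triage_queue(SAMPLE_RESPONSE)
    print(counts)   # per-type totals, DEVICE_CONTROL included in the count
    print(queue)    # ['a5', 'a1', 'a3', 'a4']; a2 (DEVICE_CONTROL) is excluded from triage
```

Selecting several labels in `build_search_body` mirrors selecting more than one Type checkbox in the console. USB Device Control alerts are still counted, so they appear in reporting, but they are dropped from the triage list because the console offers no triage or investigation actions for them.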