The Anomaly Classification feature automatically identifies the alerts that are most likely to be relevant. This feature is available for Carbon Black Cloud Enterprise EDR and Carbon Black XDR customers, and on certain watchlists.

The system determines the prevalence of an alert by looking at how many times the alert has been seen across all organizations and within your own organization. The prevalence categories are very common, average, and rare. An alert is more likely to be marked as anomalous if its overall prevalence is rare.

You can use this feature to focus on the alerts that are anomalous and quickly respond to potential issues or threats.

Anomaly Classification Filter

On the Alerts page, you can use the Anomaly Classification filter to filter alerts into three categories:
  • Anomalous: Displays alerts that are anomalous.
  • Not Anomalous: Displays alerts that are not anomalous.
  • Not Classified: Displays alerts that are not classified.
[Figure: Alerts page with Anomaly Classification filter and three alert categories]
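The following is an added example, not Carbon Black Cloud's own code, that models the two ideas on this page together: prevalence buckets derived from sighting counts across all organizations and within your own organization, and the three-way Anomaly Classification filter. The sighting thresholds, the field names (global_count, org_count), the rule that combines the two prevalence values, and the treatment of alerts without prevalence data as Not Classified are all assumptions made for illustration; the product's actual thresholds and logic are not published on this page.

```python
"""Illustrative model of prevalence-based anomaly classification.

Added example, not Carbon Black Cloud's implementation: thresholds,
field names and the combining rule are assumptions for illustration.
"""
from collections import Counter

# Hypothetical thresholds on how many times an alert has been seen.
RARE_MAX = 5           # seen at most this many times -> "rare"
VERY_COMMON_MIN = 100  # seen at least this many times -> "very common"

ANOMALOUS = "Anomalous"
NOT_ANOMALOUS = "Not Anomalous"
NOT_CLASSIFIED = "Not Classified"


def prevalence(count):
    """Map a sighting count to one of the three prevalence categories."""
    if count <= RARE_MAX:
        return "rare"
    if count >= VERY_COMMON_MIN:
        return "very common"
    return "average"


def classify(alert):
    """Return the anomaly classification for one alert.

    Assumption: an alert with no prevalence data (for example one raised
    by a watchlist the feature does not cover) stays Not Classified, and
    an alert is Anomalous when it is rare both across all organizations
    and within this organization.
    """
    global_count = alert.get("global_count")
    org_count = alert.get("org_count")
    if global_count is None or org_count is None:
        return NOT_CLASSIFIED
    if prevalence(global_count) == "rare" and prevalence(org_count) == "rare":
        return ANOMALOUS
    return NOT_ANOMALOUS


def filter_alerts(alerts, category):
    """Apply the Anomaly Classification filter: keep one category only."""
    return [a for a in alerts if classify(a) == category]


def summarize(alerts):
    """Count alerts per classification, as the filter would present them."""
    return dict(Counter(classify(a) for a in alerts))


# Constructed sample alerts (not real data). Counts are sightings of the
# same alert across all organizations and within this organization.
SAMPLE_ALERTS = [
    {"id": "A1", "reason": "unsigned binary launched by Office process",
     "global_count": 2, "org_count": 1},
    {"id": "A2", "reason": "scheduled task created",
     "global_count": 5000, "org_count": 40},
    {"id": "A3", "reason": "living-off-the-land tool chain",
     "global_count": 3, "org_count": 12},
    {"id": "A4", "reason": "watchlist hit without prevalence data"},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["id"], classify(alert))
    print(summarize(SAMPLE_ALERTS))
```

Running the block prints one classification per sample alert and a summary count: A1 is rare everywhere and lands in the Anomalous bucket you would triage first, A2 and A3 are Not Anomalous (A3 is rare globally but not within the organization), and A4 has no prevalence data and stays Not Classified.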

If an alert is anomalous, an Anomalous status is displayed in the Status column.