Alerts can come from several sources: Watchlists, USB Device Control, CB Analytics, Host-Based Firewall, Containers Runtime, or Intrusion Detection System (IDS). View alerts from each source by using the Type filter.

Watchlists Alerts

Watchlists provide custom detection and continuous monitoring of your environment for potential threats and suspicious activity.

Receiving alerts from watchlists are optional and are configurable on the Watchlists page when you subscribe to a watchlist or build a custom watchlist.

USB Device Control Alerts

When an end user tries to access a blocked USB device, a deny policy action is triggered, resulting in an alert. USB Device Control alerts cannot be triaged or investigated.

CB Analytics Alerts

CB Analytics alerts are detections generated by the Carbon Black Cloud analytics engine.

Host-Based Firewall Alerts

Host-Based Firewall alerts notify users when one of their defined firewall rules is violated. If the rule is set to Block and Alert on the Policies page, an associated alert is generated.
Note: Host-Based Firewall alerts contain a maximum of 100 observations. Beyond 100, Carbon Black Cloud suppresses additional duplicate observations.

Containers Runtime Alerts

Containers runtime alerts indicate behavior that is suspected as malicious according to the containers runtime policy. These alerts are a result of one of the following:
  • An anomaly in the workload's behavior or a result of behavior that matches a known attack pattern, such as port scanning.
  • An outbound connection to IP addresses with bad reputation.

Intrusion Detection System (IDS) Alerts

IDS monitors network activity against known signatures for potential threats and suspicious activity.

We recommend only selecting the Threat box in the filters panel when reviewing your queue of CB Analytics alerts to help prioritize and focus your analysis.

Note: IDS alerts contain a maximum of 100 observations. Beyond 100, Carbon Black Cloud suppresses additional duplicate observations.