To configure alert filtering for ITSM and SecOps apps, perform the following procedure.

  • This option is available with the ITSM and SecOps apps when API Ingestion is used. Alert Filtering is not supported for the Data Forwarder Ingestion method.
  • All alerts are supported for ingestion into ServiceNow, depending on which Carbon Black Cloud products are enabled:
    • CB Analytics alerts
    • Device Control alerts
    • Watchlist alerts
    • Container Runtime alerts
    • Host-based Firewall alerts
    • Intrusion Detection System alerts

Continue after Step 3 of Configure ServiceNow Actions (Optional).

Note: To change this configuration after the initial setup, go to VMware Carbon Black Cloud > Configurations and click Alert Filtering.

Prerequisites

Create a ServiceNow Configuration Profile

Procedure

  1. Deselect the checkbox for any alert type that you do not want to ingest from Carbon Black Cloud.
  2. Select the Minimum Severity value from 1-10. The default value is 3 for each alert type.
  3. Optional: For more granular control of alert filtering, use the Custom Query field to query for a specific set of alert criteria.
    Note: After you upgrade from 2.1.0 to 3.0.0, three columns will display for Alert Types and Severity. Newly introduced alert types are present in the dropdown list and are available for selection.
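
Before committing the settings from steps 1 and 2, it helps to see how many alerts of each type a given configuration would keep out of ServiceNow. The following is an added sketch, not code from VMware or the ServiceNow app: the function names, the `type` and `severity` keys, the sample alerts, and the rule that an alert passes when its severity is greater than or equal to the minimum are all assumptions. The Custom Query field from step 3 is not modeled.

```python
from collections import Counter

# Alert type labels as listed on this page.
ALERT_TYPES = (
    "CB Analytics", "Device Control", "Watchlist",
    "Container Runtime", "Host-based Firewall", "Intrusion Detection System",
)
DEFAULT_MIN_SEVERITY = 3  # default stated in step 2

def build_filter(disabled=(), min_severity=None):
    """Return {alert type: minimum severity} for the types left selected."""
    overrides = dict(min_severity or {})
    unknown = (set(disabled) | set(overrides)) - set(ALERT_TYPES)
    if unknown:
        raise ValueError(f"unknown alert type(s): {sorted(unknown)}")
    cfg = {}
    for alert_type in ALERT_TYPES:
        if alert_type in disabled:
            continue  # step 1: checkbox deselected, type is never ingested
        sev = overrides.get(alert_type, DEFAULT_MIN_SEVERITY)
        if not 1 <= sev <= 10:
            raise ValueError(f"{alert_type}: severity must be 1-10, got {sev}")
        cfg[alert_type] = sev
    return cfg

def would_ingest(alert, cfg):
    """Assumed rule: type is selected and severity >= its minimum."""
    minimum = cfg.get(alert["type"])
    return minimum is not None and alert["severity"] >= minimum

def preview(alerts, cfg):
    """Count ingested and filtered alerts per type to expose suppressed volume."""
    kept, dropped = Counter(), Counter()
    for alert in alerts:
        (kept if would_ingest(alert, cfg) else dropped)[alert["type"]] += 1
    return kept, dropped

# Constructed sample alerts, not real Carbon Black Cloud data.
SAMPLE = [{"type": t, "severity": s} for t, s in [
    ("CB Analytics", 2), ("CB Analytics", 3), ("CB Analytics", 8),
    ("Watchlist", 5), ("Watchlist", 7), ("Device Control", 4),
    ("Intrusion Detection System", 9),
]]

if __name__ == "__main__":
    cfg = build_filter(disabled={"Device Control"}, min_severity={"Watchlist": 6})
    kept, dropped = preview(SAMPLE, cfg)
    for t in ALERT_TYPES:
        print(f"{t:28} ingested={kept[t]} filtered={dropped[t]}")
```

A type with a high filtered count is one whose alerts will be visible only in the Carbon Black Cloud console, so review that count before raising a minimum or deselecting a type.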

What to do next

Configure Incident Creation for ITSM and SecOps Apps (Optional)