There are three types of IDs in Carbon Black Cloud. It is important to understand how each ID is used.
Event ID: A specific action that involves up to three different hashes (Parent App, Selected App, and Target App) occurring on a single device at a specific time. Event IDs are added to the Predictive Security Cloud (PSC), but are not shown in Sensor logs. Event IDs are listed as 32 hexadecimal characters in the Event Details pane on the Investigate page. Every event sent from the sensor to the console is assigned a unique Event ID.
Alert ID: Similar events taking place within a similar timeframe (+/- 15m) on a single device. Event IDs are grouped into a single Alert ID by the analytics engine in PSC. This is true even if subsequent alerts have the same hash, action, or device. Alert IDs are added to the PSC, but are not shown in Sensor logs. Each alert is assigned a unique Alert ID. Alert IDs are listed as 8 alphanumeric characters on the Alerts, Alert Triage, and Investigate pages.
Threat ID: Similar alerts tied together across multiple devices and timeframes. Threat IDs are added to the PSC, but are not shown in Sensor logs. Threat IDs can be used to search for related Alert IDs on the Alerts page. If the application’s hash changes, a new Threat ID is assigned. Threat IDs are listed as 32 hexadecimal characters in the URL on the Alert Triage and Investigate pages.
Additional Information
- You can search for Alert ID (
alert_id:
) and Threat ID (threat_id:
) on the Alerts page. - You can search for Event ID (
event_id:
) and Alert ID (alert_id:
) on the Investigate page. - This information is related to CB Analytics Alerts and not Carbon Black Cloud Enterprise EDR Watchlist hits