This section provides answers to frequently asked questions about MTH.

What alerts are covered by MTH?

Alerts generated by the Managed Detection and Response Intelligence watchlist are covered by MTH.

As an MTH customer, you can view all alerts covered by MTH on the Alerts page of the Carbon Black Cloud console.
  • Hits generated by MDR Intelligence are escalated to alerts by an MDR analyst if they are found to be likely threats. Currently, no other watchlists or alert types are covered by MTH.
  • These alerts carry a blue MDR Threat Hunt badge.
  • You can search for MTH alerts using the term mdr_alert:true.
Figure: Managed Threat Hunting and Managed Detection and Response badges on Alerts

What are the differences in response actions between MDR and MTH?

MDR is based on Carbon Black Cloud Endpoint Standard, which, in addition to hash banning and device quarantine, allows for the implementation of policy blocking rules. These blocking rules provide a tailor-made option to stop potentially malicious behavior with minimal operational impact on the asset.
MTH is based on Carbon Black Cloud Enterprise EDR, which allows for the implementation of hash banning and device quarantine.
If you have both Carbon Black Cloud Endpoint Standard and Carbon Black Cloud Enterprise EDR, policy blocking rules can be leveraged.

Will the MDR analysts review other watchlist alerts that the customer creates?

No. The analysts will only review alerts generated by the Managed Detection and Response Intelligence watchlist.

What is the MTH SLO?

There is no SLO with the MTH product. The team operates during US business hours, Monday through Friday. Threat hunts are conducted whenever intelligence produces sufficient information to conduct them.

What is the difference between Alert Determination and MDR Alert Determination?

When are you notified by MTH?

MTH customers are notified for likely threats only, and when the threat hunt completes. Customers are contacted through the alert notes and email notifications.
Note: Make sure you have email notifications set up. See Set up MDR Email Notifications.

Can I contact MDR analysts?

You can contact an analyst only after an analyst has left a comment on an alert.
To reply to a comment from an analyst:
  1. On the Alerts page, click the right pane to open the Alert ID History.
  2. Locate the comment and click Reply.

Can I send MTH notifications to my SIEM?

  • MDR workflow and determination information is included in the Alerts v7 API and Data Forwarder Alerts v2 schema. The Data Forwarder re-forwards an alert if an MDR analyst makes an update.
  • MDR analyst comments are available in Alert Notes. You can view the alert history if the mdr_alert_notes_present field is true. See Working with MDR and MTH Alerts.
   
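The following is an added example of SIEM-side handling for the forwarded records described above; it is not code from the Carbon Black Cloud documentation or product. It filters Data Forwarder Alerts v2 records to the MTH alerts (mdr_alert true), collapses the copies that the forwarder re-sends after an analyst update so the SIEM keeps only the latest version, and lists the alerts whose notes are worth pulling (mdr_alert_notes_present true). The sample records are constructed, and the id and backend_update_timestamp field names are assumptions for this example.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample Data Forwarder Alerts v2 output (JSON lines), not real forwarder
# data. mdr_alert and mdr_alert_notes_present are the fields named in the FAQ;
# "id" and "backend_update_timestamp" are assumed field names for this example.
SAMPLE_FORWARDER_OUTPUT = "\n".join([
    json.dumps({"id": "A1", "type": "WATCHLIST", "mdr_alert": True,
                "mdr_alert_notes_present": False,
                "backend_update_timestamp": "2024-05-01T10:00:00Z"}),
    # Same alert re-forwarded after an MDR analyst added a note.
    json.dumps({"id": "A1", "type": "WATCHLIST", "mdr_alert": True,
                "mdr_alert_notes_present": True,
                "backend_update_timestamp": "2024-05-01T12:30:00Z"}),
    json.dumps({"id": "B7", "type": "CB_ANALYTICS", "mdr_alert": False,
                "mdr_alert_notes_present": False,
                "backend_update_timestamp": "2024-05-01T11:00:00Z"}),
])


def parse_jsonl(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def select_mth_alerts(records: Iterable[Dict]) -> List[Dict]:
    """Keep only alerts the MTH service covers (mdr_alert == true)."""
    return [r for r in records if r.get("mdr_alert") is True]


def latest_per_alert(records: Iterable[Dict]) -> Dict[str, Dict]:
    """Collapse re-forwarded copies of one alert to its most recent version.
    The timestamps share one ISO-8601 UTC format, so string comparison is safe."""
    latest: Dict[str, Dict] = {}
    for r in records:
        cur = latest.get(r["id"])
        if cur is None or r["backend_update_timestamp"] > cur["backend_update_timestamp"]:
            latest[r["id"]] = r
    return latest


def alerts_with_analyst_notes(records: Iterable[Dict]) -> List[str]:
    """IDs of MTH alerts whose analyst notes should be read from the Alert History."""
    current = latest_per_alert(select_mth_alerts(records)).values()
    return sorted(r["id"] for r in current if r.get("mdr_alert_notes_present"))


if __name__ == "__main__":
    recs = parse_jsonl(SAMPLE_FORWARDER_OUTPUT)
    print("MTH alerts:", sorted({r["id"] for r in select_mth_alerts(recs)}))
    print("Alerts with analyst notes:", alerts_with_analyst_notes(recs))
```

Because the forwarder re-sends an alert on every analyst update, a SIEM rule that counts raw records will overcount; key detections on the alert id and the latest version instead.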
Are MDR analyst actions audited?

  • MTH workflow actions are recorded in the Alert History, which can be found on the right pane of the Alerts page for each alert.
  • MDR containment actions, such as banning hashes, modifying policy, or quarantining assets, are included in the Audit Log.