If you create a firewall rule that blocks and alerts, any time that rule is triggered, an alert displays on the Alerts page.
Procedure
- In the left navigation pane, click Alerts.
- Set the filter to Host-based Firewall.
- View any detected alerts that were triggered by a Host-based Firewall rule. For example:
Note:
- To reduce noise on the Investigate and Alert Triage pages, Carbon Black can limit the number of events associated with an alert that a specific Host-based Firewall rule generates. This limit is never less than 100 events.
- The severity of the alert is determined based on the value provided when creating the rule. For further information, see Add a Host-based Firewall Rule Group.
- Double-click an alert or click the right arrow to expand the Alert Details pane. The Alert Details pane provides further information about the Host-based Firewall rule that triggered the alert, including the number of times the behavior was observed. You can directly navigate to the rule and policy for any necessary rule parameter changes or review.