In addition to the functions available from the Take Action button, there are several other actions you can take on your CB Analytics alerts.

Quarantine a device triggered by an alert

Click Quarantine Device, then Request quarantine.

Quarantining the device prevents suspicious activity and malware from affecting the rest of your network. A device remains in quarantine until it is removed from the quarantined state. It can take several minutes to place a device in quarantine.

To remove a device from quarantine, click Unquarantine device(s).

Add notes

Add notes to make alerts easier to search and filter, and to communicate with other console users. See: Add Notes.

Open or close

Edit the alert's workflow to open or close the alert. See: Editing the Alert Workflow.

Use Live Response

Click Go Live to initiate a Live Response session. Use Live Response to perform remote investigations, contain ongoing attacks, and remediate threats. To use Live Response, users must be assigned a role that has Live Response permissions in the Carbon Black Cloud. See: Use Live Response and User Roles.

Live Response is available on endpoints that run sensor version 3.0 or later and that have been assigned a policy with Live Response enabled. Live Response can be used on devices in bypass mode or quarantine.