Carbon Black Cloud Host-based Firewall events are displayed on the Investigate page. All firewall events are of Type netconn.

Procedure

  1. In the left navigation pane, click Investigate.
  2. Click the Observations tab.
  3. Build a search query using the following search string:
    event_type:NETWORK AND firewall
  4. View events that were initiated by a firewall rule; for example:
    [Figure: example of an event initiated by a firewall rule]
    Note: To reduce noise on the Investigate and Alert Triage pages, Carbon Black can limit the number of events associated with an alert that a specific Host-based Firewall rule generates. This limit will never be less than 100 events.