You can subscribe to receive notifications about alerts.

Prerequisites

Email addresses must be associated with registered Carbon Black Cloud console users.

Procedure

  1. On the left navigation pane, click Settings > Notifications.
  2. Click Add Notification and populate the required fields.
    1. Select a notification type from the dropdown menu.
      Option: Alert crosses a threshold
      Description: Notifies you if an alert crosses a specified severity threshold. You can choose to receive notifications for all alerts or specified alert types:
        • CB Analytics
        • Watchlists
        • USB Device Control
        • Containers Runtime
        • Host-Based Firewall
        • Intrusion Detection System (email only)

      Option: Alert includes specific TTPs or MITRE techniques
      Description: Notifies you if an alert exhibits specific TTPs or MITRE techniques. You can select and search for multiple TTPs or MITRE techniques. If multiple TTPs or MITRE techniques are selected, an OR operator is applied.

      Option: Policy action is applied
      Description: Notifies you if a policy action is applied. These notifications can be configured based on the action taken by the policy and notify you when an application, process, or network connection is terminated or denied based on policy rules. If you select more than one policy, the Carbon Black Cloud console sends a separate notification for each policy.

      Option: Watchlist gets a hit
      Description: Notifies you if an IOC is detected in your environment.

      Option: *Carbon Black Managed Detection and Response analyst takes an action
      Description:
        • Analyst adds a comment to an alert
        • Analyst makes a likely threat determination
        • Analyst makes an unlikely threat determination
        • Analyst completes a threat hunt

      Note: * For Carbon Black Cloud Managed Threat Hunting customers, see the Carbon Black MDR Platform User Guide.
      Depending on the notification type you select, you can view additional options under the dropdown menu.
      Note: If you set up both a TTP- or MITRE Techniques-based notification and a Threat Score-based notification, you will receive two emails for the same alert.
    2. Select how to receive the notifications: by email or by API keys. You can search for and select multiple email addresses and/or API keys.
      Note: The API key option has been deprecated.
    3. Optional. To reduce the number of emails that you receive, select the box for Send only 1 email notification for each threat type per day.
  3. To apply the changes, click Add.

Results

The notification you subscribed to is displayed at the bottom of the Notifications list.

Example

Add a notification example

What to do next

You can change your notification preferences or check the notification history by selecting the Edit icon or the Clock icon, respectively.