This topic describes communications between customers and MDR analysts in the Carbon Black MDR platform.
MDR Analyst comments are available in the alert notes of the Alert ID History pane on the Alerts page in the Carbon Black Cloud console. See Working with MDR and MTH Alerts.
MDR Analyst Guidance
Carbon Black MDR analysts generally provide guidance on any eligible alert that has an MDR determination of likely threat. Occasionally, MDR analysts provide information on other eligible alerts, such as unlikely threats. See MDR Alert Determination.
MDR analyst guidance generally includes IOCs such as registry modifications, file hashes, and IP addresses, together with the root cause of the activity if it has been identified. MDR analysts may also describe recommended remediation actions and applicable policy recommendations.
MDR and MTH customers may also receive:
- Details describing any containment action taken by analysts.
- Follow-up questions from the MDR analyst to better understand the environment, asset, or impact.
Replying to an MDR Analyst Comment
You can contact an analyst only after an analyst has left a comment on an alert. If the MDR analyst comment is eligible for reply, a Reply to MDR button is displayed below the comment.
After you reply to the MDR analyst, the MDR workflow state transitions to Pending MDR response and the MDR analyst is notified. When the MDR analyst replies to your comment, the MDR workflow state transitions to Received MDR response.
The following table describes the requirements for an MDR analyst's comment to be eligible for a reply:
| Product | Alert Type | Alert Determination |
|---|---|---|
| MDR | CB Analytics (Severity 5-10) | Likely threat or Not enough information |
| MTH | Watchlist (MDR Intelligence) | Likely threat or Not enough information |