To view and respond to analysts about alerts covered by MTH on the Alerts page of the Carbon Black Cloud console, perform the following procedure.
Threat hunts query historical data in your environment using new, continuously evolving detections to find potential threats that may have evaded previous detections. This means that the original event time of the behavior deemed to be a likely threat will always be before the alert creation time.
Alert created: Time that the threat hunt identified a past event as a likely threat. This is always more recent than the original event time.
Original event time: Time of the event deemed to be a likely threat.
Procedure
- Select the alert of interest and click the
right-arrow icon at the right of the alert row. - View the MDR and MTH summary and triage data in the right Details pane:
The threat hunt is in one of two states:
Ongoing- The threat hunt is initiated and analysts are actively reviewing hits to determine if there are any indicators of likely threats.Complete- The threat hunt is finished. An email is sent with a summary of the results of the threat hunt, whether or not likely threats were found.
Tip: Click the
Information icon next to the
Threat hunt name for a description of the threat hunt and its primary goal.
- View and respond to MDR analyst notes:
- In the alert row, click MDR Comments, or in the Details pane, scroll down to Alert ID History.
Tip: You can search for only those alerts that have MDR comments by using the search term
mdr_alert_notes_present.
- To respond to the MDR analyst, click Reply to MDR.
Your reply is added to the Alert ID History and a notification is sent to the MDR team.Note: Make sure that you click Reply to MDR before adding your reply. Otherwise, you will be adding an internal note to the alert and the MDR analyst will not be notified.
- In the alert row, click MDR Comments, or in the Details pane, scroll down to Alert ID History.
