This section describes how to enable alerts and syslog output for banning events.

Unless banning is disabled entirely, process block events are sent to the Carbon Black EDR server and viewable on the Process Analysis page. (See Process Search and Analysis.)

To configure alerts and syslog output for process blocks, a special Banning Events panel is available on the Threat Intelligence Feeds page. (See Threat Intelligence Feeds.) This is not a feed in the normal sense because the events for blocks are sent to the server regardless of whether the feed is enabled. However, the feed must be enabled if you want to configure notifications for banning events.

The Banning Events feed is available by default and does not require enabling communication with Carbon Black Threat Intel.

Enable Alerts and Syslog Output for Banning Events

Perform the following procedure to enable alerts and syslog output for banning events.

Procedure

  1. On the navigation bar, click Threat Intelligence.
  2. Locate the Banning Events feed.
    The banning events feed
  3. Click Notifications and select the notification types to create: Create Alert and/or Log to Syslog.
  4. To receive email when a block event occurs, select Email Me On Hit.

View Banned Hash Alerts

Perform the following procedure to view banned hash alerts.

Procedure

  1. On the navigation bar, click Triage Alerts.
  2. In the search box for the Feed filter, enter cbbanning and press Enter. If it already appears on the list, click cbbanning.
    In addition to triggering alerts (if enabled), processes that are blocked due to a hash ban generate events that appear on the Process Analysis page.
    For example, if you receive a Process Blocking alert for a process, the Process Analysis page for the parent process appears and includes a blocked event.
    The Process Analysis page displaying a blocked alert