This section describes how to create and manage Carbon Black EDR alerts in the Carbon Black EDR console, and how to enable email alerts to report events.

Alerts can be triggered based on watchlist or Carbon Black Threat Intel feed events.

You can create alerts to indicate in the Carbon Black EDR console when suspicious or malicious activity appears on your endpoints. Alerts are available for two types of events:

  • Watchlist hits – Watchlists can be configured to send an alert when conditions matching the watchlist occur. See Watchlists.
  • Threat intelligence feed hits – Threat intelligence feeds can be configured to send an alert when that feed reports an IOC. See Threat Intelligence Feeds.

Triggered alerts are reported in two locations in the Carbon Black EDR console:

  • The Head-Up Display (HUD) page contains a summary that shows the number of unresolved alerts, the number of hosts that have unresolved alerts, and other alert-related data, including the alerts for each host. See Viewing Alert Activity on the HUD Page.
  • The Triage Alerts page contains more details about triggered alerts and provides a filter and search interface to find alerts that match different criteria. It also allows you to manage the alert workflow, marking the status of each alert from its initial triggering to its resolution. See Managing Alerts on the Triage Alerts Page.

You can configure watchlists and threat intelligence feeds to send email alerts when there is a hit on data from a Carbon Black EDR sensor that matches the watchlist or feed. You can enable email alerts in addition to or instead of the Carbon Black EDR console-based alerts. See Enabling Email Alerts for more information.