You can enable Carbon Black EDR console alerts for any watchlist or threat intelligence feed. This topic explains how to enable console alerts.

Consider how many hits you are likely to receive when you enable alerts. Some watchlists or feeds might generate too many hits to be useful, making it more difficult to identify significant alerts. Ideally, an alert should get your attention for issues that you need to follow up on. No alerts are enabled by default.

Enable Console Alerts for a Watchlist

Perform the following procedure to enable Carbon Black EDR console alerts for a watchlist.

Watchlists are user-created, custom, saved searches that are based on process search, binary search, or feed results. You can use watchlists to monitor endpoints for detected IOCs. You can also select the most important watchlists to monitor and add console alerts. Then, you can then view and manage these key watchlist and feed hits in the Triage Alerts page.

Procedure

  1. On the navigation bar, click Watchlists.
  2. In the left panel of the Watchlists page, select the watchlist for which to create an alert. Use the Search box at the top of the panel to locate a watchlist that does not immediately display.
  3. In the right panel, click the Enable button if the watchlist is disabled, and then select the Create Alert check box.
    The watchlist will begin generating alerts.

Enable or Disable Console Alerts for a Threat Intelligence Feed

Adding a Carbon Black EDR console alert to a feed allows you to highlight hits matching reported malware from a specific source. You can then view and manage high-importance feed and watchlist hits on the Triage Alerts page.

Threat intelligence feeds provide information that helps you identify malware and its sources. Carbon Black EDR integrates with third-party and internal feeds (such as the Carbon Black Threat Intel Reputation and Carbon Black EDR Tamper Detection) that identify hosts on which tamper attempts have occurred.

Prerequisites

Important: Make sure you understand the volume of reports that you will receive from any feed before enabling alerts for it. Be sure to read the description of a feed on the Threat Intelligence Feeds page. Some feeds include a specific recommendation not to enable alerts, because of the report volume or percentage of false positives that can occur.

Procedure

  1. On the navigation bar, click Threat Intelligence.
  2. Click the Notifications drop-down menu.
    • Select the Create Alert check box for each feed panel to enable console alerts.
    • Deselect the Create Alert check box for each feed panel to disable console alerts.