This section describes how to manage alerts on the Triage Alerts page in the Carbon Black EDR console.

When an alert is received that indicates suspicious or malicious activity, incident responders must:

  • Determine the seriousness of the alert.
  • Determine whether the alert indicates a sufficiently severe threat.
  • Find a way to resolve a serious threat.

These tasks might involve using the following Carbon Black EDR features:

These tasks might also require using other tools.

Given the high volume of threat reports, it is critical to prioritize, investigate, and keep track of alert statuses. After an alert is resolved, it should be removed from the list of threats requiring attention so that ongoing threats can be addressed.

The Triage Alerts page provides features for alert management. It includes search and filtering capabilities for locating specific alerts or alert types. It also allows you to change alert status.

  • On the navigation bar, click Triage Alerts.

Note: You also can navigate to the Triage Alerts page from the HUD page by clicking View all in the Unresolved Alerts panel. See Viewing Alert Activity on the HUD Page.

The Triage Alerts sections

The Triage Alerts page is divided into three major sections:

  • The top section includes the Search field and button, Add Criteria button, Reset search items button, and Actions menu.
  • The middle section contains filters that are category-specific lists (Status, Username, and so on). These filters show the percentage of alerts that match each value in a category, and allow you to narrow the view to only the alerts that match the values you select.
  • The bottom section contains the Alerts table, which shows details for the alerts that match the search criteria and filters entered in the first two sections.