You can change the status of individual alerts or all alerts in the current view on the Triage Alerts page in the Carbon Black EDR console.

Changing alert status is strictly for alert management purposes. It helps you organize alerts that need attention, are being investigated, have been resolved, or are false positives.

Change an alert status to indicate what you are doing or have done based on your review of an alert. An alert status has no effect on the actual issue that caused the alert.

In the Alerts table on the Triage Alerts page, the far-right column includes an icon representing the current alert status and a drop-down list for changing that status.

Change Status for Multiple Alerts

Perform the following procedure to change the status of all alerts matching a search and/or filter on the Triage Alerts page in the Carbon Black EDR console.

Procedure

  1. On the navigation bar, click Triage Alerts.
  2. On the Triage Alerts page, enter the search string and/or filter criteria for alerts to change.
  3. From the Actions menu, select the Mark all menu option for the status to assign.
  4. Click OK in the confirmation window to change the status of all alerts matching the current search and filter criteria.
    Note: When using the Mark all commands, be sure that you want to change all of the alerts matching the current filter and search, including those alerts that are on pages that are not displayed. After you change the status, there is no “undo” command. Be especially careful about changing alert status when the view is unfiltered (showing all alerts).

Change Status for a Single Alert

Perform the following procedure to change the status of a single alert on the Triage Alerts page in the Carbon Black EDR console.

Procedure

  1. On the navigation bar, click Triage Alerts.
  2. In the Alerts table, select the check box to the left of the alert whose status you want to change.
  3. From the Actions drop-down list, select the appropriate option for the status you want to assign.
  4. Click OK in the confirmation window to change the status of the selected alert.
    Note: Changed alerts will disappear from the current view if you have filtered the page for a different status.