
Endpoint Standard: Event ID vs Alert ID vs Threat ID

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard

Question

What is the difference between EventID/event_id, AlertID/alert_id, and ThreatID/threat_id?

Answer

| ID Name | Description | Format and where visible |
|---|---|---|
| EventID | One specific action involving up to three different hashes (Parent App, Selected App, Target App), occurring on a single device at a specific time. Added in the Predictive Security Cloud (PSC), not shown in Sensor logs. Visible in Event details on the Investigate page. The most granular ID. | 32 characters, hexadecimal; visible in the UI when Event Details are expanded. |
| AlertID | Similar Events taking place within a similar timeframe (±15m) on a single device. EventIDs are grouped into a single AlertID by the analytics engine in the PSC. Added in the Predictive Security Cloud (PSC), not shown in Sensor logs. | 8 characters, alphanumeric; visible on the Alerts, Alert Triage, and Investigate pages. |
| ThreatID | Similar Alerts tied together across multiple devices and across multiple timeframes. Added in the Predictive Security Cloud (PSC), not shown in Sensor logs. Only seen in the URL bar on the Alert Triage and Investigate pages; it can be used to search for related AlertIDs on the Alerts page. The least granular ID. | 32 characters, hexadecimal; visible in the URL on the Alert Triage and Investigate pages. |

Additional Notes

  • AlertID ('alert_id:') and ThreatID ('threat_id:') can be searched for on the Alerts page
  • EventID ('event_id:') and AlertID ('alert_id:') can be searched for on the Investigate page
  • This information is related to CB Analytics Alerts and not Enterprise EDR Watchlist hits
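As an added illustration (not code from the article or from Carbon Black), the script below applies the ID formats and search fields listed above to triage tooling: it tells you which `field:value` query a copied ID can be used in and on which page, flagging that a 32-character hex value could be either an EventID or a ThreatID, and it approximates the Event-to-Alert grouping rule (same device, ±15 minutes). The grouping is a simplified stand-in for the PSC analytics engine, and all IDs, hostnames and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta
from itertools import groupby

# Format rules from the article: EventID and ThreatID are 32 hex characters,
# AlertID is 8 alphanumeric characters.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
ALNUM8 = re.compile(r"^[0-9a-zA-Z]{8}$")

# Which search field is accepted on which console page ("Additional Notes").
SEARCH_FIELDS = {
    "event_id": ["Investigate"],
    "alert_id": ["Alerts", "Investigate"],
    "threat_id": ["Alerts"],
}

def classify_id(value):
    """Candidate search fields for an ID, judged by format alone. A 32-char hex
    value may be an EventID or a ThreatID, so both are returned; only where the
    value was copied from (event details vs. URL bar) resolves that."""
    if HEX32.match(value):
        return ["event_id", "threat_id"]
    if ALNUM8.match(value):
        return ["alert_id"]
    return []

def search_queries(value):
    """Map an ID to 'field:value' query strings and the pages that accept them."""
    return {f"{f}:{value}": SEARCH_FIELDS[f] for f in classify_id(value)}

def group_events(events, window=timedelta(minutes=15)):
    """Approximation of the Event -> Alert grouping: events on the same device
    within 15 minutes of the previous event in the chain form one group.
    This is an illustrative stand-in, not the PSC analytics engine."""
    groups = []
    ordered = sorted(events, key=lambda e: (e["device"], e["time"]))
    for _device, evs in groupby(ordered, key=lambda e: e["device"]):
        current = []
        for ev in evs:
            if current and ev["time"] - current[-1]["time"] > window:
                groups.append(current)
                current = []
            current.append(ev)
        groups.append(current)
    return groups

# Constructed sample events (hypothetical IDs and hosts, not real data).
T0 = datetime(2017, 7, 21, 10, 0)
SAMPLE_EVENTS = [
    {"event_id": "0" * 31 + "1", "device": "HOST-A", "time": T0},
    {"event_id": "0" * 31 + "2", "device": "HOST-A", "time": T0 + timedelta(minutes=10)},
    {"event_id": "0" * 31 + "3", "device": "HOST-A", "time": T0 + timedelta(minutes=40)},
    {"event_id": "0" * 31 + "4", "device": "HOST-B", "time": T0 + timedelta(minutes=5)},
]
```

With the sample data, the first two HOST-A events fall into one group, the third (40 minutes later) starts a new one, and the HOST-B event stands alone.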

Article Information
Creation Date: 07-21-2017