Carbon Black Cloud: How to Add New Notifications

Environment

  • Carbon Black Cloud (Formerly PSC) Console: All Versions

Objective

  • How to add new Notifications to the Carbon Black Cloud Console, to allow email and SIEM Connector alerts to be sent out automatically.

Resolution

  1. Log in to the Carbon Black Cloud Console
  2. Navigate to Settings > Notifications
  3. Select the button in the top left labeled '+ Add Notification'
  4. In the Add Notification pop-up modal window, provide an alert name.
  5. Select one of the three options for when the alert will notify:
    1. Alert crosses a threshold
    2. Alert matches specific TTP
    3. Policy action enforced
  6. Configure the options for the selected 'Notify when' type, outlined below.
  7. Choose whether this is for all policies or for specific policies
  8. Subscribe any Users and/or Connectors that will receive these notifications
  9. If desired, check the box for 'Send only 1 email notification for each threat type per day' to limit the number of notifications sent for each threat type to once per day.

Depending on which 'Notify when' type is selected, new options are presented to configure the Notification:
  • Alert crosses a threshold:
    1. Threat and/or Monitored
    2. Alert Priority Score - Anything that is equal to or higher than the selected alert priority will trigger this notification.
  • Alert matches specific TTP:
    1. Threat and/or Monitored
    2. TTPs - Start typing to select from a list of TTPs, or click into the search field to see TTPs that can be selected from the dropdown list. If you select multiple TTPs, they will be logically OR'd.
  • Policy action enforced:
    1. Deny or Terminate

Additional Notes

  • When setting up alerts, avoid overlapping conditions. Otherwise, you may receive multiple alerts for the same event.
  • Once an alert notification has been triggered, the User(s)/Connector(s) added to that notification will receive an email/alert detailing the action applied, the event, the applications involved, and the TTPs.
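
The 'Notify when' options and the overlap caveat above can be checked before configuring the console. The following is an added example, not Carbon Black code: a simplified model in which every class, field, policy name and TTP name is hypothetical, and the sample notifications and alerts are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional
# Simplified model; names are hypothetical, not Carbon Black Cloud API fields.
@dataclass(frozen=True)
class Notification:
    name: str
    notify_when: str                            # "threshold", "ttp" or "policy_action"
    categories: FrozenSet[str] = frozenset()    # "threat" and/or "monitored"
    min_priority: int = 0                       # used by "threshold"
    ttps: FrozenSet[str] = frozenset()          # used by "ttp"
    actions: FrozenSet[str] = frozenset()       # "deny" and/or "terminate"
    policies: Optional[FrozenSet[str]] = None   # None means all policies

@dataclass(frozen=True)
class Alert:
    category: str
    priority: int
    ttps: FrozenSet[str]
    policy: str
    action: Optional[str] = None

def matches(n: Notification, a: Alert) -> bool:
    if n.policies is not None and a.policy not in n.policies:
        return False
    if n.notify_when == "threshold":            # equal to or higher triggers
        return a.category in n.categories and a.priority >= n.min_priority
    if n.notify_when == "ttp":                  # multiple TTPs are OR'd
        return a.category in n.categories and bool(n.ttps & a.ttps)
    if n.notify_when == "policy_action":
        return a.action in n.actions
    raise ValueError(f"unknown notify_when: {n.notify_when}")

def fired(notifications, alert):
    """Names of every notification the alert triggers; more than one means overlap."""
    return [n.name for n in notifications if matches(n, alert)]

# Constructed sample configuration and alerts.
NOTIFICATIONS = [
    Notification("High priority threats", "threshold", frozenset({"threat"}), min_priority=7),
    Notification("Watched TTPs", "ttp", frozenset({"threat", "monitored"}),
                 ttps=frozenset({"EXAMPLE_TTP_A", "EXAMPLE_TTP_B"})),
    Notification("Blocks on Servers", "policy_action",
                 actions=frozenset({"deny", "terminate"}), policies=frozenset({"Servers"})),
]
OVERLAP = Alert("threat", 8, frozenset({"EXAMPLE_TTP_B"}), "Servers", "deny")
SINGLE = Alert("threat", 7, frozenset({"EXAMPLE_TTP_C"}), "Standard", "terminate")
if __name__ == "__main__":
    for alert in (OVERLAP, SINGLE):
        print(alert.policy, alert.priority, "->", fired(NOTIFICATIONS, alert))
```

In this model the first alert triggers all three notifications, which is the duplicate-alert case the note above warns about; the second triggers only the threshold notification.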

Article Information
Creation Date: 07-15-2016