Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Cb Defense: How is event data categorized, identified, and formed into an Alert?

Cb Defense: How is event data categorized, identified, and formed into an Alert?


  • Cb Defense Web Console: All Versions
  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple Mac OS: All Supported Versions


How is event data categorized, formed into an Alert, and identified?


Data TypeIdentifierDescription
Group Alerts

Threat ID - every Alert will be assigned a Threat ID and there are two factors that will determine if the same Threat ID will be assigned to an Alert:

  • The applications hash
  • The application behavior’s (which forms the reason for the alert).

If the applications hash changes, then a new Threat ID will be assigned. Even if the application name is the same.E.g. Different versions of the same application.

Additionally, if the reason for the alert (the associated alert behavior) changes, then a new Threat ID will be generated.

Please note that a change to either of these (hash or behavior) will result in the alerts not being grouped together. They will be considered separate incidents and be reflected as such in the UI.


Alert ID - when a new Alert is generated, it will be be assigned a unique 8 character Alert ID. This is true even if there are subsequent Alerts created with the exact same hash, action, or device.

If an Alert is generated from the event data, then an Alert summary will be available under the Alerts Page. However, you will be required to go to the Investigate page to view all events tied to a specific Alert.


Event ID - every event sent from the sensor to the Dashboard, will be assigned a unique Event ID.

The sensor will upload all event data to the Investigate page of the Cb Defense Web Console. This includes but is not limited to all failed and successful operations which happen at the machine level as well as any operations which are blocked or terminated by the sensor.

Related Content

Cb Defense: Severity, Threat Level, Target Value, Malware Types Information

Cb Defense: Alert ID vs. Threat ID

Cb Defense: Data Retention Limits

Cb Defense: How to Dismiss Alerts

Cb Defense: What Does Dismissing a Group of Alerts do?

Cb Defense: Why doesn't POLICY_DENY of KNOWN_MALWARE generate an Alert?

Cb Defense: How To Provide A Malware Sample To Carbon Black Support

Labels (1)
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Creation Date: