Cb Defense: How is event data categorized, identified, and formed into an Alert?
Cb Defense Web Console: All Versions
Cb Defense Sensor: All Versions
Microsoft Windows: All Supported Versions
Apple Mac OS: All Supported Versions
How is event data categorized, formed into an Alert, and identified?
Threat ID - every Alert will be assigned a Threat ID and there are two factors that will determine if the same Threat ID will be assigned to an Alert:
The applications hash
The application behavior’s (which forms the reason for the alert).
If the applications hash changes, then a new Threat ID will be assigned. Even if the application name is the same.E.g. Different versions of the same application.
Additionally, if the reason for the alert (the associated alert behavior) changes, then a new Threat ID will be generated.
Please note that a change to either of these (hash or behavior) will result in the alerts not being grouped together. They will be considered separate incidents and be reflected as such in the UI.
Alert ID - when a new Alert is generated, it will be be assigned a unique 8 character Alert ID. This is true even if there are subsequent Alerts created with the exact same hash, action, or device.
If an Alert is generated from the event data, then an Alert summary will be available under the Alerts Page. However, you will be required to go to the Investigate page to view all events tied to a specific Alert.
Event ID - every event sent from the sensor to the Dashboard, will be assigned a unique Event ID.
The sensor will upload all event data to the Investigate page of the Cb Defense Web Console. This includes but is not limited to all failed and successful operations which happen at the machine level as well as any operations which are blocked or terminated by the sensor.