
Cb Defense: How is event data categorized, identified, and formed into an Alert?

Environment

  • Cb Defense Web Console: All Versions
  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple Mac OS: All Supported Versions

Question

How is event data categorized, formed into an Alert, and identified?

Answer

Data Type: Group Alerts
Identifier: Threat ID
Description:

Every Alert is assigned a Threat ID. Two factors determine whether an Alert receives the same Threat ID as an existing Alert:

  • The application's hash
  • The application's behavior (which forms the reason for the alert)

If the application's hash changes, a new Threat ID is assigned, even if the application name is the same (e.g. different versions of the same application).

Additionally, if the reason for the alert (the associated alert behavior) changes, a new Threat ID is generated.

Please note that a change to either of these (hash or behavior) results in the alerts not being grouped together. They are considered separate incidents and are reflected as such in the UI.

Data Type: Alerts
Identifier: Alert ID
Description:

When a new Alert is generated, it is assigned a unique 8-character Alert ID. This is true even if subsequent Alerts are created with the exact same hash, action, or device.

If an Alert is generated from the event data, an Alert summary is available on the Alerts page. However, you must go to the Investigate page to view all events tied to a specific Alert.

Data Type: Events
Identifier: Event ID
Description:

Every event sent from the sensor to the Dashboard is assigned a unique Event ID.

The sensor uploads all event data to the Investigate page of the Cb Defense Web Console. This includes, but is not limited to, all failed and successful operations which happen at the machine level, as well as any operations which are blocked or terminated by the sensor.
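The following Python script is an added example, not Carbon Black code: it models the grouping rules described above on a few constructed alerts. The Threat ID stand-in is derived only from the application hash and the alert behavior, every Alert receives its own 8-character ID regardless of hash, behavior or device, and a helper reports which factor (hash, behavior, or both) caused two alerts to land in separate groups. The field names, hash values, behavior names and ID formats are assumptions; the real backend's ID formats are not described on this page.

```python
import hashlib
import itertools
from collections import defaultdict

# Constructed sample alerts. Field names, hashes and behavior names are
# illustrative assumptions, not real Cb Defense export fields or real file hashes.
SAMPLE_ALERTS = [
    {"device": "WS-01", "app": "updater.exe", "sha256": "11" * 32, "behavior": "RUN_UNKNOWN_APP"},
    {"device": "WS-02", "app": "updater.exe", "sha256": "11" * 32, "behavior": "RUN_UNKNOWN_APP"},
    # Same application name but a different build, so a different hash
    {"device": "WS-01", "app": "updater.exe", "sha256": "22" * 32, "behavior": "RUN_UNKNOWN_APP"},
    # Same binary as the first two, but flagged for a different reason
    {"device": "WS-01", "app": "updater.exe", "sha256": "11" * 32, "behavior": "MODIFY_MEMORY"},
]

_alert_counter = itertools.count(1)


def threat_id(alert):
    """Stand-in for the Threat ID (assumed format): derived only from the
    application hash and the alert behavior, so two alerts share it exactly
    when both factors match. Device and application name play no part."""
    key = f"{alert['sha256']}|{alert['behavior']}".encode()
    return hashlib.sha256(key).hexdigest()[:16].upper()


def new_alert_id():
    """Stand-in for the unique 8-character Alert ID (assumed format): every
    alert gets a fresh one, even with the same hash, behavior and device."""
    return f"A{next(_alert_counter):07d}"


def group_alerts(alerts):
    """Group alerts the way the console groups them: one bucket per Threat ID,
    each member carrying its own Alert ID."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[threat_id(alert)].append({**alert, "alert_id": new_alert_id()})
    return dict(groups)


def why_not_grouped(a, b):
    """List which grouping factors differ between two alerts.
    An empty list means they share a Threat ID."""
    reasons = []
    if a["sha256"] != b["sha256"]:
        reasons.append("hash")
    if a["behavior"] != b["behavior"]:
        reasons.append("behavior")
    return reasons


if __name__ == "__main__":
    for tid, members in group_alerts(SAMPLE_ALERTS).items():
        print(tid, [(m["alert_id"], m["device"], m["behavior"]) for m in members])
    print(why_not_grouped(SAMPLE_ALERTS[0], SAMPLE_ALERTS[2]))
```

Running it shows three groups from four alerts: the two alerts on different devices with the same hash and behavior share one Threat ID, while the rebuilt binary and the same binary with a different behavior each get their own, which is exactly why those would appear as separate incidents in the UI.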

Related Content

Cb Defense: Severity, Threat Level, Target Value, Malware Types Information

Cb Defense: Alert ID vs. Threat ID

Cb Defense: Data Retention Limits

Cb Defense: How to Dismiss Alerts

Cb Defense: What Does Dismissing a Group of Alerts do?

Cb Defense: Why doesn't POLICY_DENY of KNOWN_MALWARE generate an Alert?

Cb Defense: How To Provide A Malware Sample To Carbon Black Support

Article Information
Creation Date: 03-08-2018
Views: 3893