Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Cb Defense: Seemingly unrelated events are grouped together under same Alert ID

Cb Defense: Seemingly unrelated events are grouped together under same Alert ID

Environment

  • Cb Defense Web Console: All Versions

  • Cb Defense Sensor: All Versions

  • Microsoft Windows: All Supported Versions

  • Apple MacOS: All Supported Versions

 

Symptoms

  • When reviewing alerts in the alerts page of the CbD console, seemingly unrelated events, for example, different executables, process threads, Tactics, Techniques and Procedures (TTPs) are designated the same AlertID

 

Cause

Cb Defense Analytics will group suspicious activity on the same device around the same time together to aid in an investigation.

 

Resolution

Working as designed.

 

Additional Notes

  • Grouping by time allows systems administrators to see all suspicious activity within a time window versus generating a lot of alerts that later would have to be manually correlated,  for example, rather than having to parse through 5 alerts for suspicious activity threads, all happening within the same time window on the same device, Cb Defense groups this activity into a single alert making it easier for system administrators to view the activity at the same time.
  • Cb Defense groups events into alerts based on a number of different criteria, among these criteria are device and proximity in time. Once an event or group of events is determined to have triggered an alert, Cb Defense will correlate additional suspicious events on the same device, within a 15 minute time window, to the initial alert grouping.
  • When events get grouped into a single alert the primary process of the alert (as well as the reason for the alert and the threat score of the alert) are all associated with the most suspicious/severe action taken during that time period.
  • Alerts are grouped in the UI by the most severe actor on that device during that time period.
  • Group alerts may have different TTPs and applications involved based on activity taking place on the device during the time of the alert.

 

Related Content

Cb Defense: How is event data categorized, identified, and formed into an Alert?

Cb Defense: How to Dismiss Alerts

Cb Defense: What Does Dismissing a Group of Alerts do?

Cb Defense: Alert ID vs. Threat ID

Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎08-07-2018
Views:
1011