Endpoint Standard: Event ID vs Alert ID vs Threat ID

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard

Question

What is the difference between EventID, AlertID, and ThreatID?

Answer

ID Name: EventID
Description: One specific action involving up to three different hashes (Parent App, Selected App, Target App), occurring on a single device at a specific time. Added in the Predictive Security Cloud (PSC); not shown in Sensor logs. Visible in Event details on the Investigate page. The most granular ID.
Format: 32 characters, hexadecimal; visible in the UI when Event Details are expanded.

ID Name: AlertID
Description: Similar Events taking place within a similar timeframe (±15m) on a single Device. EventIDs are grouped into a single AlertID by the analytics engine in the PSC. Added in the Predictive Security Cloud (PSC); not shown in Sensor logs.
Format: 8 characters, alphanumeric; visible on the Alerts, Alert Triage, and Investigate pages.

ID Name: ThreatID
Description: Similar Alerts tied together across multiple Devices and across multiple timeframes. Added in the Predictive Security Cloud (PSC); not shown in Sensor logs. Only seen in the URL bar on the Alert Triage and Investigate pages; it can be used to search for related AlertIDs on the Alerts page. The least granular ID.
Format: 32 characters, hexadecimal; visible in the URL on the Alert Triage and Investigate pages.
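As an added example (not part of this article and not Carbon Black's own code), the following Python models the hierarchy the table describes: constructed events are grouped into alerts by device and the ±15-minute window, and alerts are tied into threats across devices and timeframes. The similarity rule used here (events sharing the same Parent/Selected/Target hash triple) is an assumption; the PSC analytics engine's real logic is not described on this page.

```python
"""Illustrative model of the Event -> Alert -> Threat hierarchy. Added example,
not Carbon Black's analytics engine; all IDs, hashes and events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

ALERT_WINDOW = timedelta(minutes=15)  # the +/-15m timeframe the article gives for an AlertID


@dataclass(frozen=True)
class Event:
    event_id: str       # 32 hex characters in the product; constructed here
    device: str
    parent_hash: str    # the up-to-three hashes one event involves
    selected_hash: str
    target_hash: str
    ts: datetime

    def signature(self):
        """Assumption: two events are 'similar' when they share the same hash triple."""
        return (self.parent_hash, self.selected_hash, self.target_hash)


def group_alerts(events):
    """Return lists of events that would share one AlertID: same device, same
    signature, and every event within ALERT_WINDOW of the group's first event."""
    alerts = []
    for ev in sorted(events, key=lambda e: (e.device, e.signature(), e.ts)):
        cur = alerts[-1] if alerts else None
        if (cur and cur[0].device == ev.device and cur[0].signature() == ev.signature()
                and ev.ts - cur[0].ts <= ALERT_WINDOW):
            cur.append(ev)
        else:
            alerts.append([ev])
    return alerts


def group_threats(alerts):
    """Return lists of alerts sharing one ThreatID: same signature, any device or time."""
    threats = {}
    for alert in alerts:
        threats.setdefault(alert[0].signature(), []).append(alert)
    return list(threats.values())


def sample_events():
    """Constructed input: 3 events on dev-1 inside 15 min, 1 an hour later, 1 on dev-2, 1 unrelated."""
    base = datetime(2017, 7, 21, 9, 0)
    sig_a, sig_b = ("aa" * 32, "bb" * 32, "cc" * 32), ("dd" * 32, "ee" * 32, "ff" * 32)
    rows = [("dev-1", sig_a, 0), ("dev-1", sig_a, 5), ("dev-1", sig_a, 12),
            ("dev-1", sig_a, 60), ("dev-2", sig_a, 120), ("dev-1", sig_b, 1)]
    return [Event(f"{i:032x}", dev, *sig, base + timedelta(minutes=m))
            for i, (dev, sig, m) in enumerate(rows)]
```

Running `group_threats(group_alerts(sample_events()))` yields four alerts (one holding the three clustered dev-1 events) collapsing into two threats, mirroring how one ThreatID can span several AlertIDs on different devices.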

Additional Notes

  • AlertID (with the 'alert ID:' prefix) and ThreatID (as plain text) can be searched for on the Alerts page
  • EventID (with the 'event ID:' prefix) and AlertID (with the 'alert ID:' prefix) can be searched for on the Investigate page

Article Information
Creation Date: 07-21-2017