Endpoint Standard: Event ID vs Alert ID vs Threat ID
Carbon Black Cloud Console: All Versions
What is the difference between EventID/event_id, AlertID/alert_id, and ThreatID/threat_id?
EventID (event_id): One specific action involving up to three different hashes (Parent App, Selected App, Target App), occurring on a single device at a specific time. Added in the Predictive Security Cloud (PSC), not shown in Sensor logs. Visible in Event details on the Investigate page. The most granular ID. 32 characters, hexadecimal, visible in the UI when Event Details are expanded.
AlertID (alert_id): Similar Events taking place within a similar timeframe (±15m) on a single Device. EventIDs are grouped into a single AlertID by the analytics engine in the PSC. Added in the Predictive Security Cloud (PSC), not shown in Sensor logs. 8 characters, alphanumeric, visible on the Alerts, Alert Triage, and Investigate pages.
ThreatID (threat_id): Similar Alerts tied together across multiple Devices and across multiple timeframes. Added in the Predictive Security Cloud (PSC), not shown in Sensor logs. Only seen in the URL bar on the Alert Triage and Investigate pages; can be used to search for related AlertIDs on the Alerts page. The least granular ID. 32 characters, hexadecimal, visible in the URL on the Alert Triage and Investigate pages.
AlertID ('alert_id:') and ThreatID ('threat_id:') can be searched for on the Alerts page.
EventID ('event_id:') and AlertID ('alert_id:') can be searched for on the Investigate page.
This information applies to CB Analytics Alerts, not to Enterprise EDR Watchlist hits.
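The following is an added example, not code from Carbon Black or this article. It encodes the ID formats and page/search-field pairings stated above so that an analyst handed a bare ID (from a ticket, a chat message, a copied URL) can tell which search to run and on which page. The one point worth noticing is that EventID and ThreatID share the same 32-character hexadecimal shape, so the format alone cannot tell them apart; where the value was copied from (expanded Event Details versus the URL bar) is what resolves it. The `source` labels 'event_details' and 'url_bar' and all sample ID values are assumptions constructed for this example.

```python
import re

# Format rules from the article: EventID and ThreatID are 32 hexadecimal
# characters, AlertID is 8 alphanumeric characters.
_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
_ALNUM8 = re.compile(r"^[0-9A-Za-z]{8}$")

# Search field -> console pages on which that field can be searched (per the article).
SEARCH_PAGES = {
    "event_id": ("Investigate",),
    "alert_id": ("Alerts", "Investigate"),
    "threat_id": ("Alerts",),
}

# Most granular to least granular, as the article orders them.
GRANULARITY = ("event_id", "alert_id", "threat_id")


def possible_kinds(value):
    """Return every ID kind whose documented format matches `value`.

    A 32-char hex string matches both event_id and threat_id, so two kinds
    can come back; an 8-char alphanumeric string is only ever an alert_id.
    """
    v = value.strip()
    if _HEX32.match(v):
        return ["event_id", "threat_id"]
    if _ALNUM8.match(v):
        return ["alert_id"]
    return []


def resolve_kind(value, source=None):
    """Pick a single kind, using where the value was copied from to break ties.

    `source` is an assumed label: 'event_details' (expanded Event Details on the
    Investigate page, where EventIDs are shown) or 'url_bar' (Alert Triage /
    Investigate URL, where ThreatIDs are shown). Returns None when ambiguous.
    """
    kinds = possible_kinds(value)
    if len(kinds) == 2:
        if source == "event_details":
            return "event_id"
        if source == "url_bar":
            return "threat_id"
        return None
    return kinds[0] if kinds else None


def search_terms(value, source=None):
    """Return (kind, query string, pages) tuples the analyst can paste into the console.

    If the kind cannot be resolved, every candidate is returned so nothing is
    silently dropped; the caller sees both the Investigate and the Alerts query.
    """
    v = value.strip()
    kind = resolve_kind(v, source)
    kinds = [kind] if kind else possible_kinds(v)
    return [(k, f"{k}:{v}", SEARCH_PAGES[k]) for k in kinds]


if __name__ == "__main__":
    # Constructed sample values; they are not real IDs from any environment.
    samples = [
        ("Ab3d9XyZ", None),                                   # looks like an AlertID
        ("0123456789abcdef0123456789ABCDEF", None),           # ambiguous 32-hex
        ("0123456789abcdef0123456789ABCDEF", "url_bar"),      # resolved to threat_id
        ("0123456789abcdef0123456789ABCDEF", "event_details"),# resolved to event_id
        ("not-an-id", None),                                  # matches nothing
    ]
    for value, source in samples:
        terms = search_terms(value, source)
        if not terms:
            print(f"{value!r}: does not match any documented ID format")
            continue
        for kind, query, pages in terms:
            print(f"{value!r} (source={source}): search {query!r} on {', '.join(pages)}")
```

When triaging from a ticket that only contains a 32-character hex value, run both queries the helper returns: `event_id:` on the Investigate page and `threat_id:` on the Alerts page. Exactly one of them should produce results, and a `threat_id:` hit on the Alerts page is the quickest way to enumerate every related AlertID across devices.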