Endpoint Standard: Seemingly unrelated events are grouped together under same Alert ID

Environment

  • Carbon Black Cloud (formerly PSC) Console: All Versions
  • Endpoint Standard (formerly CB Defense) Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple MacOS: All Supported Versions

Symptoms

Seemingly unrelated events are assigned the same Alert ID

Cause

The CBC Analytics component groups suspicious activity together when it occurred on the same device at around the same time.

Resolution

This behavior is intentional and by design; it is meant to aid malware investigations.

Additional Notes

  • The CBC groups events into alerts based on a number of different criteria. Among these criteria are device and proximity in time.
  • Once an event or group of events is determined to have triggered an alert, the CBC will correlate additional suspicious events on the same device, within a 15 minute time window, to the initial alert grouping.
  • Grouping by time allows systems administrators to see all suspicious activity within a time window versus generating a lot of alerts that later would have to be manually correlated. For example, rather than having to parse through 5 alerts for suspicious activity threads, all happening within the same time window on the same device, the CBC groups this activity into a single alert making it easier for system administrators to view all the activity that occurred around that time.
  • When events are grouped into a single alert, the primary process of the alert (as well as the reason for the alert and the threat score of the alert) is taken from the most suspicious/severe action observed during that time period.
  • Alerts are grouped in the UI by the most severe actor on that device during that time period.
  • Group alerts may have different TTPs and applications involved based on activity taking place on the device during the time of the alert.
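The grouping rules described in the notes above (same device, events correlated to the initial alert within a 15 minute window, primary process and threat score taken from the most severe event), written out as an added, simplified model so an analyst can see why unrelated-looking events share one Alert ID. This is illustrative code, not Carbon Black's analytics engine; the event records, the 1-10 threat score scale and the hostnames are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # correlation window described in the article


@dataclass
class Event:
    device: str
    ts: datetime
    process: str
    reason: str
    score: int  # assumed 1-10 threat score, higher = more severe


@dataclass
class Alert:
    device: str
    start: datetime          # timestamp of the event that opened the alert
    events: list = field(default_factory=list)

    @property
    def primary(self) -> Event:
        # Primary process, reason and threat score of the alert all come
        # from the most severe event grouped into it.
        return max(self.events, key=lambda e: e.score)


def group_events(events: list) -> list:
    """Correlate suspicious events on the same device, within WINDOW of the
    event that opened the alert, into one alert; otherwise open a new one."""
    alerts, open_by_device = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        alert = open_by_device.get(e.device)
        if alert is None or e.ts - alert.start > WINDOW:
            alert = Alert(e.device, e.ts)
            alerts.append(alert)
            open_by_device[e.device] = alert
        alert.events.append(e)
    return alerts


# Constructed sample events (not real telemetry); WS-01 sees three events in
# 12 minutes, then another 20 minutes after the first, and WS-02 sees one.
SAMPLE_EVENTS = [
    Event("WS-01", datetime(2020, 9, 9, 10, 0), "winword.exe", "Office app spawned a shell", 2),
    Event("WS-01", datetime(2020, 9, 9, 10, 4), "powershell.exe", "Encoded command line", 7),
    Event("WS-01", datetime(2020, 9, 9, 10, 12), "cmd.exe", "Suspicious script execution", 3),
    Event("WS-02", datetime(2020, 9, 9, 10, 5), "rundll32.exe", "Unusual DLL load", 5),
    Event("WS-01", datetime(2020, 9, 9, 10, 20), "cmd.exe", "Suspicious script execution", 4),
]


def sample_alerts() -> list:
    return group_events(SAMPLE_EVENTS)
```

Running `sample_alerts()` yields three alerts: the first WS-01 alert holds three events and reports powershell.exe (score 7) as its primary process, while the 10:20 event falls outside the window and opens a separate alert.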

Article Information
Creation Date: 09-09-2020