Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard (was CB Defense)
- Carbon Black Cloud Sensor: 3.0.x.x and Higher
- Microsoft Windows: All Supported Versions
- Apple macOS: All Supported Versions
Objective
Provide guidance on identifying Alerts linked to a decoy or canary file
Resolution
- Go to the Alerts page
- Search for alerts where the reason code is T_CANARY
reason_code:T_CANARY
- Resulting list is Alerts linked to canary files
Additional Notes
- If 'T_CANARY' is listed as the reason for the Alert the file is a canary or decoy file; if not, investigate the Alert further
- Canary or decoy files were introduced with the 3.0.x.x Sensor for Endpoint Standard (was CB Defense) and are included in the Carbon Black Cloud Sensors of higher versions
Related Content