Environment
- Carbon Black Cloud (Formerly PSC) Console: All Versions
Objective
How to dismiss alerts for different purposes and how to check if an alert is dismissed properly.
There are 2 options for dismissing alerts:
1. Dismiss a single alert (to only dismiss a single incident on a single device, and not affect future similar incidents)
2. Dismiss all similar alerts in the future (to dismiss all similar current and future incidents from any devices in the org)
Resolution
Dismiss A Single Alert
- Log in to the Carbon Black Cloud Console and go to the "Alerts" page
- Switch the "Group Alerts" toggle OFF, then click the drop-down button of the target alert and click "Dismiss"
- When the Dismiss Activity confirmation window pops up, confirm the information and leave comments if needed, then click "DISMISS"
- The dismissed alert should now be grayed-out on the Alerts page.
Dismiss Grouped Alerts Across All Devices
- Log in to the Carbon Black Cloud Console and go to the "Alerts" page
- Switch the "Group Alerts" toggle ON, then click the drop-down button of the target alert and click "Dismiss on all devices"
- When the Dismiss Activity confirmation window pops up, confirm the information and leave comments if needed, make sure "Dismiss future instances of this alert on all devices in all policies" is checked, then click "DISMISS"
- Similar alerts with the same Threat ID should all be dismissed and grayed-out on the Alerts page. See Cb Defense: Alert ID vs. Threat ID for additional information.
Check if an alert is dismissed properly
- Log in to the Carbon Black Cloud Console and go to the Alerts page, then find the target Alert you want to check.
- Click on the Alert Triage button

- Scroll down to find the "ALERT NOTES & TAGS" section, and check the latest dismissing event.
- If the Message in the result shows "Dismissed alert xxxxxxxxxxx on device xxxxxxx......", this indicates a single incident was dismissed on a single device.
- If the Message in the result shows "Dismissed x alert in threat xxxxxxxxxxxx on all devices, as well as all future occurrences......", this indicates all similar threats under the same Threat ID have been dismissed.
- The description of that action also shows whether the dismissal was applied to future instances.
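The check above can also be run over note text copied out of the console, to list which Threat IDs now have future alerts dismissed. This Python sketch is an added example, not Carbon Black code: the patterns are built only from the two message prefixes quoted above, and the sample notes, IDs, device name and function names are constructed for illustration.

```python
import re

# Patterns built from the two message prefixes quoted in this article.
SINGLE = re.compile(r"^Dismissed alert (?P<alert_id>\S+) on device (?P<device>\S+)")
GROUPED = re.compile(
    r"^Dismissed (?P<count>\d+) alerts? in threat (?P<threat_id>\S+) on all devices"
    r"(?P<future>, as well as all future occurrences)?"
)


def classify_dismissal(message):
    """Return the scope of one dismissal note, or None if it is not one."""
    m = GROUPED.match(message)
    if m:
        return {
            "scope": "threat",                 # dismissed by threat_id
            "key": m.group("threat_id"),
            "count": int(m.group("count")),
            "future": m.group("future") is not None,
        }
    m = SINGLE.match(message)
    if m:
        # Dismissed by alert_id: one incident on one device, never future ones.
        return {"scope": "alert", "key": m.group("alert_id"),
                "device": m.group("device"), "future": False}
    return None


def future_suppressed_threats(messages):
    """Threat IDs whose future alerts are dismissed (and so send no notification)."""
    found = (classify_dismissal(msg) for msg in messages)
    return sorted({d["key"] for d in found
                   if d and d["scope"] == "threat" and d["future"]})


# Constructed sample notes; IDs and the device name are made up.
SAMPLE_NOTES = [
    "Dismissed alert A1B2C3D4 on device WIN-LAB-01",
    "Dismissed 3 alert in threat 9f8e7d6c on all devices, as well as all future occurrences",
    "Dismissed 2 alerts in threat 1a2b3c4d on all devices",
    "Analyst comment: confirmed benign installer",
]

if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        print(classify_dismissal(note), "<-", note)
    print("future-suppressed threats:", future_suppressed_threats(SAMPLE_NOTES))
```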
Additional Notes
- There is no way to dismiss an alert with "Group Alerts" OFF and "Dismiss future instances of this alert on all devices in all policies" checked; dismissing with "Group Alerts" OFF will not affect any future new instances
- Dismissing alerts is not instantaneous; there is a time delay of less than five minutes
- Notifications will not be sent for any new Alerts added to a dismissed group of alerts as the dismissal supersedes Notifications
- Dismissal of an individual Alert is by alert_id
- Dismissal of grouped Alerts is by threat_id
- It is not possible to dismiss an Event not tied to an alert_id