Endpoint Standard: How to Verify a Decoy/Canary File is involved in an Alert

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (was CB Defense)
  • Carbon Black Cloud Sensor: 3.0.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Objective

Provide guidance on identifying Alerts linked to a decoy or canary file

Resolution

  1. Go to the Alerts page
  2. Search for alerts where the reason code is T_CANARY
    reason_code:T_CANARY
  3. Resulting list is Alerts linked to canary files

Additional Notes

  • If 'T_CANARY' is listed as the reason code for the Alert, the file involved is a canary or decoy file; if it is not, the Alert is unrelated to a decoy and should be investigated further
  • Canary or decoy files were introduced with the 3.0.x.x Sensor for Endpoint Standard (was CB Defense) and are included in the Carbon Black Cloud Sensors of higher versions
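The following is an added example and is not code from the article or from Carbon Black. It reproduces the console search above through the Carbon Black Cloud Alerts API and then applies the triage rule from the notes (reason code T_CANARY means a decoy/canary file, anything else needs further investigation) to a constructed set of alert records. The endpoint path, the `reason_code` criteria field, and the `X-Auth-Token` header format are assumptions about the API and should be checked against the Carbon Black Cloud API documentation for your org; the sample alerts and the non-canary reason code in them are constructed for illustration only.

```python
import json
from typing import Dict, List, Tuple

# Reason code the console uses for alerts involving a decoy/canary file (from the article).
CANARY_REASON_CODE = "T_CANARY"


def build_canary_search(org_key: str, rows: int = 100) -> Tuple[str, Dict]:
    """Build the API request that mirrors the console search 'reason_code:T_CANARY'.

    Assumption: the Carbon Black Cloud Alerts API CB Analytics search endpoint
    (/appservices/v6/orgs/{org_key}/alerts/cbanalytics/_search) accepts a
    'criteria' object whose values are lists, including 'reason_code'.
    Verify the path and field names against your CBC API documentation.
    """
    path = f"/appservices/v6/orgs/{org_key}/alerts/cbanalytics/_search"
    body = {
        "criteria": {"reason_code": [CANARY_REASON_CODE]},
        "rows": rows,
    }
    return path, body


def build_auth_headers(api_id: str, api_secret: str) -> Dict[str, str]:
    """Headers for a CBC API call.

    Assumption: CBC expects 'X-Auth-Token: <api_secret>/<api_id>' for
    API-key authentication; confirm the format for your API key type.
    """
    return {
        "X-Auth-Token": f"{api_secret}/{api_id}",
        "Content-Type": "application/json",
    }


def triage_alerts(alerts: List[Dict]) -> Tuple[List[str], List[str]]:
    """Apply the article's rule to alert records.

    Returns (canary_alert_ids, investigate_alert_ids): alerts whose reason
    code is T_CANARY involve a decoy/canary file; all others are returned
    for further investigation. Alerts with no reason_code are treated as
    needing investigation rather than silently dropped.
    """
    canary: List[str] = []
    investigate: List[str] = []
    for alert in alerts:
        alert_id = alert.get("id", "<no id>")
        if alert.get("reason_code") == CANARY_REASON_CODE:
            canary.append(alert_id)
        else:
            investigate.append(alert_id)
    return canary, investigate


# Constructed sample alert records, not real CBC output. 'T_EXAMPLE_OTHER'
# is a placeholder reason code, not a real Carbon Black reason code.
SAMPLE_ALERTS: List[Dict] = [
    {"id": "alert-1", "reason_code": "T_CANARY", "reason": "Decoy file accessed"},
    {"id": "alert-2", "reason_code": "T_EXAMPLE_OTHER", "reason": "Other detection"},
    {"id": "alert-3", "reason_code": "T_CANARY", "reason": "Decoy file accessed"},
    {"id": "alert-4", "reason": "Record with no reason code"},
]


if __name__ == "__main__":
    path, body = build_canary_search("ORGKEY")
    print("POST", path)
    print(json.dumps(body, indent=2))
    canary_ids, investigate_ids = triage_alerts(SAMPLE_ALERTS)
    print("Canary/decoy file alerts:", canary_ids)
    print("Alerts to investigate further:", investigate_ids)
```

To run it against a live tenant, send `body` as JSON to `https://<your CBC hostname><path>` with `build_auth_headers(...)` and pass the returned `results` list to `triage_alerts`; the partition shows at a glance which alerts the decoy feature generated and which ones still need a human look.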

Article Information
Creation Date: 08-28-2020