Carbon Black Cloud: "Alert" Email notifications seemingly continue to be generated even though all future alerts are auto-dismissed and "suppressed"
Article ID: 284867
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
An initial alert is dismissed with the action checked to auto-dismiss all future versions of the alert.
The admin continues to receive similar email notifications, titled "CARBON BLACK CLOUD ALERT", stating that the action that caused the initial alert has occurred again (for example, a policy block for an executable).
Environment
Carbon Black Cloud Server: All versions
Carbon Black Cloud Sensor: All versions
Cause
There are actually two types of email notifications: (1) an email notifying of an actual Alert (which can be seen on the console's Alerts page), and (2) an email notifying that a permissions action has occurred, for example to deny/block an application. This second category does not trigger a true alert, but it does generate an email notification when a policy action has been applied, and the title of that email includes the term "ALERT", which can cause confusion. The second setting is on the Settings / Notifications page of the Console.