Carbon Black Cloud: How to Add New Notifications

Article ID: 287522

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • How to add a new Notification in the Carbon Black Cloud Console so that email and SIEM Connector alerts are sent automatically when an alert meets the configured conditions.

Environment

  • Carbon Black Cloud (Formerly PSC) Console: All Versions

Resolution

  1. Log in to the Carbon Black Cloud Console
  2. Navigate to Settings > Notifications
  3. Select the button in the top left labeled '+ Add Notification'
  4. In the Add Notification pop-up modal window, provide an alert name.
  5. Select one of the three options for when the alert will notify:
    1. Alert crosses a threshold
    2. Alert matches specific TTP
    3. Policy action enforced
  6. Configure the options for the selected 'Notify when' type, outlined below.
  7. Choose whether this notification applies to all policies or only to specific policies
  8. Subscribe any Users and/or Connectors (for example a SIEM Connector API key) that will receive these notifications
  9. If desired, check the box for 'Send only 1 email notification for each threat type per day' to limit notifications from this rule to one per threat type per day.
Depending on which 'Notify when' type is selected, new options are presented to configure the Notification:
  • Alert crosses a threshold:
    1. Threat and/or Monitored
    2. Alert Priority Score - Anything that is equal to or higher than the selected alert priority will trigger this notification.
  • Alert matches specific TTP
    1. Threat and/or Monitored
    2. TTPs - Start typing to select from a list of TTPs, or click into the search field to see TTPs that can be selected from the dropdown list. If you select multiple TTPs, they are logically OR'd: an alert that matches any one of them triggers the notification.
  • Policy action enforced
    1. Deny or Terminate

Additional Information

  • When setting up notifications, avoid overlapping conditions (for example a priority-threshold rule and a TTP rule that both cover the same alerts). Otherwise, subscribers may receive multiple notifications for the same event.
  • Once a notification has been triggered, the User(s)/Connector(s) subscribed to it receive an email/alert detailing the action applied, the event, the applications involved, and the TTPs.
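The following is an added example, not Carbon Black code or the console's own rule engine. It is a small Python model of the three 'Notify when' rule types described under Resolution (priority threshold, OR'd TTP list, policy action) together with the policy scope and the 'once per threat type per day' option, and it walks through the overlap caveat above: one alert that satisfies several rules is delivered several times. The alert fields, the TTP labels and the rule names are constructed for the demonstration and are not the Carbon Black Cloud alert schema.

```python
"""Added example: a constructed model of Carbon Black Cloud notification rules.

Not Carbon Black code. Models the three 'Notify when' rule types from the
article and the per-day suppression option to show why overlapping rules
deliver the same alert more than once. Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

THREAT, MONITORED = "THREAT", "MONITORED"


@dataclass(frozen=True)
class Alert:
    """Constructed alert record (assumed fields, not the CBC schema)."""
    threat_type: str               # constructed label, e.g. "Known Malware"
    category: str                  # THREAT or MONITORED
    priority: int                  # alert priority score, 1 (low) .. 10 (high)
    ttps: FrozenSet[str]           # constructed TTP labels
    policy: str                    # policy the device belongs to
    policy_action: Optional[str]   # "DENY", "TERMINATE" or None
    day: date


@dataclass(frozen=True)
class Notification:
    """One console notification rule as configured in Settings > Notifications."""
    name: str
    notify_when: str               # "threshold", "ttp" or "policy_action"
    categories: FrozenSet[str] = frozenset({THREAT, MONITORED})
    min_priority: int = 1          # threshold rules fire when priority >= this
    ttps: FrozenSet[str] = frozenset()     # ttp rules: any single match fires (OR)
    actions: FrozenSet[str] = frozenset()  # policy_action rules: DENY/TERMINATE
    policies: Optional[FrozenSet[str]] = None  # None means all policies
    once_per_threat_type_per_day: bool = False

    def matches(self, alert: Alert) -> bool:
        # Policy scope applies to every rule type.
        if self.policies is not None and alert.policy not in self.policies:
            return False
        if self.notify_when == "threshold":
            return alert.category in self.categories and alert.priority >= self.min_priority
        if self.notify_when == "ttp":
            # Selected TTPs are OR'd: one overlap with the alert's TTPs is enough.
            return alert.category in self.categories and bool(alert.ttps & self.ttps)
        if self.notify_when == "policy_action":
            return alert.policy_action in self.actions
        raise ValueError(f"unknown notify_when: {self.notify_when}")


class Dispatcher:
    """Evaluates every rule against each alert and records what would be sent."""

    def __init__(self, rules: List[Notification]) -> None:
        self.rules = rules
        self._sent_today: Set[Tuple[str, str, date]] = set()

    def deliver(self, alert: Alert) -> List[str]:
        """Return the names of the rules that send a notification for this alert."""
        fired: List[str] = []
        for rule in self.rules:
            if not rule.matches(alert):
                continue
            if rule.once_per_threat_type_per_day:
                key = (rule.name, alert.threat_type, alert.day)
                if key in self._sent_today:
                    continue  # suppressed: already sent for this threat type today
                self._sent_today.add(key)
            fired.append(rule.name)
        return fired


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two overlapping rules plus a scoped policy-action rule."""
    rules = [
        Notification("High priority", "threshold", min_priority=5),
        Notification("Malware TTPs", "ttp",
                     ttps=frozenset({"RUN_MALWARE_APP", "KNOWN_MALWARE"})),
        Notification("Blocked by policy", "policy_action",
                     actions=frozenset({"DENY", "TERMINATE"}),
                     policies=frozenset({"Standard"}),
                     once_per_threat_type_per_day=True),
    ]
    d = Dispatcher(rules)
    today = date(2024, 1, 15)
    results: Dict[str, List[str]] = {}
    # Priority 8 alert carrying a listed TTP, terminated by policy: all three
    # rules match, so subscribers get three notifications for one event.
    results["overlap"] = d.deliver(Alert("Known Malware", THREAT, 8,
                                         frozenset({"KNOWN_MALWARE"}),
                                         "Standard", "TERMINATE", today))
    # Same threat type terminated again the same day: the once-per-day option
    # suppresses rule 3, but the threshold rule still fires.
    results["repeat"] = d.deliver(Alert("Known Malware", THREAT, 6, frozenset(),
                                        "Standard", "TERMINATE", today))
    # Low-priority monitored alert in a policy rule 3 does not cover: nothing fires.
    results["quiet"] = d.deliver(Alert("Suspicious Script", MONITORED, 3,
                                       frozenset({"POLICY_DENY"}),
                                       "Servers", "DENY", today))
    return results


if __name__ == "__main__":
    for scenario, fired in demo().items():
        print(f"{scenario}: {fired}")
```

The first scenario is the overlap the article warns about: a single event satisfies the threshold rule, the TTP rule and the policy-action rule, and each subscribed user or connector receives a separate notification. Narrowing the threshold rule to a higher priority or removing the shared TTP from one rule avoids the duplicates; the per-day suppression only collapses repeats of the same threat type under one rule, as the second scenario shows.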