Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
How to add new Notifications to the Carbon Black Cloud Console, to allow email and SIEM Connector alerts to be sent out automatically.
Environment
Carbon Black Cloud (Formerly PSC) Console: All Versions
Resolution
Log in to the Carbon Black Cloud Console
Navigate to Settings > Notifications
Select the button in the top left labeled '+ Add Notification'
In the Add Notification pop-up modal window, provide an alert name.
Select one of the three options for when the alert will notify:
Alert crosses a threshold
Alert matches specific TTP
Policy action enforced
Configure the options for the selected 'Notify when' type, outlined below.
Choose whether the notification applies to all policies or only to specific policies
Subscribe any Users and/or Connectors that will receive these notifications
If desired, check the box 'Send only 1 email notification for each threat type per day' to limit the number of notifications sent for each threat type to one per day.
Depending on which 'Notify when' type is selected, new options are presented to configure the Notification:
Alert crosses a threshold:
Threat and/or Monitored
Alert Priority Score - Anything that is equal to or higher than the selected alert priority will trigger this notification.
Alert matches specific TTP
Threat and/or Monitored
TTPs - Start typing to select from a list of TTPs, or click into the search field to see TTPs that can be selected from the dropdown list. If you select multiple TTPs, they will be logically OR'd, so the notification fires when an alert matches any one of them.
Policy action enforced
Deny or Terminate
Additional Information
When setting up alerts, avoid overlapping conditions. Otherwise, you may receive multiple alerts for the same event.
Once an alert notification has been triggered, the User(s)/Connector(s) added to that notification will receive an email/alert detailing the action applied, the event, the applications involved, and the TTPs.
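The following Python model is an added illustration, not Carbon Black's own code: it captures the three 'Notify when' semantics above, the OR'ing of multiple TTPs, the once-per-day throttle, and why overlapping rules produce more than one notification for a single alert. The rule and alert fields, and the reading of 'threat type' as the Threat/Monitored alert type, are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set
# Constructed model of the three 'Notify when' rule types this article describes.
# It is an illustration of the matching semantics, not Carbon Black's own code.

@dataclass
class Alert:
    alert_type: str                  # "Threat" or "Monitored"
    priority: int                    # alert priority score
    ttps: Set[str]                   # TTP names attached to the alert
    policy: str                      # policy the device is in
    policy_action: Optional[str] = None   # "Deny", "Terminate" or None

@dataclass
class Notification:
    name: str
    notify_when: str                 # "threshold", "ttp" or "policy_action"
    alert_types: Set[str] = field(default_factory=lambda: {"Threat", "Monitored"})
    min_priority: int = 1            # equal-or-higher priority triggers
    ttps: Set[str] = field(default_factory=set)   # multiple TTPs are OR'd
    policy_actions: Set[str] = field(default_factory=set)
    policies: Optional[Set[str]] = None           # None means all policies
    once_per_threat_type_per_day: bool = False
    sent: Set[tuple] = field(default_factory=set)  # (threat type, day) already emailed

    def matches(self, alert: Alert) -> bool:
        if self.policies is not None and alert.policy not in self.policies:
            return False
        if self.notify_when == "threshold":
            return alert.alert_type in self.alert_types and alert.priority >= self.min_priority
        if self.notify_when == "ttp":
            return alert.alert_type in self.alert_types and bool(self.ttps & alert.ttps)
        if self.notify_when == "policy_action":
            return alert.policy_action in self.policy_actions
        return False

    def should_send(self, alert: Alert, day: str) -> bool:
        """Apply the once-per-day throttle; 'threat type' is assumed to mean alert_type."""
        if not self.matches(alert):
            return False
        if self.once_per_threat_type_per_day:
            key = (alert.alert_type, day)
            if key in self.sent:
                return False
            self.sent.add(key)
        return True

def notifications_for(alert: Alert, rules, day: str):
    """Names of every rule that fires; more than one name means overlapping conditions."""
    return [r.name for r in rules if r.should_send(alert, day)]
```

Feeding one alert through a threshold rule, a TTP rule and a policy-action rule that all cover it returns three names, which is exactly the duplicate-notification situation the overlap caveat above warns about.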