Endpoint Standard: How to Verify a Decoy/Canary File is involved in an Alert
Article ID: 290539


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

Provide guidance on identifying Alerts linked to a decoy or canary file

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (was CB Defense)
  • Carbon Black Cloud Sensor: 3.0.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Resolution

  1. Go to the Alerts page
  2. Search for alerts where the reason code is T_CANARY:
    reason_code:T_CANARY
  3. The resulting list contains the Alerts linked to canary files

Additional Information

  • If 'T_CANARY' is listed as the reason for the Alert, the file involved is a canary or decoy file; if not, investigate the Alert further
  • Canary or decoy files were introduced with the 3.0.x.x Sensor for Endpoint Standard (was CB Defense) and are included in the Carbon Black Cloud Sensors of higher versions