Endpoint Standard: Alert reason differs between UI and SIEM notification
Article ID: 290552
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- The Alert in the UI reports a different application/reason for the alert than the SIEM event does
- The event in the SIEM is an earlier event in the Alert thread
Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard: All Versions
- API SIEM Notification enabled
Cause
- The SIEM notification is sent as soon as an Alert ID is generated, regardless of any later events that become associated with the alert
- The UI shows the event in the Alert thread with the highest threat score
Resolution
This behavior is by design. Only one notification is sent to the SIEM per Alert ID.
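As an added example (not Carbon Black code and not its API), the following Python model shows why the SIEM notification and the console can name different events for the same Alert ID, and includes a reconciliation check a SOC can run over exported events. The event shape, field names (alert_id, sequence, threat_score) and sample events are constructed assumptions.

```python
# Added example, not Carbon Black code: models one Alert ID whose thread grows over
# time, the SIEM notification (earliest event), the UI view (highest threat score),
# and a reconciliation that flags Alert IDs where the two name different things.
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertEvent:
    alert_id: str
    sequence: int       # order in which the event joined the Alert thread (assumed)
    application: str    # process the event was attributed to
    reason: str
    threat_score: int   # higher means more severe (assumed scale)


def siem_notification(thread):
    """One notification per Alert ID, sent when the ID is generated: the earliest event."""
    return min(thread, key=lambda e: e.sequence)


def ui_alert_view(thread):
    """The console shows the event in the thread with the highest threat score."""
    return max(thread, key=lambda e: e.threat_score)


def reconcile(events):
    """Group events by Alert ID; return {alert_id: (siem_event, ui_event)} for mismatches."""
    threads = {}
    for e in events:
        threads.setdefault(e.alert_id, []).append(e)
    mismatches = {}
    for alert_id, thread in threads.items():
        sent = siem_notification(thread)
        shown = ui_alert_view(thread)
        if (sent.application, sent.reason) != (shown.application, shown.reason):
            mismatches[alert_id] = (sent, shown)
    return mismatches


# Constructed sample data: A-1 is a thread that grew after the first notification.
SAMPLE_EVENTS = [
    AlertEvent("A-1", 1, "powershell.exe", "Script interpreter launched by document", 3),
    AlertEvent("A-1", 2, "cmd.exe", "Unexpected child process", 5),
    AlertEvent("A-1", 3, "rundll32.exe", "Known malware executed", 9),
    AlertEvent("A-2", 1, "chrome.exe", "Connection to blocked address", 4),
]

if __name__ == "__main__":
    for alert_id, (sent, shown) in reconcile(SAMPLE_EVENTS).items():
        print(f"{alert_id}: SIEM saw {sent.application!r}, UI shows {shown.application!r}")
```

Joining SIEM notifications to console alerts on Alert ID, rather than on application or reason, is the check that reconciles the two views.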