Endpoint Standard: Event ID vs Alert ID vs Threat ID

Article ID: 291980

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

What is the difference between EventID/event_id, AlertID/alert_id, and ThreatID/threat_id?

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard

Resolution

  • EventID
    • Description: One specific action involving up to three different hashes (Parent App, Selected App, Target App), occurring on a single device at a specific time. Added in the Predictive Security Cloud (PSC); not shown in Sensor logs. Visible in Event details on the Investigate page. The most granular ID.
    • Format: 32 characters, hexadecimal; visible in the UI when Event Details are expanded.
  • AlertID
    • Description: Similar Events taking place within a similar timeframe (±15m) on a single Device. EventIDs are grouped into a single AlertID by the analytics engine in the PSC. Added in the Predictive Security Cloud (PSC); not shown in Sensor logs.
    • Format: 8 characters, alphanumeric; visible on the Alerts, Alert Triage, and Investigate pages.
  • ThreatID
    • Description: Similar Alerts tied together across multiple Devices and across multiple timeframes. Added in the Predictive Security Cloud (PSC); not shown in Sensor logs. Only seen in the URL bar on the Alert Triage and Investigate pages; can be used to search for related AlertIDs on the Alerts page. The least granular ID.
    • Format: 32 characters, hexadecimal; visible in the URL on the Alert Triage and Investigate pages.

Additional Information

  • AlertID ('alert_id:') and ThreatID ('threat_id:') can be searched for on the Alerts page
  • EventID ('event_id:') and AlertID ('alert_id:') can be searched for on the Investigate page
  • This information applies to CB Analytics Alerts, not to Enterprise EDR Watchlist hits
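The following is an added example, not Carbon Black code, that models the Event → Alert → Threat hierarchy described in the Resolution table and the search syntax listed above. The PSC analytics engine's real grouping rules are not documented in this article, so the grouping criteria here are assumptions: "similar" events are taken to mean the same (Parent, Selected, Target) hash triple, and an Alert's ±15m window is measured from its first Event. The sample events, hostnames, timestamps and hashes are constructed. One practical point it makes explicit: an EventID and a ThreatID share the same 32-character hexadecimal format, so the format alone cannot tell them apart; only where the value was copied from (expanded Event Details versus the URL bar) does.

```python
"""Illustrative model of EventID -> AlertID -> ThreatID grouping (added example,
not Carbon Black's implementation; grouping rules are assumptions)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

ALERT_WINDOW = timedelta(minutes=15)  # the ±15m window named in the article

# Format rules and search fields taken from the article; same order as the table.
ID_FORMATS = {
    "EventID":  (re.compile(r"^[0-9a-f]{32}$", re.I), "event_id:",  ("Investigate",)),
    "AlertID":  (re.compile(r"^[0-9A-Za-z]{8}$"),     "alert_id:",  ("Alerts", "Investigate")),
    "ThreatID": (re.compile(r"^[0-9a-f]{32}$", re.I), "threat_id:", ("Alerts",)),
}


def classify_id(value: str) -> list[str]:
    """Return every ID kind whose documented format matches `value`.
    A 32-hex value yields both EventID and ThreatID: the format is ambiguous."""
    return [kind for kind, (pattern, _, _) in ID_FORMATS.items() if pattern.match(value)]


def search_query(kind: str, value: str) -> str:
    """Build the console search term for an ID of a known kind, e.g. 'alert_id:A1b2C3d4'."""
    return ID_FORMATS[kind][1] + value


def searchable_pages(kind: str) -> tuple[str, ...]:
    """Pages on which the article says this ID kind can be searched."""
    return ID_FORMATS[kind][2]


@dataclass(frozen=True)
class Event:
    event_id: str
    device: str
    when: datetime
    parent_hash: str
    selected_hash: str
    target_hash: str

    @property
    def similarity_key(self) -> tuple[str, str, str]:
        # Assumption: events are "similar" when they involve the same hash triple.
        return (self.parent_hash, self.selected_hash, self.target_hash)


def group_events_into_alerts(events: list[Event]) -> list[dict]:
    """Alert = similar events on ONE device within ±15m of the alert's first event."""
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.when):
        for alert in alerts:
            same_device = alert["device"] == ev.device
            same_key = alert["key"] == ev.similarity_key
            in_window = abs(ev.when - alert["events"][0].when) <= ALERT_WINDOW
            if same_device and same_key and in_window:
                alert["events"].append(ev)
                break
        else:  # no open alert fits: start a new one
            alerts.append({"device": ev.device, "key": ev.similarity_key, "events": [ev]})
    return alerts


def group_alerts_into_threats(alerts: list[dict]) -> list[list[dict]]:
    """Threat = similar alerts tied together regardless of device or timeframe."""
    threats: dict[tuple, list[dict]] = {}
    for alert in alerts:
        threats.setdefault(alert["key"], []).append(alert)
    return list(threats.values())


def summarize(events: list[Event]) -> dict[str, int]:
    alerts = group_events_into_alerts(events)
    threats = group_alerts_into_threats(alerts)
    return {"events": len(events), "alerts": len(alerts), "threats": len(threats)}


# Constructed sample data: two devices, one recurring hash triple plus one unrelated one.
T0 = datetime(2024, 1, 1, 12, 0, 0)
TRIPLE = ("a" * 64, "b" * 64, "c" * 64)          # placeholder SHA-256-length hashes
OTHER = ("d" * 64, "e" * 64, "f" * 64)
SAMPLE_EVENTS = [
    Event(f"{1:032x}", "host-A", T0, *TRIPLE),
    Event(f"{2:032x}", "host-A", T0 + timedelta(minutes=5), *TRIPLE),    # same alert as #1
    Event(f"{3:032x}", "host-A", T0 + timedelta(minutes=40), *TRIPLE),   # outside ±15m: new alert
    Event(f"{4:032x}", "host-B", T0 + timedelta(hours=3), *TRIPLE),      # other device, same threat
    Event(f"{5:032x}", "host-B", T0 + timedelta(hours=3, minutes=1), *OTHER),  # unrelated threat
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))  # 5 events -> 4 alerts -> 2 threats
    print(classify_id("ab" * 16), classify_id("A1b2C3d4"))
```

Running the sample gives 5 events collapsing into 4 alerts and 2 threats: the two host-A events five minutes apart share one alert, the event 40 minutes later opens a second alert on the same device, the host-B event with the same hash triple becomes its own alert but joins the same threat, and the unrelated triple forms a separate threat.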