Endpoint Standard: Seemingly unrelated events are grouped together under same Alert ID

Article ID: 292273

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

Seemingly unrelated events are assigned the same Alert ID.

Environment

  • Carbon Black Cloud (formerly PSC) Console: All Versions
  • Endpoint Standard (formerly CB Defense) Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple MacOS: All Supported Versions

Cause

The CBC Analytics component groups suspicious activity into a single alert when it occurs on the same device around the same time.

Resolution

This is by design: grouping related activity into one alert aids malware investigations.

Additional Information

  • The CBC groups events into alerts based on a number of criteria, among them the device and proximity in time.
  • Once an event or group of events is determined to have triggered an alert, the CBC correlates additional suspicious events on the same device, within a 15-minute time window, to the initial alert grouping.
  • Grouping by time lets system administrators see all suspicious activity within a time window instead of receiving many alerts that would later have to be correlated manually. For example, rather than parsing through 5 separate alerts for suspicious activity threads that all occurred within the same time window on the same device, administrators see the activity in a single alert, which makes it easier to review everything that happened around that time.
  • When events are grouped into a single alert, the primary process of the alert, the reason for the alert and the threat score of the alert are all taken from the most suspicious/severe action in that time period.
  • Alerts are grouped in the UI by the most severe actor on that device during that time period.
  • Grouped alerts may involve different TTPs and applications, depending on the activity taking place on the device at the time of the alert.
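The grouping behaviour described in this article, modelled as an added example. This is illustrative code written for this page, not Carbon Black's implementation: the device names, process names, reasons, severity numbers and timestamps are constructed sample data, the window is measured from the event that opened the alert (the article does not state the anchor point, so that is an assumption), and the integer severity stands in for a threat score. It shows why one alert can carry a shell spawned by an Office application, a PowerShell command line and a DLL load at once, while an event 16 minutes later lands in a fresh alert.

```python
"""Illustration of time-window alert grouping (not Carbon Black's own code).

Events on the same device within 15 minutes of the event that opened an
alert are correlated into that alert; the alert's primary process, reason
and threat score come from the most severe event in the group.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Window length stated in the article; anchoring it at the opening event is an assumption.
CORRELATION_WINDOW = timedelta(minutes=15)


@dataclass
class Event:
    device: str
    ts: datetime
    process: str
    reason: str
    severity: int  # constructed 1-10 score standing in for a threat score


@dataclass
class Alert:
    device: str
    opened_at: datetime
    events: List[Event] = field(default_factory=list)

    def accepts(self, event: Event) -> bool:
        """True if the event belongs to this alert: same device, inside the window."""
        return (event.device == self.device
                and self.opened_at <= event.ts <= self.opened_at + CORRELATION_WINDOW)

    @property
    def primary(self) -> Event:
        """Most severe event; ties go to the earliest one."""
        return max(self.events, key=lambda e: (e.severity, -e.ts.timestamp()))

    @property
    def threat_score(self) -> int:
        return self.primary.severity

    @property
    def reason(self) -> str:
        return self.primary.reason

    @property
    def processes(self) -> List[str]:
        """Every process involved in the alert, not only the primary one."""
        return sorted({e.process for e in self.events})


def group_events(events: List[Event]) -> List[Alert]:
    """Correlate events into alerts per device using the time window."""
    alerts: List[Alert] = []
    open_alert: Dict[str, Alert] = {}  # most recent alert per device
    for ev in sorted(events, key=lambda e: e.ts):
        current = open_alert.get(ev.device)
        if current is not None and current.accepts(ev):
            current.events.append(ev)
        else:
            # Outside the window (or first event on this device): open a new alert.
            current = Alert(device=ev.device, opened_at=ev.ts, events=[ev])
            alerts.append(current)
            open_alert[ev.device] = current
    return alerts


# Constructed sample events for two hypothetical workstations.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    Event("WS-01", T0, "winword.exe", "Office application spawned a shell", 4),
    Event("WS-01", T0 + timedelta(minutes=3), "powershell.exe", "Suspicious script execution", 6),
    Event("WS-01", T0 + timedelta(minutes=9), "rundll32.exe", "Unknown DLL loaded", 8),
    Event("WS-01", T0 + timedelta(minutes=16), "chrome.exe", "Untrusted file written", 3),
    Event("WS-02", T0 + timedelta(minutes=5), "certutil.exe", "Unusual utility invocation", 5),
]


if __name__ == "__main__":
    for a in group_events(SAMPLE_EVENTS):
        print(f"{a.device} @ {a.opened_at:%H:%M}  score={a.threat_score}  "
              f"primary={a.primary.process}  reason={a.reason!r}  "
              f"processes={a.processes}")
```

Running the block yields three alerts: the first WS-01 alert absorbs the Word, PowerShell and rundll32 events and reports rundll32.exe with score 8 as its primary, the chrome.exe event at +16 minutes falls outside the window and opens a second WS-01 alert, and WS-02 gets its own alert because grouping never crosses devices. When triaging a grouped alert, read the full process list rather than only the primary process, since the lower-severity events in the group are the ones most easily overlooked.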