The new Alerts V7 API will improve alert management and allow for easier management, consumption, and triage of alerts in the Carbon Black Cloud. The Alerts v7 API extends the existing capabilities with improved methods for retrieving alerts and adds functionality to manage alert workflow. For more information, please review the CBC Alerts API announcement on the Developer Network.
This API introduces a handful of new features for customers, including:
- Overhauled alert schema with additional metadata such as process command line and username, parent, and child process information, netconn data, additional device fields, MITRE categorization when available, and more.
- Easier management and consumption of grouped alerts.
- Ability to mark alerts as “in progress”.
- Ability to mark alerts as “true positive” or “false positive”.
- Additional fields available for both searching and faceting.
- Enhanced note management with the ability to add notes to both individual alerts as well as threats (alerts grouped by threat).
For customers with existing integrations, detailed information on moving from the v6 to the v7 API will be published shortly, followed by an updated version of the Carbon Black Cloud Python SDK.
Observed Alerts Are Now Observations
Accompanying the V7 Alerts API release, we are also announcing a change to Observed Alerts as they exist today.
Moving forward, Observed Alerts will no longer be present on the Alerts page, nor will they be present in the new V7 Alerts API. What was formerly categorized as Observed Alerts will now exist solely within the Investigate page as “Observations”.
Customers can find Observations by navigating to the Investigate page and filtering on CB Analytics. The non-alerted Observations present in this section include the Observed Alerts that used to be available on the Alerts page.
Customers leveraging the V6 Alerts API and current Alert Forwarder will be unaffected by this change and will have access to these Observed Alerts until the V6 API is deactivated.
Why are we making this change?
After careful consideration, we have decided that Observed Alerts do not belong on the Alerts page, due to their informational nature. Observed Alerts were never designed to be actionable, nor important enough to warrant a full investigation.
Observed Alerts were events that may have had interesting security context but were not deemed a threat by Carbon Black. The Observations experience within the Investigate page will be the new home for informational, context-enhancing events like these.