The IDs that may be used to search and investigate security incidents in Carbon Black Cloud are hash, sensor, and alert.
A hash is a unique identifier for a file or process that can be used to track its activity and behavior across endpoints. A hash can be searched in the Investigate page to view its reputation, prevalence, and associated alerts.
A sensor is a unique identifier for an endpoint that has the Carbon Black Cloud agent installed. A sensor can be searched in the Endpoints page to view its status, policy, and associated alerts. A sensor can also be searched in the Investigate page to view its processes, events, and network connections.
An alert is a unique identifier for a security incident that is generated by Carbon Black Cloud based on the policy rules and threat intelligence. An alert can be searched in the Alerts page to view its details, timeline, and remediation actions. An alert can also be searched in the Investigate page to view its associated processes, events, and network connections.
A threat is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. A threat is a term used to describe a malicious actor or activity that poses a risk to the organization. A threat can be detected by Carbon Black Cloud based on the threat intelligence feeds and watchlists, but it is not a unique identifier for a specific incident.
An event is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. An event is a term used to describe a single action or occurrence that is recorded by the Carbon Black Cloud agent on an endpoint. An event can be viewed in the Investigate page as part of a process or alert, but it is not a unique identifier for a specific incident.
A user is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. A user is a term used to describe a person who has access to the Carbon Black Cloud console or API. A user can be searched in the Users page to view their role, permissions, and activity, but they are not directly related to security incidents.