Carbon Black Cloud: Alert Triage Page Show "no data available" Error While Triaging an Alert
search cancel

Carbon Black Cloud: Alert Triage Page Show "no data available" Error While Triaging an Alert

book

Article ID: 285367

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Alerts page has one or several alert_ids calling out a file which "attempted to" do something 
    The application <process_name> attempted to execute fileless content in order to evade inspection. A Deny policy action was applied.
  • Searching on Alerts page for reason_code and Technique returns results for specified timeframe, including alert_id(s) of interest 
    reason_code:"1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D:9230D32E-4018-479E-9F88-2115BC2D181E" AND "cb:defense:tamper:policy_deny"
    • alert_ids can be searched as well 
       AND alert_id:(<alert_id_1>) OR <alert_id_2> OR ... <alert_id_n>)
  • Investigate page shows no results for specified alert_id(s) 
    alert_id:<alert_id>
  • Alert Triage page show "no data available" error while triaging an alert 

Environment

  • Carbon Black Cloud Console: July 2021 Release (version 0.67.x) and Higher
    • Endpoint Standard
  • Carbon Black Cloud Sensor: 3.6.0.1719 and Higher
  • Microsoft Windows: All Supported Versions

Cause

Dynamic Rules Engine (DRE) Event which received an alert_id but which is not persisted to the Unified Platform Experience data store for the Investigate page

Resolution

  • Resolution to show the actual Event data on the Alert Triage and Investigate page is being tracked via DSER-38946
    • This article will be updated when there is additional information

Additional Information

  • These blocking Alerts are due to a process attempting to bypass AMSI using a fileless script
  • DRE Rule is delivered as part of Dynamic Content Manifests
  • Alerts page search can be used with Group Alerts turned off to view all of the individual alert_ids tied to this same rule 
    reason_code:"1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D:9230D32E-4018-479E-9F88-2115BC2D181E" AND "cb:defense:tamper:policy_deny"
  • Replace all <items> with actual data, including "<>" 
    Example
<process_name> becomes powershell.exe
Powered by Wolken Software