Carbon Black Cloud: Alert Triage Page Shows "no data available" Error While Triaging an Alert
Article ID: 285367
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
The Alerts page has one or several alert_ids calling out a file which "attempted to" do something, for example:
The application <process_name> attempted to execute fileless content in order to evade inspection. A Deny policy action was applied.
Searching the Alerts page for the reason_code and Technique returns results for the specified timeframe, including the alert_id(s) of interest:
reason_code:"1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D:9230D32E-4018-479E-9F88-2115BC2D181E" AND "cb:defense:tamper:policy_deny"
The search can be narrowed to specific alert_ids as well; the OR-group goes inside a single set of parentheses:
AND alert_id:(<alert_id_1> OR <alert_id_2> OR ... <alert_id_n>)
The Investigate page shows no results for the specified alert_id(s):
alert_id:<alert_id>
The Alert Triage page shows a "no data available" error while triaging the alert.
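The two searches above can be automated to list every affected alert at once. The script below is an added example, not part of this article or of the Carbon Black Cloud product: it runs the Alerts search for the reason_code, then checks each returned alert_id against the Investigate (enriched events) data and reports the alert_ids that have no backing event, which is exactly the symptom described here. Endpoint paths, the X-Auth-Token header, the "-2w" time window and the response fields follow the public CBC Alerts v6 and Investigate v2 APIs as this example's author understands them; verify them against the current API reference before use. The FakeTransport responses are constructed so the script runs offline.

```python
"""Cross-check Carbon Black Cloud alerts against Investigate (enriched events).

Added example (not the article's or the vendor's code). Endpoint paths, headers
and response shapes are assumptions based on the public CBC Alerts v6 and
Investigate v2 APIs; confirm them against the current API reference.
The FakeTransport responses at the bottom are constructed, not captured.
"""
import json
import time
import urllib.request

# reason_code from the article's Alerts-page search
REASON_CODE_AMSI_DENY = (
    "1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D:9230D32E-4018-479E-9F88-2115BC2D181E"
)


def build_alert_query(reason_code, alert_ids=()):
    """Alerts-page query for one reason_code, optionally narrowed to alert_ids.
    The OR-group must sit inside one pair of parentheses: alert_id:(A OR B)."""
    query = f'reason_code:"{reason_code}" AND "cb:defense:tamper:policy_deny"'
    if alert_ids:
        query += " AND alert_id:(" + " OR ".join(alert_ids) + ")"
    return query


class CbcTransport:
    """Minimal HTTP transport for the CBC REST API (assumed auth header format)."""

    def __init__(self, base_url, org_key, api_id, api_secret):
        self.base = base_url.rstrip("/")
        self.org_key = org_key
        self.headers = {"X-Auth-Token": f"{api_secret}/{api_id}",
                        "Content-Type": "application/json"}

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def search_alerts(self, query, rows=500):
        # Assumed endpoint: Alerts API v6 search
        return self._call("POST", f"/appservices/v6/orgs/{self.org_key}/alerts/_search",
                          {"query": query, "rows": rows, "start": 1})

    def search_enriched_events(self, query, window="-2w"):
        # Assumed endpoint: Investigate API v2 enriched-events search job + results
        path = f"/api/investigate/v2/orgs/{self.org_key}/enriched_events/search_jobs"
        job = self._call("POST", path, {"query": query, "rows": 100,
                                        "time_range": {"window": window}})
        job_id = job["job_id"]
        while True:  # poll until every contacted shard has completed
            res = self._call("GET", f"{path}/{job_id}/results")
            if res.get("completed", 0) >= res.get("contacted", 1):
                return res
            time.sleep(1)


def find_orphaned_alerts(transport, reason_code=REASON_CODE_AMSI_DENY):
    """Return alert_ids the Alerts search knows about but Investigate does not."""
    alerts = transport.search_alerts(build_alert_query(reason_code))
    orphaned = []
    for alert in alerts.get("results", []):
        events = transport.search_enriched_events(f"alert_id:{alert['id']}")
        if events.get("num_found", 0) == 0:
            orphaned.append(alert["id"])
    return orphaned


class FakeTransport:
    """Offline stand-in with constructed data: alert A-1111 has an event, B-2222 does not."""

    def search_alerts(self, query, rows=500):
        return {"num_found": 2, "results": [{"id": "A-1111"}, {"id": "B-2222"}]}

    def search_enriched_events(self, query, window="-2w"):
        hits = 1 if query == "alert_id:A-1111" else 0
        return {"contacted": 1, "completed": 1, "num_found": hits, "results": []}


if __name__ == "__main__":
    print(build_alert_query(REASON_CODE_AMSI_DENY, ["A-1111", "B-2222"]))
    print("alerts without Investigate events:", find_orphaned_alerts(FakeTransport()))
```

Against a live tenant, replace FakeTransport with CbcTransport(base_url, org_key, api_id, api_secret) using an API key that has alert and enriched-event read permissions; the alert_ids it prints are the ones that will show "no data available" on the Alert Triage page.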
Environment
Carbon Black Cloud Console: July 2021 Release (version 0.67.x) and Higher
Endpoint Standard
Carbon Black Cloud Sensor: 3.6.0.1719 and Higher
Microsoft Windows: All Supported Versions
Cause
The alert comes from a Dynamic Rules Engine (DRE) event that was assigned an alert_id but was not persisted to the Unified Platform Experience data store that backs the Investigate page, so the alert exists without any event data to display.
Resolution
A fix to show the actual Event data on the Alert Triage and Investigate pages is being tracked via DSER-38946.
This article will be updated when there is additional information
Additional Information
These blocking Alerts are generated when a process attempts to bypass AMSI using a fileless script.