Carbon Black Cloud: Alert searches are not reporting watchlist-generated alerts when the field_name is not specified.

Article ID: 288252

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  1. Go to the Alerts page.
  2. Search for "device_name:Mylaptop1" - this works; both watchlist and CB Analytics alerts are reported.
  3. Now search for just "Mylaptop1" - this fails and returns ONLY CB Analytics alerts.
  4. In summary:

     device_name: Mylaptop1   <-- this works
     Mylaptop1                <-- this will not return watchlist-generated alerts for the machine Mylaptop1

  The problem occurs with other fields as well and is not limited to the "device_name" field. For instance, the "watchlist_name" field exhibits the same symptoms.

Environment

  • CBC Console: .75.0
  • CBC Sensors: All versions

Cause

Now under investigation. This article will flip to public once further confirmed by Engineering.

Resolution

DSER-39198 UI issue resolved March 24th, 2022

Additional Information

Issue first reported on Monday, March 7th 2022