EDR: Alert Generated for Old Event

Article ID: 289443

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • A new alert is generated for an old process
  • Event was never alerted on in the past

Environment

  • EDR Server: All Versions
  • EDR Sensor: All Versions

Cause

The sensor had not checked in to the server from the time the event was originally recorded until recently.

Resolution

This behavior is expected. 

Additional Information

  • Event times are based on the local time of the endpoint. If the endpoint's clock is off, the same behavior will also occur.
  • When a sensor goes offline, it continues to collect data until it reaches a pre-configured size limit. Once that limit is reached, no further data is collected until other information is offloaded to the EDR server upon check-in.
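
A triage helper for the two causes described above, added here as an example and not taken from Carbon Black EDR: it separates an offline backlog from a suspected endpoint clock problem by comparing the event time, the alert time and the sensor's check-in history. The function name, the one-hour threshold and the sample timestamps are assumptions constructed for illustration.

```python
import bisect
from datetime import datetime, timedelta

def classify_late_alert(event_time, alert_time, checkins,
                        max_lag=timedelta(hours=1)):
    """Explain an alert whose event time is far from the alert time.

    event_time: timestamp reported by the endpoint (endpoint clock)
    alert_time: when the server generated the alert
    checkins:   sorted server-side check-in times for that sensor
    max_lag:    assumed tolerance; tune to the sensor check-in interval
    """
    lag = alert_time - event_time
    if lag < timedelta(0):
        # Event stamped after the alert: endpoint clock is running ahead.
        return "clock_skew_suspected"
    if lag <= max_lag:
        return "timely"
    # First check-in the server saw at or after the reported event time.
    i = bisect.bisect_left(checkins, event_time)
    first_after = checkins[i] if i < len(checkins) else None
    if first_after is None or first_after - event_time > max_lag:
        # Sensor was silent after the event: data was queued while offline
        # and only offloaded at a later check-in.
        return "offline_backlog"
    # Sensor was checking in normally around the reported event time, yet
    # the event surfaced late: the endpoint timestamp is likely wrong.
    return "clock_skew_suspected"

def demo():
    """Constructed sample data, not real sensor records."""
    d = datetime
    offline = [d(2024, 1, 1, 9, 0), d(2024, 1, 10, 8, 0)]
    hourly = [d(2024, 1, 10, h, 0) for h in range(0, 9)]
    return [
        classify_late_alert(d(2024, 1, 1, 10, 0), d(2024, 1, 10, 8, 5), offline),
        classify_late_alert(d(2024, 1, 10, 2, 10), d(2024, 1, 10, 8, 5), hourly),
        classify_late_alert(d(2024, 1, 10, 8, 0), d(2024, 1, 10, 8, 5), hourly),
        classify_late_alert(d(2024, 1, 10, 9, 0), d(2024, 1, 10, 8, 5), hourly),
    ]

if __name__ == "__main__":
    print(demo())
```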