Occasional Delays or Missing Alerts Between Carbon Black Cloud Console and S3 Bucket
Article ID: 289916
Products
Carbon Black Cloud Endpoint Standard
Carbon Black Cloud Enterprise EDR
Carbon Black Cloud Audit and Remediation
Carbon Black Cloud Container
Carbon Black Cloud Workload
Carbon Black Cloud Prevention
Carbon Black Cloud Managed Threat Hunting
Carbon Black Cloud Managed Detection and Response
Issue/Introduction
Carbon Black Cloud Console event messages occasionally take a few hours before they are exported to the S3 Bucket.
The event messages shown in the Carbon Black Cloud Console remain up to date at all times.
No event data is lost; the affected records arrive in the S3 Bucket late rather than not at all.
Environment
Carbon Black Cloud Console: Current Versions
Cause
The event messages are augmented with additional data and moved to a data stream before the notification can be indexed.
This is a queued process, so backlogs can build up and occasionally delay processing.
When this delay happens, a record may not reach the notification index before the S3 Bucket export pulls the data. In that case the record is not dropped; it is picked up in the next pull, which is why it appears in the bucket late.
Resolution
In most circumstances, data from the Carbon Black Cloud Console is forwarded to the S3 Bucket very quickly.
In some instances the delay is not between the Console and the S3 Bucket at all, but between the S3 Bucket and the SIEM that ingests it; that ingestion step is outside the control of Carbon Black, so check the SIEM's own collection lag before attributing the delay to the export.
Occasional minor delays between the Carbon Black Cloud Console and the S3 Bucket are normal and expected.
Additional Information
If the S3 Bucket is truly empty and is no longer receiving any event log messages, this is a separate issue and a Support Case should be opened so that it can be investigated further.
Before opening a case, confirm that the events are not missing because the S3 Bucket event filtering is excluding them. A delay of a few hours with data still arriving is the expected behaviour described above; a bucket that has received nothing for much longer, or nothing at all, is not.
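The following script is an added example and is not part of this article or of Carbon Black's own tooling. It shows how to tell the three situations above apart before opening a case: a bucket that is simply lagging by the expected few hours, a bucket that has gone stale, and a bucket that is genuinely empty. It classifies an S3 listing by the newest object's LastModified time (standard S3 metadata, so it does not depend on the forwarder's key layout). The thresholds, the object keys and the sample listings are assumptions constructed for the example; the live helper uses boto3's list_objects_v2 paginator and is only needed when you point it at a real bucket.

```python
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example, not values published by
# Carbon Black. The article says a delay of a few hours is normal, so only a
# gap beyond STALE_AFTER is treated as a reason to open a support case.
NORMAL_LAG = timedelta(hours=1)
STALE_AFTER = timedelta(hours=6)


def newest_object_time(listing):
    """Return the latest LastModified among non-empty objects in an S3 listing
    (a list of dicts shaped like boto3 list_objects_v2 'Contents' entries),
    or None if the listing holds no real data objects."""
    times = [obj["LastModified"] for obj in listing if obj.get("Size", 0) > 0]
    return max(times) if times else None


def classify_forwarder_lag(listing, now=None):
    """Classify the state of the S3 destination.

    Returns (state, lag) where state is one of:
      'empty'   - no non-empty objects at all: check the event filter / config
      'stale'   - newest object older than STALE_AFTER: open a support case
      'delayed' - newest object older than NORMAL_LAG: expected queue backlog
      'ok'      - recent data present
    """
    now = now or datetime.now(timezone.utc)
    newest = newest_object_time(listing)
    if newest is None:
        return "empty", None
    lag = now - newest
    if lag > STALE_AFTER:
        return "stale", lag
    if lag > NORMAL_LAG:
        return "delayed", lag
    return "ok", lag


def list_forwarder_objects(bucket, prefix, since, client=None):
    """Live helper for a real bucket: page through bucket/prefix with boto3 and
    keep objects modified at or after `since`. Not used by the offline sample."""
    import boto3  # optional dependency; only needed for a live check
    client = client or boto3.client("s3")
    paginator = client.get_paginator("list_objects_v2")
    found = []
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            if obj["LastModified"] >= since:
                found.append(obj)
    return found


# Constructed sample listings (hypothetical keys, not real bucket contents).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _obj(key, minutes_ago, size=1024):
    return {"Key": key, "Size": size,
            "LastModified": NOW - timedelta(minutes=minutes_ago)}


SAMPLE_OK = [_obj("cbc/alerts/a.jsonl.gz", 5), _obj("cbc/alerts/b.jsonl.gz", 40)]
SAMPLE_DELAYED = [_obj("cbc/alerts/c.jsonl.gz", 150)]       # 2.5 h behind
SAMPLE_STALE = [_obj("cbc/alerts/d.jsonl.gz", 60 * 24)]     # a day behind
SAMPLE_EMPTY = [_obj("cbc/alerts/", 10, size=0)]            # only a 0-byte prefix marker


if __name__ == "__main__":
    for name, listing in [("ok", SAMPLE_OK), ("delayed", SAMPLE_DELAYED),
                          ("stale", SAMPLE_STALE), ("empty", SAMPLE_EMPTY)]:
        state, lag = classify_forwarder_lag(listing, now=NOW)
        print(f"{name:8s} -> {state} (lag={lag})")
```

Run the offline sample as-is; for a live check, call list_forwarder_objects with your bucket and the prefix the forwarder writes to, then pass the result to classify_forwarder_lag. A 'delayed' result is the normal backlog this article describes and needs no action; 'stale' or 'empty' is where the event filter should be checked and, if that is not the cause, a Support Case opened.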