Endpoint Standard: Policy Block Seen in Observations but Not Showing as Alert
Article ID: 290275
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- An Observation on the Investigate page is assigned a Policy Deny or Policy Terminate tag.
- No Alert tag is assigned to the Observation.
- The Policy Deny or Terminate action was triggered by an existing Blocking & Isolation rule.
- The Observation is not a Deny Policy Action on a process requesting the content of lsass.exe. For that type of Observation, see this article.
Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: All Supported Versions
Cause
The root cause of this issue is being investigated by Carbon Black engineers under the scope of DSER-50396.
Resolution
Open a support case with Carbon Black Technical Support, providing the Observation ID of the block event.