Can Sensor Tamper Protection Events Be Reported in the Console or to a SIEM?
Article ID: 290397
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Issue/Introduction
Are attempts to tamper with the Sensor (e.g. deleting Sensor files, stopping services, etc.) reported in the Console as Observations or Alerts, or available to be sent to a SIEM (such as Splunk)?
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: All Supported Versions
Resolution
No. Tamper Protection is silently enforced and tamper attempts are not reported to the backend, so these events are not available in the Console and cannot be sent to a SIEM.
Additional Information
Alarms related to tamper attempts are stored locally by the Sensor in C:\ProgramData\CarbonBlack\Logs\SensorAlarms.log, though details are limited to the tampering process and target file.
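Because the only record of a tamper attempt is the local SensorAlarms.log, a team that wants these events in a SIEM has to collect the file itself. The script below is an added example, not Carbon Black code: it reads only the lines appended since the last run (tracking a byte offset so a scheduled task does not re-emit old alarms, and restarting if the file is rotated) and wraps each line as a newline-delimited JSON event. The article does not document the log's internal format, so each line is forwarded as an opaque message; the `source` tag, the offset-file location and the sample lines in `demo()` are constructed assumptions.

```python
"""Forward new lines from a local, line-based log file as JSON events.

Added example (not Carbon Black code). Each SensorAlarms.log line is treated
as an opaque message because its internal format is not documented here;
the field names and the offset-file convention are assumptions.
"""
import json
import socket
import tempfile
import time
from pathlib import Path

# Path named in the article; pass a different path on other hosts.
DEFAULT_LOG = r"C:\ProgramData\CarbonBlack\Logs\SensorAlarms.log"


def read_new_lines(log_path, offset_path):
    """Return (events, new_offset) for lines appended since the saved offset.

    The offset file records how far the log has already been read, so
    repeated runs (e.g. from a scheduled task) do not re-emit old alarms.
    If the log is smaller than the saved offset it was rotated or truncated,
    and reading restarts from the beginning.
    """
    log_path = Path(log_path)
    offset_path = Path(offset_path)
    saved = int(offset_path.read_text()) if offset_path.exists() else 0
    if log_path.stat().st_size < saved:
        saved = 0  # rotated or truncated: start over

    events = []
    with log_path.open("rb") as fh:
        fh.seek(saved)
        for raw in fh:
            if not raw.endswith(b"\n"):
                break  # partial line still being written; read it next run
            saved += len(raw)
            text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
            if not text:
                continue
            events.append({
                "source": "cbc_sensor_tamper_alarm",  # assumed SIEM source tag
                "host": socket.gethostname(),
                "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "file": str(log_path),
                "message": text,
            })
    offset_path.write_text(str(saved))
    return events


def to_json_lines(events):
    """Serialise events as newline-delimited JSON, the form most SIEM
    collectors (file monitor, HTTP event collector) accept."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


def demo():
    """Constructed sample run: two alarm lines, then one appended line plus
    a partial line. Returns (first_count, second_count, last_message)."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "SensorAlarms.log"
        state = Path(tmp) / "SensorAlarms.offset"
        # Constructed sample lines; they do not reproduce the real log format.
        log.write_text("sample alarm line 1\nsample alarm line 2\n")
        first = read_new_lines(log, state)
        with log.open("a") as fh:
            fh.write("sample alarm line 3\npartial")
        second = read_new_lines(log, state)
        return len(first), len(second), second[0]["message"]


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule with `read_new_lines(DEFAULT_LOG, "<state file>")` and hand `to_json_lines(...)` to whatever collector feeds the SIEM. Because the page states that the log only records the tampering process and target file, expect to enrich the events (user, time, process tree) from other telemetry in the SIEM rather than from this file.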
Running third-party security applications (e.g. antivirus, real-time scanner, vulnerability scanner, etc.) concurrently with the Sensor without proper Exclusions can trigger Tamper Protection alarms and cause unexpected blocks or interoperability/performance issues.