CB Response: Tamper events from sensor shutdown are not matching "tampered:true" or "alliance_score_cbtamper:*" on UI
search cancel

CB Response: Tamper events from sensor shutdown are not matching "tampered:true" or "alliance_score_cbtamper:*" on UI

book

Article ID: 290701

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

After stopping sensor service, or uninstalling sensor, no match result found for "tampered:true" or "alliance_score_cbtamper:*". However, tamper alerts show on "triage alert" page on UI or SIEM if feed "cbtamper" has "create alert" enabled. 

Environment

  • CB Response: 6.2.3 and above

Cause

Bug CB-26533.

Resolution

Fix will be released on a future version. 

The workaround is to enable alert on Tamper Detection feed (UI >Threat Intelligence page > Tamper Detection > Notifications: create alert).