CB Response: Tamper events from sensor shutdown are not matching "tampered:true" or "alliance_score_cbtamper:*" on UI
Article ID: 290701
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
After stopping the sensor service or uninstalling the sensor, searches for "tampered:true" or "alliance_score_cbtamper:*" return no results. However, tamper alerts still show on the "triage alert" page in the UI, or in the SIEM, if the "cbtamper" feed has "create alert" enabled.
Environment
CB Response: 6.2.3 and above
Cause
Bug CB-26533.
Resolution
A fix will be released in a future version.
The workaround is to enable alerts on the Tamper Detection feed (UI > Threat Intelligence page > Tamper Detection > Notifications: create alert).