Endpoint Standard: No entries seen in audit log about which user dismissed alert when filtering with Alert ID

Article ID: 290737

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • An alert is classified as Dismissed
  • When searching the audit log to find out which user dismissed the alert, filtering on the Alert ID returns no results

Environment

  • Endpoint Standard (formerly CB Defense): All Versions

Cause

  • When an alert is dismissed with Group Alerts enabled (turned on), the dismissal is recorded by Threat ID, not by Alert ID, so the audit log entry does not contain the Alert ID
  • All future alerts with the same Threat ID will also be dismissed

Resolution

  1. Obtain the Threat ID of the dismissed alert. It is currently visible:
  • In the URL of the Alert Triage and Investigate pages
  • In the Console via Developer Tools/Web Inspector on the Alerts page
  • Via the API when pulling Alert data
  2. Search the audit log using this Threat ID to find out which user dismissed the first alert while Group Alerts was enabled (turned on)

Additional Information

Alerts are grouped under the same threat_id based on threat_cause_actor_sha256 and reason_code (both of which are most easily seen via DevTools on the Alerts page). A dismissal therefore also affects any other Alerts, current or future, that are determined to fit under the same threat_id, i.e. that share the same threat_cause_actor_sha256 and reason_code.
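The following is an added example, not code from this article or from Carbon Black, that models the Resolution steps and the grouping rule above with constructed data. The alert records are shaped like Alerts API output (the article names threat_id, threat_cause_actor_sha256 and reason_code; the other fields and all values are assumptions), and the audit-log entries use assumed field names (eventTime, loginName, description). It shows that a substring search of the audit log for the Alert ID returns nothing when Group Alerts is on, that the same search for the Threat ID finds the dismissing user, and which sibling alerts the dismissal will also cover.

```python
# Added example (not from the KB article or Carbon Black). All records below are
# constructed sample data; field names follow the APIs only where the article names
# them (threat_id, threat_cause_actor_sha256, reason_code). Audit-log field names,
# IDs and hashes are assumptions for illustration.

# Constructed alert records: ALERT-0001 and ALERT-0002 share actor hash and reason
# code, so they sit under the same threat_id; ALERT-0003 is unrelated.
ALERTS = [
    {"id": "ALERT-0001", "threat_id": "THREAT-AAAA",
     "threat_cause_actor_sha256": "aa" * 32, "reason_code": "R_SUSPICIOUS_SCRIPT",
     "workflow": {"state": "DISMISSED"}},
    {"id": "ALERT-0002", "threat_id": "THREAT-AAAA",
     "threat_cause_actor_sha256": "aa" * 32, "reason_code": "R_SUSPICIOUS_SCRIPT",
     "workflow": {"state": "DISMISSED"}},
    {"id": "ALERT-0003", "threat_id": "THREAT-BBBB",
     "threat_cause_actor_sha256": "bb" * 32, "reason_code": "R_CREDENTIAL_ACCESS",
     "workflow": {"state": "OPEN"}},
]

# Constructed audit-log entries. With Group Alerts enabled the dismissal entry
# references the Threat ID and never the Alert ID (assumed wording).
AUDIT_LOG = [
    {"eventTime": 1700000000000, "loginName": "admin@example.com",
     "description": "Logged in successfully"},
    {"eventTime": 1700000060000, "loginName": "analyst@example.com",
     "description": "Dismissed threat THREAT-AAAA (grouped alerts)"},
    {"eventTime": 1700000120000, "loginName": "analyst@example.com",
     "description": "Updated policy Standard"},
]


def search_audit_log(entries, needle):
    """Equivalent of typing `needle` into the console's audit-log filter:
    case-sensitive substring match on each entry's description."""
    return [e for e in entries if needle in e["description"]]


def threat_id_of(alerts, alert_id):
    """Step 1 of the Resolution: look up the Threat ID of a given alert
    (the same value that appears in the Alert Triage URL / API payload)."""
    for alert in alerts:
        if alert["id"] == alert_id:
            return alert["threat_id"]
    raise KeyError(f"unknown alert id {alert_id}")


def who_dismissed(alerts, entries, alert_id):
    """Step 2 of the Resolution: try the Alert ID first (works when Group Alerts
    is off), then fall back to the Threat ID. Returns (login, matched_on) or
    (None, None) if neither search finds an entry."""
    hits = search_audit_log(entries, alert_id)
    if hits:
        return hits[0]["loginName"], "alert_id"
    hits = search_audit_log(entries, threat_id_of(alerts, alert_id))
    if hits:
        return hits[0]["loginName"], "threat_id"
    return None, None


def grouped_with(alerts, alert_id):
    """Other alerts that the same dismissal covers: those sharing the grouping key
    (threat_cause_actor_sha256, reason_code) described in Additional Information."""
    me = next(a for a in alerts if a["id"] == alert_id)
    key = (me["threat_cause_actor_sha256"], me["reason_code"])
    return sorted(
        a["id"] for a in alerts
        if a["id"] != alert_id
        and (a["threat_cause_actor_sha256"], a["reason_code"]) == key
    )


if __name__ == "__main__":
    print("by alert id:", search_audit_log(AUDIT_LOG, "ALERT-0001"))   # []
    print("dismissed by:", who_dismissed(ALERTS, AUDIT_LOG, "ALERT-0001"))
    print("also covered:", grouped_with(ALERTS, "ALERT-0001"))
```

When pulling real data, the `threat_id` comes from the alert record returned by the Alerts API and the audit entries from the audit log API; the substring search mirrors the console filter, so a Threat ID search will also surface later dismissals of alerts that were grouped under the same threat after the first one.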