No Events When Selecting an Alert from the Triage Alerts Page
search cancel

No Events When Selecting an Alert from the Triage Alerts Page

book

Article ID: 380456

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

When selecting an alert from triage alerts, the process analysis page displays a tree with no events below. A message of:

No events are available. You may be able to view events from the beginning of the process

Environment

  • Carbon Black EDR Console: All Versions

Cause

Nearest segment is also a watchlist segment

Resolution

This is working as designed.

Triage alerts are based on watchlist or feed hits. For query based hits the process document's basic info is copied and a new segment is created with a watchlist hit timestamp with no events. The application will attempt to use the nearest segment to display events. If the nearest segment is also a watchlist hit the events will be empty. 

To display the events, select the "beginning of the process" hyperlink which will take you to the first segment in time available for the process.