Tamper Detection Alerts For the Sensor not being Generated
Article ID: 413572

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Tamper detection alerts are not being created.

  • Stopping the sensor service manually on the endpoint should send a tamper alert. 

Environment

  • Carbon Black EDR Console: All Versions

Cause

A required configuration is not enabled, so the alert is not sent.

Resolution

Verify that the following configurations are set in the EDR console:

  1. Enable the feed, alerting and reports
    1. Navigate to the Threat Intelligence page.
    2. Find the Tamper Detection feed and click Enabled.
    3. Open the Notifications drop-down and select "Create Alert".
    4. Click the link to "Threat Reports". Verify that none of the reports are set to "Ignore".
  2. Enable detection on Sensors
    1. Navigate to the Sensors page.
    2. Select a sensor group and click the settings gear. 
    3. Click "Advanced" to expand the settings. 
    4. Set "Tamper Protection Level" to Detection or Protection. 
    5. Save the group before continuing.
    6. Repeat for each sensor group requiring tamper monitoring. 

Additional Information

  • Tamper events can be searched in the process search page using "tampered:true"
  • Tamper alerts can be filtered by the Feed facet under the name "cbtamper"
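
The two searches above can be compared to see which half of the Resolution still needs attention after a test such as stopping the sensor service. The following is an added example, not part of the original article or of Carbon Black's own tooling; the REST paths, the `X-Auth-Token` header, the `feed_name` query field, the `total_results` response key and the host name are assumptions, and the triage rule is a heuristic derived from the steps above.

```python
import json
import urllib.parse
import urllib.request

# Assumed Carbon Black EDR REST search endpoints (not stated in the article).
PROCESS_SEARCH = "/api/v1/process"
ALERT_SEARCH = "/api/v2/alert"

def build_url(base, path, query, rows=1):
    """Build a search URL; only the result count is needed, so rows stays small."""
    params = urllib.parse.urlencode({"q": query, "rows": rows})
    return base.rstrip("/") + path + "?" + params

def fetch_total(url, token, fetch=None):
    """Return the result count for a search. `fetch` is injectable for offline runs."""
    if fetch is None:
        def fetch(u, tok):
            req = urllib.request.Request(u, headers={"X-Auth-Token": tok})
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
    return int(fetch(url, token).get("total_results", 0))

def triage(event_count, alert_count):
    """Map the two counts to the Resolution step that most likely needs review."""
    if event_count == 0:
        return "no tamper events: check sensor group Tamper Protection Level (step 2)"
    if alert_count == 0:
        return "events but no alerts: check feed, notifications and reports (step 1)"
    return "tamper events and alerts present"

def check(base, token, fetch=None):
    """Run both searches from 'Additional Information' and triage the result."""
    events = fetch_total(build_url(base, PROCESS_SEARCH, "tampered:true"), token, fetch)
    alerts = fetch_total(build_url(base, ALERT_SEARCH, "feed_name:cbtamper"), token, fetch)
    return events, alerts, triage(events, alerts)

if __name__ == "__main__":
    # Constructed offline response: 3 tamper events recorded, 0 alerts raised.
    def sample_fetch(url, token):
        return {"total_results": 3 if PROCESS_SEARCH in url else 0}
    # Placeholder host and token; replace with the console URL and an API token.
    print(check("https://edr.example.test", "PLACEHOLDER_TOKEN", sample_fetch))
```

Calling `check()` without the `fetch` argument sends the two requests to the console at `base` using the supplied API token.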