Carbon Black Cloud: Alert Triage Page Shows "no data available" Error While Triaging an Alert

Environment

  • Carbon Black Cloud Console: July 2021 Release (version 0.67.x) and Higher
    • Endpoint Standard
  • Carbon Black Cloud Sensor: 3.6.0.1719 and Higher
  • Microsoft Windows: All Supported Versions

Symptoms

  • Alerts page has one or several alert_ids calling out a file which "attempted to" do something, for example:
    The application <process_name> attempted to execute fileless content in order to evade inspection. A Deny policy action was applied.
  • Searching on the Alerts page for reason_code and Technique returns results for the specified timeframe, including the alert_id(s) of interest:
    reason_code:"1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D:9230D32E-4018-479E-9F88-2115BC2D181E" AND "cb:defense:tamper:policy_deny"
    • alert_ids can be searched as well by appending a single parenthesised OR-list:
       AND alert_id:(<alert_id_1> OR <alert_id_2> OR ... <alert_id_n>)
  • Investigate page shows no results for the specified alert_id(s):
    alert_id:<alert_id>
  • Alert Triage page shows a "no data available" error while triaging an alert

Cause

A Dynamic Rules Engine (DRE) event received an alert_id but was not persisted to the Unified Platform Experience data store that backs the Investigate page.

Resolution

  • A fix to show the actual event data on the Alert Triage and Investigate pages is being tracked via DSER-38946
    • This article will be updated when there is additional information

Additional Notes

  • These blocking alerts are raised when a process attempts to bypass AMSI using a fileless script
  • The DRE rule is delivered as part of Dynamic Content Manifests
  • The Alerts page search can be used with Group Alerts turned off to view all of the individual alert_ids tied to this same rule:
    reason_code:"1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D:9230D32E-4018-479E-9F88-2115BC2D181E" AND "cb:defense:tamper:policy_deny"
  • Replace every <item> placeholder with the actual value, including the angle brackets "<>"
    Example
    <process_name> becomes powershell.exe
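
The helper below is an added example and not part of this article or of the Carbon Black Cloud product: it builds the Alerts page search string described above with a correctly parenthesised alert_id clause, rejects queries that still contain <item> placeholders, and lists the alert_ids that appear on the Alerts page but return nothing on the Investigate page (the symptom this article describes). The alert_id values in the test are constructed sample data.

```python
import re

# Values taken from the article's search string.
REASON_CODE = "1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D:9230D32E-4018-479E-9F88-2115BC2D181E"
TAMPER_TAG = "cb:defense:tamper:policy_deny"
# Matches any unreplaced <item> placeholder, angle brackets included.
PLACEHOLDER = re.compile(r"<[^>]+>")


def build_alerts_query(alert_ids=()):
    """Return the Alerts page query, optionally restricted to the given alert_ids.

    The alert_id clause is a single parenthesised OR-list, e.g.
    alert_id:(ID1 OR ID2), so the whole list is one search term.
    """
    query = f'reason_code:"{REASON_CODE}" AND "{TAMPER_TAG}"'
    ids = [i.strip() for i in alert_ids if i and i.strip()]
    if ids:
        query += " AND alert_id:(" + " OR ".join(ids) + ")"
    return query


def check_query(query):
    """Raise ValueError if <placeholders> remain or parentheses are unbalanced."""
    leftovers = PLACEHOLDER.findall(query)
    if leftovers:
        raise ValueError(f"placeholders not replaced: {leftovers}")
    if query.count("(") != query.count(")"):
        raise ValueError("unbalanced parentheses in query")
    return True


def unpersisted_alerts(alerts_page_ids, investigate_ids):
    """alert_ids seen on the Alerts page but absent from Investigate results.

    These are the alerts whose DRE event was never written to the Investigate
    data store, so the Alert Triage page shows 'no data available' for them.
    """
    return sorted(set(alerts_page_ids) - set(investigate_ids))
```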

Creation Date: 09-27-2022