
Carbon Black Cloud: Alert Triage Page Show "no data available" Error While Triaging an Alert

Environment

  • Carbon Black Cloud Console: July 2021 Release (version 0.67.x) and Higher
    • Endpoint Standard
  • Carbon Black Cloud Sensor: 3.6.0.1719 and Higher
  • Microsoft Windows: All Supported Versions

Symptoms

  • Alerts page has one or several alert_ids calling out a file which "attempted to" do something, for example:
    The application <process_name> attempted to execute fileless content in order to evade inspection. A Deny policy action was applied.
  • Searching on the Alerts page for reason_code and Technique returns results for the specified timeframe, including the alert_id(s) of interest
    reason_code:"1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D:9230D32E-4018-479E-9F88-2115BC2D181E" AND "cb:defense:tamper:policy_deny"
    • alert_ids can be searched as well by appending a single parenthesised OR group to the query above
      AND alert_id:(<alert_id_1> OR <alert_id_2> OR ... <alert_id_n>)
  • Investigate page shows no results for the specified alert_id(s)
    alert_id:<alert_id>
  • Alert Triage page shows a "no data available" error while triaging an alert

Cause

A Dynamic Rules Engine (DRE) event received an alert_id but was not persisted to the Unified Platform Experience data store that backs the Investigate page, so neither the Investigate page nor the Alert Triage page has event data to display for that alert_id.

Resolution

  • A resolution that shows the actual Event data on the Alert Triage and Investigate pages is being tracked via DSER-38946
    • This article will be updated when there is additional information

Additional Notes

  • These blocking Alerts are due to a process attempting to bypass AMSI using a fileless script
  • DRE Rule is delivered as part of Dynamic Content Manifests
  • Alerts page search can be used with Group Alerts turned off to view all of the individual alert_ids tied to this same rule
    reason_code:"1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D:9230D32E-4018-479E-9F88-2115BC2D181E" AND "cb:defense:tamper:policy_deny"
  • Replace all <items> with actual data; the angle brackets "<>" are part of the placeholder and must be replaced too
    Example
    <process_name> becomes powershell.exe
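The Alerts page queries and the placeholder convention above, as an added Python example that is not part of the Carbon Black article. It takes the reason_code and the "cb:defense:tamper:policy_deny" value from the article, builds the alert_id OR group as one parenthesised clause, refuses to emit a query with unbalanced parentheses, and replaces <placeholder> tokens (brackets included) while failing on any placeholder left unfilled. The alert_id values in the sample run are constructed, not real.

```python
import re

# Values taken from the article above
REASON_CODE = "1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D:9230D32E-4018-479E-9F88-2115BC2D181E"
POLICY_DENY_TAG = "cb:defense:tamper:policy_deny"

# A placeholder is anything between one pair of angle brackets, e.g. <process_name>
PLACEHOLDER = re.compile(r"<([^<>]+)>")


def fill_placeholders(template: str, values: dict) -> str:
    """Replace every <name> placeholder, angle brackets included, with values[name].

    A placeholder with no supplied value raises KeyError instead of being left
    in place, so a half-filled query is never pasted into the console.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder <{name}>")
        return values[name]

    return PLACEHOLDER.sub(substitute, template)


def is_balanced(query: str) -> bool:
    """True when every '(' in the query has a matching ')' in the right order."""
    depth = 0
    for ch in query:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:  # a ')' appeared before its '('
                return False
    return depth == 0


def alert_id_clause(alert_ids) -> str:
    """Build 'alert_id:(id1 OR id2 ...)' as a single parenthesised group."""
    ids = [a.strip() for a in alert_ids if a and a.strip()]
    if not ids:
        raise ValueError("at least one alert_id is required")
    return "alert_id:(" + " OR ".join(ids) + ")"


def build_alert_query(alert_ids=None) -> str:
    """Alerts-page query for the DRE rule, optionally narrowed to the given alert_ids.

    Run it with Group Alerts turned off to list every individual alert_id for the rule.
    """
    query = f'reason_code:"{REASON_CODE}" AND "{POLICY_DENY_TAG}"'
    if alert_ids:
        query += " AND " + alert_id_clause(alert_ids)
    if not is_balanced(query):  # never hand the console a query it will reject
        raise ValueError(f"unbalanced parentheses in query: {query}")
    return query


if __name__ == "__main__":
    # Constructed sample alert_ids; real ones come from the Alerts page
    sample_ids = [
        "00000000-aaaa-bbbb-cccc-000000000001",
        "00000000-aaaa-bbbb-cccc-000000000002",
    ]
    print(build_alert_query())
    print(build_alert_query(sample_ids))
    print(fill_placeholders(
        "The application <process_name> attempted to execute fileless content",
        {"process_name": "powershell.exe"},
    ))
    # A mis-grouped clause such as 'alert_id:(a) OR b)' is caught before use
    print(is_balanced("alert_id:(a) OR b)"))  # False
```

The balance check is deliberately strict: a stray closing parenthesis in the alert_id group is exactly the kind of typo that makes the Alerts page return nothing, which is easy to confuse with the symptom this article describes.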

Article Information
Creation Date: 09-27-2022