Environment
- Carbon Black Cloud Console: Feb 2020 - Oct 2020 releases (0.52.x - 0.59.x backend)
- Endpoint Standard (was CB Defense)
- Enterprise EDR (was CB ThreatHunter)
Scenario
- Enterprise EDR originally provisioned with Endpoint Standard
- Watchlists configured under Enterprise EDR
- Notifications configured for Watchlist hits
- Enterprise EDR deprovisioned/removed
Symptoms
- Alerts and Notifications for Watchlist hits continue after Enterprise EDR is disabled
- Only Process Analysis link/button included
- Unable to get to Process Analysis page with Enterprise EDR disabled
- Unable to remove/disable Watchlists with Enterprise EDR disabled
Cause
Watchlists are not disabled or deleted when Enterprise EDR is removed from the Console
Resolution
- The November 11 release (0.60.x backend), under LC-413, resolves this issue for orgs where Enterprise EDR has been deprovisioned since that date
- If an organization had Enterprise EDR disabled prior to the date above, please use the Delete All Watchlists API to remove any remaining Watchlists directly
Additional Notes
If this issue is observed on orgs where Enterprise EDR has been disabled since the November 11, 2020 release, please open a case with Carbon Black Technical Support and provide:
- Organization name, Org ID, Org Key
- Example CB ThreatHunter AlertID and screenshot(s) showing Alerts page with Alert details expanded
- Count of Alerts in last two weeks referencing 'watchlist' when searching on Alerts page
If an organization had Enterprise EDR disabled prior to November 11, 2020, they can make use of the Delete All Watchlists API to remove all Watchlists and stop receiving Alerts and Notifications tied to them.