Environment
- Carbon Black Cloud Console: August 2020 Release and Higher
- Endpoint Standard (was CB Defense)
- Unified Platform Experience
Symptoms
- Org started with Endpoint Standard (was CB Defense) and Enterprise EDR (was CB ThreatHunter)
- May also have or have had Audit & Remediation (was CB LiveOps) and/or Managed Detection (was CB ThreatSight)
- May have started under an Incident Response (IR) engagement with an IR Partner or Managed Security Service Provider (MSSP)
- Org disabled Enterprise EDR since 01-Jul-2020
- New Endpoint Standard Alerts continue showing on Alerts page
- New Enriched Event data stopped appearing on Investigate page when Enterprise EDR was disabled
- New Process data continues to appear on Investigate page
Cause
A backend issue causes the Investigate page to pull data from the incorrect database.
Resolution
Open a case with Carbon Black Technical Support and provide:
- Subject: No new Investigate data since <Date>
- Environment (column from this table)
- Org ID
- Org Key
- Date and time of most recent Event on Investigate page OR Date Enterprise EDR was disabled (either)
Example
Subject: No new Investigate data since July 1, 2020
Environment: Prod05
Org ID: 123456
Org Key: ABCD1234
New Alerts are showing on the Alerts page, but no new Events can be seen on the Investigate page since 01-Jul-2020.
Additional Notes
- Data is not lost
- Support can help with getting access to the last 30 days of Event data
- Support will then work with Engineering to backfill data up to 5 months prior