Endpoint Standard: No new Enriched Events on Investigate after disabling Enterprise EDR

Environment

  • Carbon Black Cloud Console: August 2020 Release and Higher
    • Endpoint Standard (was CB Defense)
  • Unified Platform Experience

Symptoms

  • Org started with Endpoint Standard (was CB Defense) and Enterprise EDR (was CB ThreatHunter)
    • May also have or have had Audit & Remediation (was CB LiveOps) and/or Managed Detection (was CB ThreatSight)
    • May have started under an Incident Response (IR) engagement with an IR Partner or Managed Security Service Provider (MSSP)
  • Org disabled Enterprise EDR since 01-Jul-2020
  • New Endpoint Standard Alerts continue showing on Alerts page
  • New Enriched Event data stopped appearing on Investigate page when Enterprise EDR was disabled
  • New Process data continues to appear on Investigate page

Cause

A backend issue causes the Investigate page to pull its data from the incorrect database.

Resolution

Open a case with Carbon Black Technical Support and provide:
  • Subject: No new Investigate data since <Date>
  • Environment (column from this table)
  • Org ID
  • Org Key
  • Date and time of the most recent Event on the Investigate page, or the date Enterprise EDR was disabled (either is sufficient)
    Example
    
    Subject: No new Investigate data since July 1, 2020
    
    Environment: Prod05
    Org ID: 123456
    Org Key: ABCD1234
    
    New Alerts are showing on the Alerts page, but no new Events can be seen on the Investigate page since 01-Jul-2020.

Additional Notes

  • Data is not lost
  • Support can help with getting access to the last 30 days of Event data
  • Support will then work with Engineering to backfill data up to 5 months prior

Article Information
Creation Date: 09-24-2020