Showing results for 
Show  only  | Search instead for 
Did you mean: 
Access VMworld content on-demand if you missed the event. 70+ security focused sessions were offered -- access requires registration.

Endpoint Standard: No new Enriched Events on Investigate after disabling Enterprise EDR

Endpoint Standard: No new Enriched Events on Investigate after disabling Enterprise EDR


  • Carbon Black Cloud Console: August 2020 Release and Higher
    • Endpoint Standard (was CB Defense)
  • Unified Platform Experience


  • Org started with Endpoint Standard (was CB Defense) and Enterprise EDR (was CB ThreatHunter)
    • May also have or have had Audit & Remediation (was CB LiveOps) and/or Managed Detection (was CB ThreatSight)
    • May have started under an Incident Response (IR) engagement with an IR Partner or Managed Security Service Provider (MSSP)
  • Org disabled Enterprise EDR since 01-Jul-2020
  • New Endpoint Standard Alerts continue showing on Alerts page
  • New Enriched Event data stopped appearing on Investigate page when Enterprise EDR was disabled
  • New Process data continues to appear on Investigate page


Backend issue where Investigate page is pulling data from incorrect database


Open a case with Carbon Black Technical Support and provide
  • Subject: No new Investigate data since <Date>
  • Environment (column from this table)
  • Org ID
  • Org Key
  • Date and time of most recent Event on Investigate page OR Date Enterprise EDR was disabled (either)
    Subject: No new Investigate data since July 1, 2020
    Environment: Prod05
    Org ID: 123456
    Org Key: ABCD1234
    New Alerts are showing on the Alerts page, but no new Events can be seen on the Investigate page since 01-Jul-2020.

Additional Notes

  • Data is not lost
  • Support can help with getting access to the last 30 days of Event data
  • Support will then work with Engineering to backfill data up to 5 months prior

Related Content

Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Creation Date: