Environment
- Carbon Black Cloud Console: All Versions
Objective
This document describes how to search for Policy Actions (blocks/terminations) in the Console.
Resolution
Search for blocks/terminations on all systems
- Log in to the Dashboard
- Go to the Investigate page
- Choose a time period
- Search for POLICY_TERMINATE or POLICY_DENY to find all block/termination events during the specified time period across all devices in the org
ttp:POLICY_DENY OR ttp:POLICY_TERMINATE
Search for blocks/terminations on a selected device
- Go to the Endpoints page
- Search for the Device Name
- Click on the Device Name to be taken to the Investigate page for that device
- Choose a time period
- Search for POLICY_TERMINATE or POLICY_DENY to find block/termination events on this device during the specified time period (replace DEVICEID with the device's ID)
device_id:DEVICEID AND (ttp:POLICY_DENY OR ttp:POLICY_TERMINATE)
Additional Notes
- Use OR to find both the POLICY_TERMINATE and POLICY_DENY TTPs in one search query
- Some events might say: "The operation was blocked by the operating system". That means the block was NOT performed by a sensor policy action, but by the operating system itself.