
Carbon Black Cloud: How to Find Policy Actions in the Web Console

Environment

  • Carbon Black Cloud Console: All Versions

Objective

This document describes how to search for Policy Actions (blocks/terminations) in the Carbon Black Cloud Console.


Resolution

Search for blocks/terminations on all systems

  1. Log in to the Dashboard
  2. Go to the Investigate page
  3. Choose the time period
  4. Search for POLICY_TERMINATE or POLICY_DENY to find all block/termination events during the specified time period across all devices in the org:
     ttp:POLICY_DENY OR ttp:POLICY_TERMINATE

Search for blocks/terminations on a selected device

  1. Go to the Endpoints page
  2. Search for the Device Name
  3. Click on the Device Name to be taken to the Investigate page
  4. Choose the time period
  5. Search for POLICY_TERMINATE or POLICY_DENY to find block/termination events on this device during the specified time period (DEVICEID is the numeric device ID of the selected endpoint):
     device_id:DEVICEID AND (ttp:POLICY_DENY OR ttp:POLICY_TERMINATE)

Additional Notes

  • Use OR to find both POLICY_TERMINATE and POLICY_DENY TTPs in one search query
  • Some events might say: "The operation was blocked by the operating system". That means the blocking action was NOT taken by sensor policy actions, but by the Operating System itself.
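The two console searches above and the "blocked by the operating system" caveat can be reproduced locally, which is useful when triaging an export of events rather than the live Investigate page. The following is an added example and not Carbon Black's own code or API; it assumes a constructed event record shape (a list of TTP tags under "ttp", a numeric "device_id", and a free-text "description"), builds the same query strings the article uses, applies equivalent filtering to sample events, and separates sensor policy actions from blocks that the operating system applied.

```python
"""Added example (not Carbon Black's code): reproduce the Investigate
console's Policy Action searches over constructed event records.

Assumed record shape (not taken from the article): each event is a dict
with "event_id", "device_id", a list of TTP tags under "ttp", and a
free-text "description".
"""

# The two TTPs the article searches for.
POLICY_ACTION_TTPS = {"POLICY_DENY", "POLICY_TERMINATE"}

# Text the article says marks a block applied by the OS, not by the sensor.
OS_BLOCK_TEXT = "The operation was blocked by the operating system"


def build_query(device_id=None):
    """Return the Investigate search string from the article.

    Without a device_id this is the org-wide search; with one it is the
    per-device search from the second procedure.
    """
    base = "ttp:POLICY_DENY OR ttp:POLICY_TERMINATE"
    if device_id is None:
        return base
    return f"device_id:{device_id} AND ({base})"


def is_policy_action(event):
    """True when the event carries a POLICY_DENY or POLICY_TERMINATE TTP."""
    return bool(POLICY_ACTION_TTPS & set(event.get("ttp", [])))


def classify_block(event):
    """Separate sensor policy actions from blocks applied by the OS.

    The article's note: an event whose text says the operation was blocked
    by the operating system was NOT blocked by sensor policy.
    """
    if OS_BLOCK_TEXT.lower() in event.get("description", "").lower():
        return "os_block"
    if is_policy_action(event):
        return "policy_action"
    return "other"


def find_policy_actions(events, device_id=None):
    """Local equivalent of the console query.

    Returns (event_id, block source) for every matching event, optionally
    restricted to one device, preserving input order.
    """
    results = []
    for ev in events:
        if device_id is not None and ev.get("device_id") != device_id:
            continue
        if not is_policy_action(ev):
            continue
        results.append((ev["event_id"], classify_block(ev)))
    return results


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": "e1", "device_id": 1001,
     "ttp": ["POLICY_TERMINATE", "RUN_UNKNOWN_APP"],
     "description": "The application was terminated by policy."},
    {"event_id": "e2", "device_id": 1002,
     "ttp": ["POLICY_DENY"],
     "description": "The operation was denied by policy."},
    {"event_id": "e3", "device_id": 1001,
     "ttp": ["POLICY_DENY"],
     "description": "The operation was blocked by the operating system."},
    {"event_id": "e4", "device_id": 1001,
     "ttp": ["NETWORK_ACCESS"],
     "description": "The application established a network connection."},
]


if __name__ == "__main__":
    print("org-wide query:", build_query())
    print("device query:  ", build_query(1001))
    for event_id, source in find_policy_actions(SAMPLE_EVENTS):
        print(event_id, source)
```

The OS-block check runs before the TTP check so that an event carrying POLICY_DENY but describing an operating-system block is reported as "os_block" rather than counted as a sensor policy action, which is the distinction the note above draws.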

Article Information
Creation Date: 02-15-2017