EDR: Alerts still being seen for disabled Yara rule

Article ID: 284969


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Alerts for a Yara rule that has been disabled are still being seen.

Environment

  • EDR (formerly CB Response) Server: 6.2.0 and higher

Cause

  • Binaries still tagged by the rule will result in alerts on detection.
  • Threat Reports associated with this Rule are still active.

Resolution

  • Confirm any Threat Reports associated with the rule have been disabled.
  • The following steps can be run to attempt to remove any tagged binaries:
  1. Use the cbfeed scrubber to remove existing tags for the feed:
/usr/share/cb/cbfeed_scrubber --untag yara
  2. Run the following to retag the binaries:
/usr/share/cb/virtualenv/bin/python -m cb.maintenance.job_runner --master -vvv feed_search --tag --feed <feedname> --iocs md5

Additional Information

  • Disabling the Yara rule only removes the IOC; any binaries tagged previously will still be alerted on.
  • cbfeed_scrubber will remove all tags, including those that are still valid. If the --untag option is not supplied, it performs a dry run, so it is a good idea to run it first to see how many binary and process docs are impacted.