EDR: How to bulk delete triage alerts

Article ID: 285229

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Bulk delete alerts from the triage page

Environment

  • EDR (formerly CB Response) Server: 6.1 and above (on-prem only)

Resolution

Warning: Deleting alerts will permanently remove them from the system. Consider bulk resolving alerts through the UI or API if alert retention is desired.
  • Alerts can be removed by posting a <delete> request to the Solr cbalerts core with curl:
    • curl http://127.0.0.1:8080/solr/cbalerts/update?commit=true -H "Content-Type: text/xml" -d "<delete><query>field:value</query></delete>"

Additional Information

Example queries. Replace the placeholder value after the colon (feedname, watchlist, state) with the desired field value.
  • Delete alerts from a specific feed
    • curl http://127.0.0.1:8080/solr/cbalerts/update?commit=true -H "Content-Type: text/xml" -d "<delete><query>feed_name:feedname</query></delete>"

  • Delete alerts from a specific watchlist
    • curl http://127.0.0.1:8080/solr/cbalerts/update?commit=true -H "Content-Type: text/xml" -d "<delete><query>watchlist_name:watchlist</query></delete>"

  • Delete alerts with a specific status
    • curl http://127.0.0.1:8080/solr/cbalerts/update?commit=true -H "Content-Type: text/xml" -d "<delete><query>status:state</query></delete>"
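Because the delete is permanent, a practitioner will usually want to see how many alerts a query matches before sending it. The following POSIX shell script is an added example, not part of this article or of the Carbon Black product: it builds the same field:value query as the curl commands above, quotes the value as a Solr phrase (so names containing spaces or colons match as intended), escapes it for the XML body, counts matching alerts with a Solr select query (rows=0) against the same cbalerts core, and issues the delete only after explicit confirmation. The SOLR_URL default, the function names and the confirmation prompt are assumptions of this example; the core name and the update handler syntax come from the article.

```shell
#!/bin/sh
# Added example (not from the KB): count alerts matching field:value in the
# Solr cbalerts core, then permanently delete them only after confirmation.
set -eu

# Assumed default; the host, port and core name are the ones used in the article.
SOLR_URL="${SOLR_URL:-http://127.0.0.1:8080/solr/cbalerts}"

# Quote a raw value as a Solr phrase: escape backslash and double quote, then wrap in quotes.
solr_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# Escape text for use inside an XML element body (& < > only; quotes are fine there).
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Build the field:"value" query string used by both the count and the delete.
build_query() {
    printf '%s:%s' "$1" "$(solr_quote "$2")"
}

# Build the <delete><query>...</query></delete> body for the Solr update handler.
build_delete_payload() {
    printf '<delete><query>%s</query></delete>' "$(xml_escape "$(build_query "$1" "$2")")"
}

# Count how many alerts a query matches; rows=0 returns only numFound, no documents.
count_matches() {
    curl -s -G "$SOLR_URL/select" \
        --data-urlencode "q=$1" \
        --data-urlencode "rows=0" \
        --data-urlencode "wt=json" \
      | sed -n 's/.*"numFound":\([0-9]*\).*/\1/p'
}

# Show the match count, ask for confirmation, then send the permanent delete.
delete_alerts() {
    query=$(build_query "$1" "$2")
    n=$(count_matches "$query")
    echo "Query $query matches ${n:-?} alert(s) in $SOLR_URL"
    printf 'Type DELETE to permanently remove them: '
    read -r answer
    [ "$answer" = "DELETE" ] || { echo "Aborted, nothing deleted."; return 1; }
    curl -s "$SOLR_URL/update?commit=true" \
        -H "Content-Type: text/xml" \
        -d "$(build_delete_payload "$1" "$2")"
    echo
}

# Usage: ./delete_alerts.sh feed_name "My Feed"   (field name, then value)
if [ "$#" -eq 2 ]; then
    delete_alerts "$1" "$2"
fi
```

Run it on the EDR server with the field name and value as two arguments, for example `./delete_alerts.sh watchlist_name "Suspicious Tools"`; the count step uses Solr's standard select handler and curl's -G/--data-urlencode so the quoted query is sent intact, and nothing is deleted unless the prompt is answered with DELETE.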