EDR: How to Query Postgres for Watchlist and Feed Action Options (Alert, Syslog, Email)



Article ID: 285714


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to list out the watchlists and feeds that have Alert, Syslog and/or Email enabled. 

Environment

  • EDR Server: All Versions

Resolution

Feed:
psql -p 5002 cb -x -c "select CASE a.action_type when 0 then 'Email' when 1 then 'Syslog' when 3 then 'Alert' end as subscriber_type,f.display_name FROM alliance_feeds as f JOIN watchlist_action as a on (f.id = a.alliance_feed_id);"

Watchlist:
psql -p 5002 cb -x -c "select CASE a.action_type when 0 then 'Email' when 1 then 'Syslog' when 3 then 'Alert' end as subscriber_type, w.*,u.username from watchlist_entries as w JOIN watchlist_action as a on (w.id = a.watchlist_id) LEFT JOIN watchlist_action_subscriber as s on (s.watchlist_action_id = a.id) LEFT JOIN cb_user as u on (s.user_id = u.id) order by w.id asc;"

Note: Remove -x if you would like the entries displayed as rows; that output can be difficult to read because of word wrap. With -x, psql prints each entry as one key: value pair per line, which is easier to read.
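
As an added example (not part of this article), the two queries above can be combined into a single report that shows, for every watchlist and every feed, whether Email, Syslog and Alert are enabled and which users subscribe to the email action. It assumes the id columns of watchlist_entries and alliance_feeds are primary keys and that action_type follows the same 0/1/3 mapping as above; the article's query uses w.*, so the watchlist name column is not known here and only the watchlist id is listed.

```sql
-- Added example (not from the article): one report listing every watchlist
-- and every feed with an Email / Syslog / Alert flag, built from the same
-- tables as the two queries above. Assumes watchlist_entries.id and
-- alliance_feeds.id are primary keys and action_type uses the article's
-- mapping (0 = Email, 1 = Syslog, 3 = Alert). Needs Postgres 9.4+ (FILTER).
-- Run with:  psql -p 5002 cb -f action_report.sql
WITH per_action AS (
    -- one row per configured action, with the users subscribed to it
    SELECT a.id, a.watchlist_id, a.alliance_feed_id, a.action_type,
           string_agg(u.username, ', ' ORDER BY u.username) AS subscribers
      FROM watchlist_action AS a
      LEFT JOIN watchlist_action_subscriber AS s ON s.watchlist_action_id = a.id
      LEFT JOIN cb_user AS u ON u.id = s.user_id
     GROUP BY a.id, a.watchlist_id, a.alliance_feed_id, a.action_type
),
per_target AS (
    -- collapse the actions of each watchlist / feed into three booleans;
    -- Email is per user, so only its subscribers are carried through
    SELECT watchlist_id, alliance_feed_id,
           bool_or(action_type = 0) AS email,
           bool_or(action_type = 1) AS syslog,
           bool_or(action_type = 3) AS alert,
           string_agg(subscribers, ', ') FILTER (WHERE action_type = 0)
               AS email_subscribers
      FROM per_action
     GROUP BY watchlist_id, alliance_feed_id
)
-- watchlist name column is not shown in the article's query, so it is left NULL
SELECT 'watchlist' AS kind, w.id, NULL::text AS display_name,
       coalesce(t.email,  false) AS email,
       coalesce(t.syslog, false) AS syslog,
       coalesce(t.alert,  false) AS alert,
       t.email_subscribers
  FROM watchlist_entries AS w
  LEFT JOIN per_target AS t ON t.watchlist_id = w.id
UNION ALL
SELECT 'feed', f.id, f.display_name,
       coalesce(t.email,  false),
       coalesce(t.syslog, false),
       coalesce(t.alert,  false),
       t.email_subscribers
  FROM alliance_feeds AS f
  LEFT JOIN per_target AS t ON t.alliance_feed_id = f.id
 ORDER BY kind, id;
```

Watchlists and feeds with no action configured still appear, with all three flags false, which makes it easy to spot items that will never notify anyone.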

Additional Information

  • Email is user specific: each user who wants an email must enable it for themselves, either on the threat intelligence page (feeds) or on the watchlist page for each individual watchlist.
  • Alerts are global: when a global admin enables alerting, it is enabled for all users.
  • Syslog is also global. Enabling syslog only applies to deployments that use rsyslog via cb-coreservices.conf (on-prem only); if you are using the Cb-Event-Forwarder, this is not needed.