CB Response: Alert "Cb Threat Intel enabled but not connected. Error code: 403"

Article ID: 285790

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

The console displays the error "Cb Threat Intel enabled but not connected. Error code: 403".

/var/log/cb/allianceclient/allianceclient.log:
 
2020-02-05 10:22:41 [16796] <err> cb.alliance.comms - POST of 1000 vt_write events to api/v2/reputation/module/writers returned 403
2020-02-05 10:22:41 [16796] <err> cb.alliance.comms - Returned text: {"Message":"User: anonymous is not authorized to perform: es:ESHttpPost"}

Environment

CB Response Server: 6.4.1 and previous versions

Cause

This function is no longer used in the product. The error occurs because Alliance was getting many hits for this call and stopped it (CB-27468).

Resolution

  • Upgrade to 6.5.2 or above to correct the issue.
  • While the error still appears in the console, run the following to confirm that no feeds other than api/v2/reputation/module/writers are affected:
    redis-cli -n 1 hgetall AllianceCommStatus | sed -s 'N;/200,/!P;D'
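
A log-side cross-check for the step above, as an added example that is not part of the original article or Carbon Black's tooling: it summarises non-200 POST results in allianceclient.log by endpoint, matching only lines shaped like the error quoted in this article. The function names and the embedded sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise failed POSTs in allianceclient.log by endpoint.
# Matches only lines shaped like the error shown in this article:
#   "... POST of <n> <type> events to <endpoint> returned <status>"

DEPRECATED="api/v2/reputation/module/writers"

# Print "<endpoint> <status> <count>" for every non-200 POST result.
# Reads the files given as arguments, or stdin when none are given.
failed_posts() {
    awk '
        / POST of .* to .* returned [0-9]+/ {
            endpoint = ""; status = ""
            for (i = 1; i < NF; i++) {
                if ($i == "to")       endpoint = $(i + 1)
                if ($i == "returned") status   = $(i + 1)
            }
            if (status != "200") count[endpoint " " status]++
        }
        END { for (k in count) print k, count[k] }
    ' "$@" | sort
}

# Print endpoints other than the deprecated one that show failures.
# Empty output means only the deprecated call is affected.
other_failures() {
    failed_posts "$@" | awk -v dep="$DEPRECATED" '$1 != dep { print $1 }' | sort -u
}

# Constructed sample: the article's two log lines plus one repeat of the first.
sample_log() {
cat <<'EOF'
2020-02-05 10:22:41 [16796] <err> cb.alliance.comms - POST of 1000 vt_write events to api/v2/reputation/module/writers returned 403
2020-02-05 10:22:41 [16796] <err> cb.alliance.comms - Returned text: {"Message":"User: anonymous is not authorized to perform: es:ESHttpPost"}
2020-02-05 10:27:41 [16796] <err> cb.alliance.comms - POST of 1000 vt_write events to api/v2/reputation/module/writers returned 403
EOF
}

# With a log path as argument, summarise that file; otherwise use the sample.
if [ $# -gt 0 ]; then
    failed_posts "$@"
else
    sample_log | failed_posts
fi
```

Run it with /var/log/cb/allianceclient/allianceclient.log as the argument; any endpoint printed by other_failures warrants a closer look before attributing the alert to this issue.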

Additional Information

  • api/v2/reputation/module/writers was part of the deprecated support for the VirusTotal feed. This was replaced with CB Reputation feeds.
  • This does not prevent any other feeds from updating.