EDR: Multiple events created for the same false positive alert
Article ID: 286283
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
When a false positive alert is resolved or updated, multiple watchlist hits related to that alert are triggered.
Environment
EDR server: All versions
Cause
This is expected behaviour
Resolution
The product sends a separate watchlist.hit.ingress.process alert for each of the following alert state changes made while resolving a false positive:
New Alert
False Positive
Assign
Resolved
This occurs when a user makes a change to an alert within the console (triage alerts page).
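Because each triage step re-emits the hit, a downstream consumer (SIEM forwarder, ticketing integration) can receive several messages for one process on one watchlist. The following is an added example, not code from the article or from Carbon Black, of a consumer-side filter that forwards the first hit for a process/watchlist pair and drops the repeats that arrive within a short window; the field names (event_type, process_guid, watchlist_name, timestamp) and the sample messages are assumptions constructed for this example, not the documented message schema.

```python
from datetime import datetime, timedelta

# Constructed sample of event-bus messages. Field names are assumed for this example.
# Events 2-4 are the repeats produced by marking the first hit False Positive,
# Assigning it, and Resolving it in the triage alerts page.
SAMPLE_EVENTS = [
    {"event_type": "watchlist.hit.ingress.process", "process_guid": "guid-A",
     "watchlist_name": "Example Watchlist", "timestamp": "2024-01-01T10:00:00"},
    {"event_type": "watchlist.hit.ingress.process", "process_guid": "guid-A",
     "watchlist_name": "Example Watchlist", "timestamp": "2024-01-01T10:05:00"},
    {"event_type": "watchlist.hit.ingress.process", "process_guid": "guid-A",
     "watchlist_name": "Example Watchlist", "timestamp": "2024-01-01T10:05:01"},
    {"event_type": "watchlist.hit.ingress.process", "process_guid": "guid-A",
     "watchlist_name": "Example Watchlist", "timestamp": "2024-01-01T10:05:02"},
    # A genuinely different process on the same watchlist must still be forwarded.
    {"event_type": "watchlist.hit.ingress.process", "process_guid": "guid-B",
     "watchlist_name": "Example Watchlist", "timestamp": "2024-01-01T10:07:00"},
    # Non-watchlist messages pass through untouched.
    {"event_type": "other.event", "process_guid": "guid-C",
     "timestamp": "2024-01-01T10:08:00"},
]

DEFAULT_WINDOW = timedelta(minutes=10)


def collapse_watchlist_hits(events, window=DEFAULT_WINDOW):
    """Forward each event except repeated watchlist hits.

    A watchlist.hit.ingress.process message is dropped when a hit for the same
    (process_guid, watchlist_name) pair was already forwarded within `window`.
    Returns (forwarded_events, suppressed_count).
    """
    last_forwarded = {}  # (process_guid, watchlist_name) -> timestamp of forwarded hit
    forwarded = []
    suppressed = 0
    for event in events:
        if event.get("event_type") != "watchlist.hit.ingress.process":
            forwarded.append(event)
            continue
        key = (event["process_guid"], event["watchlist_name"])
        seen_at = datetime.fromisoformat(event["timestamp"])
        previous = last_forwarded.get(key)
        if previous is not None and seen_at - previous <= window:
            suppressed += 1  # repeat caused by triage of an already-forwarded hit
            continue
        last_forwarded[key] = seen_at
        forwarded.append(event)
    return forwarded, suppressed
```

Only the repeats are dropped; the original hit for each process still reaches the consumer, so tuning the window trades a longer blind spot for the same process against catching the whole triage sequence.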
Additional Information
Additional information is recorded for auditing. For example, when False Positive or Resolved is selected, the status field is updated and two further fields are populated to identify which user resolved the alert and when it was resolved: