EDR: Enable Threat Report Title in Triage Alerts
search cancel

EDR: Enable Threat Report Title in Triage Alerts

book

Article ID: 286296

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

To enable the report ID's from threat reports to display as the actual titles instead of ID's

Environment

  • EDR Server: 7.x
  • EDR Server: 6.5.3 and Higher

Resolution

To enable this for on-prem EDR customers:
  1. Open /etc/cb/cb.conf
  2. Add:
FeedHitLoadReportTitles​=True
  1. Save and exit the cb.conf file
  2. Restart instance services

To enable this for Hosted EDR customers:
  1. Open a Support case
  2. Support will request the cloud operations team to perform identical steps as above and notify once complete

Additional Information

  • Note​: Please use this feature with caution. Additional memory will be used, proportional to the number of reports on your server.
  • Further details can be found on page 291 in the 7.6 User Guide
  • After you have changed the cb.conf setting and restarted cb-enterprise services, the report names are populated in the following places:
    • In the Triage Alerts page Records facet.
    • Bus events.
    • Syslog notifications.
    • Email notifications. Both report ID and report name are displayed in the email. If the feature is turned off, the report name is displayed as “Unknown”.
Powered by Wolken Software