EDR: How To Remove Duplicate Threat Intel Feed Entries From the Console

Article ID: 287182

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to remove duplicate Threat Intel Feed entries from the Threat Intel Feeds page in the console.

Environment

  • EDR Server: All Versions

Resolution

  1. Stop the CB services:
     service cb-enterprise stop
  2. Start only the Postgres service:
     service cb-pgsql start
  3. Back up the alliance_feeds table:
     pg_dump -C -Fp -t alliance_feeds -f /var/log/cb/case<CASE#>_feeds.sql cb -p 5002
  4. Delete the duplicate feed entries by ID. Be sure the <IDOFDUPE> value is the ID of the duplicate feed; if the wrong feed is deleted, the backup must be restored:
     psql -d cb -p 5002 -c "delete from alliance_feeds where id = '<IDOFDUPE>';"
  5. Start the other CB services (see "How to restart server services").

Additional Information

  • Multiple duplicates can be deleted at once by modifying the deletion command to include multiple entries.
  • The ID of a duplicate entry can be found in the alliance_feeds table under the ID column.
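
One way to extend the deletion command to several IDs, as an added example that is not part of the original article or any vendor tooling: the functions below validate the IDs, then print a read-only review query and a delete statement in the same form as the single-ID command. The function names, and the assumption that feed IDs are plain positive integers, are this example's own.

```shell
#!/bin/sh
# Added example, not vendor code: build the SQL for removing several duplicate
# feed rows at once, refusing anything that is not a plain numeric ID.
# Assumption: alliance_feeds.id values are positive integers.

# feed_id_list ID... -> prints a quoted list such as '3','7'; returns 1 on bad input.
feed_id_list() {
    [ "$#" -gt 0 ] || { echo "no feed IDs given" >&2; return 1; }
    list=""
    for id in "$@"; do
        case "$id" in
            ''|*[!0-9]*) echo "rejecting non-numeric ID: $id" >&2; return 1 ;;
        esac
        # Skip IDs already in the list so each appears once.
        case ",$list," in
            *",'$id',"*) continue ;;
        esac
        list="${list:+$list,}'$id'"
    done
    printf '%s\n' "$list"
}

# Read-only statement for checking which rows the IDs refer to.
feed_review_sql() {
    ids=$(feed_id_list "$@") || return 1
    printf 'select * from alliance_feeds where id in (%s);\n' "$ids"
}

# Statement that deletes those rows, same form as the single-ID command.
feed_delete_sql() {
    ids=$(feed_id_list "$@") || return 1
    printf 'delete from alliance_feeds where id in (%s);\n' "$ids"
}

# Dry run: print both psql commands for the operator to review and run by hand.
# On bad input the error goes to stderr and nothing is printed.
if [ "$#" -gt 0 ] && review=$(feed_review_sql "$@") && delete=$(feed_delete_sql "$@"); then
    printf 'psql -d cb -p 5002 -c "%s"\n' "$review"
    printf 'psql -d cb -p 5002 -c "%s"\n' "$delete"
fi
```

Invoked with the IDs as arguments, the script only prints the two psql commands, so nothing in the database changes until the operator has checked the review query's output and runs the delete.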