CB Response: Alerts Generated Despite Being Ignored or MD5 Not Being Seen in Environment

Article ID: 287382

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Alerts are still being generated for an IOC after that IOC has been marked as Ignored.
  • Alerts are still being fired for a binary even though the binary has not been seen in the environment recently.

Environment

  • CB Response Server: Version 6.2.4 and Later

Cause

  • When individual feed reports or whole feeds are deleted, the documents that were previously tagged by those reports are not automatically cleaned; the stale tags remain on the stored binary documents.
  • Watchlists and threat reports whose queries join against the cbmodules Solr core can therefore still match the stale tags and generate alerts that are false positives.

Resolution

  • Use the feed_search job's scrub option to clean the documents tagged with MD5 IOCs from a specific feed. Run the following on the CB Response server, substituting the feed's name for <feed name>:
/usr/share/cb/virtualenv/bin/python -m cb.maintenance.job_runner --master -vv feed_search --tag --feed <feed name> --iocs md5 --scrub
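
The following wrapper is an added example and is not part of the Carbon Black article or product. It runs the scrub command above only after confirming that the feed name is one the server actually knows, so a mistyped name does not silently scrub nothing. It assumes (my assumptions, not the article's) that it runs as root on the CB Response master, that the REST API is reachable at https://localhost with an API token in CB_API_TOKEN, and that GET /api/v1/feed returns a JSON array of feed objects each carrying a "name" field. The sample feed JSON in the block is constructed for offline testing.

```bash
#!/bin/sh
# Added example, not from the Carbon Black KB article: confirm a feed name is
# known to the server, then run the article's feed_search --scrub for its MD5 IOCs.
set -eu

# Assumption: the CB Response virtualenv path from the article, and the
# REST API on the local master (override CB_API_URL if it differs).
CB_PYTHON=/usr/share/cb/virtualenv/bin/python
CB_API_URL="${CB_API_URL:-https://localhost}"

# Constructed sample of what GET /api/v1/feed might return; used for offline
# checks only. Real responses carry many more fields per feed.
SAMPLE_FEED_JSON='[{"id": 1, "name": "abusech", "display_name": "Abuse.ch"},
 {"id": 2, "name": "my custom feed", "display_name": "Custom"}]'

# Read a JSON array of feed objects on stdin and print one feed "name" per line.
# The pattern requires a leading quote, so keys such as "display_name" are skipped.
feed_names_from_json() {
    grep -o '"name"[[:space:]]*:[[:space:]]*"[^"]*"' \
        | sed 's/.*:[[:space:]]*"\([^"]*\)"$/\1/'
}

# Return 0 if the exact feed name given as $1 appears as a line on stdin.
# -x matches the whole line and -F disables regex, so "abuse" does not match "abusech".
feed_known() {
    grep -qxF -- "$1"
}

# Fetch the feed list from the server and scrub MD5 tags for the named feed.
scrub_feed_md5s() {
    feed_name="$1"
    names="$(curl -sSk -H "X-Auth-Token: ${CB_API_TOKEN:?set CB_API_TOKEN to an API token}" \
        "${CB_API_URL}/api/v1/feed" | feed_names_from_json)"
    if ! printf '%s\n' "$names" | feed_known "$feed_name"; then
        echo "No feed named '${feed_name}' on this server; known feeds:" >&2
        printf '%s\n' "$names" >&2
        return 1
    fi
    # The command from the article's Resolution, unchanged except that the
    # feed name is quoted so names containing spaces stay a single argument.
    "$CB_PYTHON" -m cb.maintenance.job_runner --master -vv \
        feed_search --tag --feed "$feed_name" --iocs md5 --scrub
}

# Usage: ./scrub_feed_md5s.sh "<feed name>"
if [ $# -ge 1 ]; then
    scrub_feed_md5s "$1"
fi
```

The exact-match check matters because feed names on a server can share prefixes; a substring match could pass the check for a feed that does not exist and the scrub would then run against nothing.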