CB Response: Alerts Generated Despite Being Ignored or MD5 Not Being Seen in Environment
Article ID: 287382
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Alerts are still generated for an IOC (MD5 hash) that has been marked as Ignored.
- Alerts are still fired for a binary that has not been seen in the environment in recent history.
Environment
- CB Response Server: Version 6.2.4 and Later
Cause
- When individual feed reports or whole feeds are deleted, the binary documents that those reports previously tagged keep their tags and may need to be "cleaned" (scrubbed).
- Those stale tags can produce false-positive alerts from watchlists and threat reports that query the cbmodules (binary) core, because the stored tag still matches even though the report no longer exists or the binary has not been observed recently.
Resolution
- Run the feed_search maintenance job with the --scrub option to remove stale MD5 tags for a specific feed (replace <feed name> with the name of the feed whose reports were deleted):
/usr/share/cb/virtualenv/bin/python -m cb.maintenance.job_runner --master -vv feed_search --tag --feed <feed name> --iocs md5 --scrub
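When several feeds have been deleted, the scrub has to be run once per feed. The wrapper below is an added example written for this article, not a script shipped with Carbon Black EDR: it uses only the job_runner flags shown above, builds the exact command for each feed name, refuses names containing shell quote characters (they would corrupt the printed command), and defaults to a dry run that prints what would be executed. The script name, the DRY_RUN variable, the validation rules and the sample feed names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the KB article or the product): run the
# feed_search --scrub job for several feeds in sequence.
# Only the flags from the article are used; DRY_RUN and the feed names
# are assumptions. Set DRY_RUN=0 to actually execute on the CB server.

CB_PYTHON="/usr/share/cb/virtualenv/bin/python"

# Build the command line from the article for one feed, as a single string
# so it can be reviewed before anything is executed.
build_scrub_cmd() {
    feed="$1"
    printf '%s -m cb.maintenance.job_runner --master -vv feed_search --tag --feed "%s" --iocs md5 --scrub' \
        "$CB_PYTHON" "$feed"
}

# Reject empty names and names containing quote or expansion characters.
# The name is passed as a single argv entry when run for real, so this is
# mainly to keep the dry-run output unambiguous and to catch typos early.
validate_feed_name() {
    case "$1" in
        "" )    return 1 ;;
        *\"* )  return 1 ;;
        *\'* )  return 1 ;;
        *\`* )  return 1 ;;
        *\$* )  return 1 ;;
        * )     return 0 ;;
    esac
}

# Scrub each feed given on the command line. Returns non-zero if any feed
# name was rejected or any real run failed, but keeps going through the list.
scrub_feeds() {
    rc=0
    for feed in "$@"; do
        if ! validate_feed_name "$feed"; then
            echo "skipping invalid feed name: '$feed'" >&2
            rc=1
            continue
        fi
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "DRY RUN: $(build_scrub_cmd "$feed")"
        else
            # Real run: the feed name is one argument, no re-quoting needed.
            "$CB_PYTHON" -m cb.maintenance.job_runner --master -vv \
                feed_search --tag --feed "$feed" --iocs md5 --scrub || rc=1
        fi
    done
    return $rc
}

# Example invocation with assumed feed names (dry run by default):
# DRY_RUN=1 scrub_feeds "alienvault" "abusech"
```

Run it once with the default dry run to confirm the feed names and the exact command, then with DRY_RUN=0 on the CB Response server. The -vv flag from the article makes the job verbose, so redirecting output to a log file is useful when scrubbing many feeds.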