Hosted EDR: Disabled SRSTrust Feed Continues to Display Tagged Events
Article ID: 287640

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • SRSTrust Feed is disabled in the UI.
  • Events tagged based on SRSTrust feed continue to be displayed in the UI.
  • The update_timestamp in the Postgres alliance_feeds table is updated daily.
  • No new tagged events for the SRSTrust feed occur, but the previously tagged events remain displayed until Solr data rolls beyond the data retention.

Environment

  • Hosted EDR: Version 7.2.0 

Cause

  • By design, the update_timestamp in the Postgres alliance_feed table continues to be updated even when the feed is disabled: EDR still pulls the feed icon data after the feed is disabled.
  • By design, if the SRSTrust feed is removed from the alliance_feed table it will be re-added when EDR connects to Alliance.  If the feed was disabled before it was removed from the table, it remains disabled.
  • The feed data can be scrubbed from Solr, but the previously tagged events continue to be displayed until they roll out of the Solr storage based on data retention settings.  No new events will be tagged based on the feed.

Resolution

  • After disabling the SRSTrust feed via the UI, run cbfeed_scrubber to remove the feed's reports.  Use -v for verbose output and -u to untag the events:

/usr/share/cb/cbfeed_scrubber -uv srstrust
  • A temporary workaround to hide previously tagged events (after the feed is disabled) is to add a cb.conf setting that raises the feed's minimum hit score.  The default is 1; setting it to 100 effectively tells EDR to ignore any SRSTrust-tagged events:

FeedHitMinScoreSrsTrust=100
  • Alternatively, restrict the search query to events that started on or after the date the feed was disabled (substitute that date for YYYY-MM-DD):

alliance_score_srstrust:* AND start:[YYYY-MM-DDT00:00:00 TO *]
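The cb.conf workaround above is temporary, so it helps to apply and later revert it without leaving duplicate keys behind, and to build the date-bounded query from a validated date. The following shell functions are an added example, not part of the KB article or the Carbon Black product; they take the cb.conf path as a parameter and are exercised here against a constructed sample file, not the live /etc/cb/cb.conf.

```shell
#!/bin/sh
# Added example (not from the KB article): idempotent cb.conf key handling for
# the FeedHitMinScoreSrsTrust workaround, plus the date-bounded Solr query.
# All file paths are parameters; the sample file below is constructed.

# set_conf_key FILE KEY VALUE: replace an existing KEY=... line, else append one.
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        # Rewrite through a temp file (portable; avoids non-POSIX sed -i).
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# unset_conf_key FILE KEY: remove the KEY=... line (reverts the workaround).
unset_conf_key() {
    file=$1; key=$2
    tmp="${file}.tmp.$$"
    # grep -v exits 1 when every line matched; that is not an error here.
    grep -v "^${key}=" "$file" > "$tmp" || :
    mv "$tmp" "$file"
}

# get_conf_key FILE KEY: print the current value, or nothing if the key is absent.
get_conf_key() {
    sed -n "s|^${2}=||p" "$1" | tail -n 1
}

# srstrust_query YYYY-MM-DD: emit the Solr query that hides events tagged
# before the feed was disabled. Rejects anything that is not YYYY-MM-DD.
srstrust_query() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "srstrust_query: expected YYYY-MM-DD, got '$1'" >&2; return 1 ;;
    esac
    printf 'alliance_score_srstrust:* AND start:[%sT00:00:00 TO *]\n' "$1"
}

# sample_conf: write a constructed cb.conf stand-in and print its path.
sample_conf() {
    f="${TMPDIR:-/tmp}/cb.conf.example.$$"
    cat > "$f" <<'EOF'
# constructed sample, not a real cb.conf
SolrHost=127.0.0.1
FeedHitMinScoreSrsTrust=1
EOF
    echo "$f"
}

# Demo: apply the workaround, show the result, then revert and clean up.
demo_file=$(sample_conf)
set_conf_key "$demo_file" FeedHitMinScoreSrsTrust 100
echo "after apply:  FeedHitMinScoreSrsTrust=$(get_conf_key "$demo_file" FeedHitMinScoreSrsTrust)"
unset_conf_key "$demo_file" FeedHitMinScoreSrsTrust
echo "after revert: FeedHitMinScoreSrsTrust='$(get_conf_key "$demo_file" FeedHitMinScoreSrsTrust)'"
srstrust_query 2024-01-15
rm -f "$demo_file"
```

Run set_conf_key against a copy of the real cb.conf first and diff it before touching the live file; the Carbon Black service must be restarted for cb.conf changes to take effect, which this example does not do.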