CB Response: Emails on hit, even when it is disabled
Article ID: 287755
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- User will receive emails after disabling the option via Feed/Watchlist
Environment
- CB Response Server: 6.X and higher
Cause
- Admins who select the option to be emailed on hit, but choose a distribution list as their email, will cause all parties included in that DL to receive the alert via email. Even if one user disables the option to be notified through the Feed/Watchlist.
Resolution
- Any email distribution list used to alert will have to be adjusted to either remove the user's email, or use a different email altogether per user of that DL.
Additional Information
- Example:
- User A creates a new Watchlist/Feed and chooses to be notified via email and chooses their SOC DL as the recipient of the alerts.
- User B is part of the SOC DL, but does not wish to be notified, and so chooses to disable the email on hit option for that Watchlist/Feed.
- User B will still be notified until User A either chooses a new email to directly alert themselves, or remove User B from the DL.
Feedback
Yes
No
Powered by
