CB Response: IOCs that have been marked inactive from Anomali Threatstream Feed are still being alerted on

Article ID: 287766

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

CB Response continues to alert on IOCs that the feed provider has marked as "clean".

Environment

  • CB Response Server: 6.X
  • Anomali ThreatStream Integrator: 6.5.X

Cause

Caused by a limitation within Response, identified as CB-26328.

Resolution

This will be resolved in a future release.

Additional Information

  • Work with the custom feed provider to confirm all IOC data is being sent correctly to Response.
  • Support is not able to assist with configuration or applying best practices to custom feed providers.
  • Expected behavior: once an IOC is marked inactive in Anomali, the ThreatStream feed is updated, and the IOC should stop generating alerts after the next Full Sync.
  • This has only been seen with very large threat feeds, with around one million reports.