CB Response: Alliance feed name missing from events sent over Syslog
Article ID: 287792
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Missing Feed name on incoming alerts.
Environment
- CB Response Server: 6.X
Cause
This is due to a limitation of Syslog
Resolution
As a workaround, adjust the correct /usr/share/cb/syslog_templates/ to include Threat Report IDs:
whatisthereportid={{doc['report_id']|cef_escape}}
Additional Information
- Syslog has been replaced by CB Event Forwarder.
- The CB Response Feeds do not apply a tag ID for the Alliance Feed name the alerts come from.
Feedback
Yes
No
Powered by
