EDR: Why are CbFeeds Better than Watchlists for a List of Hashes, IPs, or Domains?

Article ID: 287962


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why are cbfeeds better than creating a watchlist for a list of hashes, IPs or domains?

Environment

  • EDR Server: All Versions

Resolution

  • IOC-based feeds (as opposed to query-based ones) are evaluated at ingress, so they have a better chance of alerting you quickly than a watchlist, which only runs every 10 minutes.
  • Copying and pasting a list of IOCs has a high probability of capturing a line feed (%A0) after each entry; this can cause Solr to search every field for each entry, especially when a field prefix such as md5: is not in front of each one.
  • For overall management, it is much easier to add, update and delete a feed carrying a large list of IOCs than a watchlist.
  • A score can be assigned to each individual report, making alerts easier to act on by severity.
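The following is an added example, not Carbon Black's own code, that puts the last three points into practice: it takes a pasted IOC list (a constructed sample that deliberately contains trailing CR/LF, a non-breaking space and a blank line), strips that debris, classifies each entry as an MD5, IPv4 address or domain, and emits a feed document in the Carbon Black feed JSON layout (feedinfo plus one report per IOC type, each with its own score). For comparison it also builds the equivalent watchlist query with an explicit md5:, ipaddr: or domain: prefix on every term. The feed name, scores, sample indicators and URLs are placeholders chosen for the example.

```python
import ipaddress
import json
import re
import time

# Constructed sample of a copy-pasted IOC list. The trailing "\r\n", the
# non-breaking space (\u00a0) and the blank line are exactly the kind of
# debris that ends up inside a watchlist when the list is pasted verbatim.
RAW_PASTED_IOCS = (
    "d41d8cd98f00b204e9800998ecf8427e\r\n"
    "198.51.100.23\u00a0\n"
    "\n"
    "malware-c2.example\n"
    "  9e107d9d372bb6826bd81d3542a419d6  \n"
)

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DNS_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Watchlist query fields used for each IOC type (EDR query syntax).
QUERY_FIELD_FOR = {"md5": "md5", "ipv4": "ipaddr", "dns": "domain"}


def clean_entries(raw):
    """Split pasted text on line breaks and drop surrounding whitespace.

    str.strip() with no arguments removes Unicode whitespace, which includes
    the non-breaking space, so a stray \u00a0 after an entry disappears too.
    Empty lines are skipped and everything is lower-cased for matching.
    """
    entries = []
    for line in raw.splitlines():
        entry = line.strip().lower()
        if entry:
            entries.append(entry)
    return entries


def classify(entry):
    """Return the IOC type ("md5", "ipv4" or "dns") for a cleaned entry,
    or None if the entry matches none of the three."""
    if MD5_RE.match(entry):
        return "md5"
    try:
        ipaddress.IPv4Address(entry)
        return "ipv4"
    except ValueError:
        pass
    if DNS_RE.match(entry):
        return "dns"
    return None


def build_feed(raw, feed_name, scores):
    """Build a feed document with one report per IOC type.

    `scores` maps IOC type to the report score (0-100) so that hits on,
    say, hashes can be ranked above hits on domains. Returns the feed
    dict and the list of entries that could not be classified.
    """
    iocs = {"md5": [], "ipv4": [], "dns": []}
    rejected = []
    for entry in clean_entries(raw):
        kind = classify(entry)
        if kind is None:
            rejected.append(entry)
        else:
            iocs[kind].append(entry)

    now = int(time.time())
    reports = []
    for kind, values in iocs.items():
        if not values:
            continue
        reports.append({
            "id": f"{feed_name}-{kind}",
            "title": f"{feed_name}: {kind} indicators",
            "link": f"https://feeds.example.invalid/{feed_name}",  # placeholder URL
            "score": scores[kind],
            "timestamp": now,
            "iocs": {kind: values},
        })

    feed = {
        "feedinfo": {
            "name": feed_name,
            "display_name": feed_name,
            "provider_url": "https://feeds.example.invalid",  # placeholder URL
            "summary": "Constructed example feed built from a pasted IOC list",
            "tech_data": "Example only; indicators are constructed sample values",
        },
        "reports": reports,
    }
    return feed, rejected


def build_watchlist_query(raw):
    """Equivalent watchlist query with a field prefix on every term, so Solr
    is not asked to search every field for each bare value."""
    terms = []
    for entry in clean_entries(raw):
        kind = classify(entry)
        if kind is not None:
            terms.append(f"{QUERY_FIELD_FOR[kind]}:{entry}")
    return " OR ".join(terms)


if __name__ == "__main__":
    feed, rejected = build_feed(
        RAW_PASTED_IOCS, "example-feed", {"md5": 100, "ipv4": 75, "dns": 50}
    )
    print(json.dumps(feed, indent=2))
    print("rejected:", rejected)
    print("watchlist query:", build_watchlist_query(RAW_PASTED_IOCS))
```

Entries that do not classify cleanly are returned separately rather than silently dropped, which is the check worth keeping in any feed-generation script: a stray value that makes it into a report becomes a noisy or dead indicator, and a stray value that makes it into a watchlist query becomes an unprefixed term.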