Cb Response: Create Regmod Ingress Filter


Article ID: 288106




Carbon Black EDR (formerly Cb Response)


Create an ingress filter that will result in the Cb Response server not storing any registry modification (regmod) events.


  • Cb Response server (version 6.x and later)


  1. Log in to the command line of the Cb Response server.
  2. Execute the following add-ingress-filter command, adjusting these parameters:
    1. Replace "XXXXXXXX" with your API token.
    2. Enter a unique alphanumeric value for "id".
    3. Replace the regmod_filters path with the exact path to the registry directory.
curl -vv --tlsv1.2 -XPOST -H "X-Auth-Token: XXXXXXXX" -H "Content-Type: application/json" "https://localhost/api/v1/ingress_whitelist" -k -d '
{
    "id": "example",
    "priority": 0,
    "enabled": true,
    "filter_on_server": true,
    "track_metrics": true,
    "os_mask": 7,
    "global": true,
    "group_ids": [],
    "sensor_ids": [],
    "regmod_filters": ["rxi|\\\\registry\\\\machine\\\\software\\\\example directory\\\\example subdirectory\\\\*"],
    "filter_all_events": false,
    "path_filters": ["*"]
}'


Additional Information

  • The regmod_filters path is not case sensitive due to the "rxi" parameter.
  • Note the required asterisk (*) at the end of the regmod_filters parameter.
  • This process must be repeated on all servers in the cluster (master + minions).
  • This filter is useful in deployments where a known process makes frequent safe updates to endpoints.
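
The backslash escaping, the alphanumeric "id" and the trailing asterisk are the parts of this request most easily mistyped. The script below is an added example, not vendor code, that builds the request body from a plain registry path and rejects input that breaks those rules. The function names are hypothetical, and the escaping rule (each "\" in the path written as four backslashes in the JSON) is an assumption taken from the sample command above.

```shell
# Added example (not vendor code); function names are hypothetical.
# Assumption: each "\" in the registry path is written as "\\\\" inside the
# JSON body, as in the sample command on this page.

# Succeed only for a non-empty, purely alphanumeric filter id.
valid_filter_id() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Convert \registry\machine\... into the escaped "rxi|...\\\\*" filter string.
regmod_filter_for() {
    case "$1" in
        *'"'*) echo "registry path must not contain a double quote" >&2; return 1 ;;
        \\*) ;;
        *) echo "registry path must start with a backslash" >&2; return 1 ;;
    esac
    # Drop a trailing \* or \ so it is not doubled, then escape every backslash.
    escaped=$(printf '%s' "$1" | sed -e 's/\\\*$//' -e 's/\\$//' -e 's/\\/\\\\\\\\/g')
    # Append the required trailing asterisk in escaped form.
    printf 'rxi|%s\\\\\\\\*' "$escaped"
}

# Print the full request body; all other fields are copied from this page.
ingress_filter_json() {
    valid_filter_id "$1" || { echo "id must be alphanumeric" >&2; return 1; }
    filter=$(regmod_filter_for "$2") || return 1
    cat <<EOF
{
    "id": "$1",
    "priority": 0,
    "enabled": true,
    "filter_on_server": true,
    "track_metrics": true,
    "os_mask": 7,
    "global": true,
    "group_ids": [],
    "sensor_ids": [],
    "regmod_filters": ["$filter"],
    "filter_all_events": false,
    "path_filters": ["*"]
}
EOF
}

# Constructed sample input: the placeholder path used on this page.
ingress_filter_json example '\registry\machine\software\example directory\example subdirectory'
```

The output can be piped to the curl command above by replacing the inline body with `-d @-`, which makes curl read the request body from standard input.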