EDR: How to bulk delete triage alerts by report ID

search cancel

EDR: How to bulk delete triage alerts by report ID

book

Article ID: 288610

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to bulk delete triage alerts by report id.

Environment

EDR Server: all versions

Resolution

Use below query for deleting triage alert in bulk using report id

curl http://127.0.0.1:8080/solr/cbalerts/update?commit=true -H "Content-Type: text/xml" -d '<delete><query>watchlist_id:ReportIDHere</query></delete>'

For example if report id is 565571 then query will be as below.

curl http://127.0.0.1:8080/solr/cbalerts/update?commit=true -H "Content-Type: text/xml" -d '<delete><query>watchlist_id:565571</query></delete>'

Additional Information

More fields are available for deleting triage alerts in this query here: https://developer.carbonblack.com/reference/enterprise-response/6.3/rest-api/#alerts

Feedback

thumb_up Yes

thumb_down No