EDR: ATT&CK Threat Feed Generates Excessive False Positive Alerts
Article ID: 289068

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • After enabling the ATT&CK Threat Feed, there are an excessive amount of alerts being generated
  • Most of these alerts from the ATT&CK Feed are false positives

Environment

  • EDR Server: All Versions
  • ATT&CK Threat Feed: Enabled

Cause

This is a feed made for threat hunting, not alerting/notifications out-of-the-box. It will trigger on a large number of IOCs and generate a lot of alerts if not properly tuned.

Resolution

The ATT&CK Threat Feed GA Release Notes on the CB Developer site contain the following warning:
WARNING: Enable the feed, but do not alert on it. This is a feed made for threat hunting, not alerting/notifications out-of-the-box. We STRONGLY recommend enabling the feed, but not enabling alerts or email notifications. You can take queries from here and create watchlists after you tune queries to your environment and then enable alerts.
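The tuning step the warning describes (run the feed as a hunting source first, find which reports fire broadly on benign activity, suppress that activity, and only then promote a report to an alerting watchlist) can be worked through offline on exported hit data. The script below is an added example for this article, not Carbon Black code and not part of the EDR product or its API: it takes a constructed list of feed hits (report name, ATT&CK technique, hostname, process path), ranks reports by how many hosts they fire on, and shows how excluding a known-good process path moves a noisy report from "tune first" into the set worth turning into a watchlist. The report names, hostnames, process paths, fleet size and the 50% prevalence threshold are all assumptions chosen for illustration.

```python
"""Rank ATT&CK feed reports by noise before enabling alerts on them.

Added example, not Carbon Black code. The hit records below are constructed;
in practice they would come from whatever export of feed hits your EDR server
provides. Fields: (report_id, attack_technique, hostname, process_path).
"""
from collections import defaultdict

# Constructed sample of feed hits. Report names and hosts are invented;
# the technique IDs are real ATT&CK identifiers.
SAMPLE_HITS = [
    ("attack-T1059-powershell-encoded", "T1059.001", "ws-01", r"C:\Program Files\MgmtAgent\agent.exe"),
    ("attack-T1059-powershell-encoded", "T1059.001", "ws-02", r"C:\Program Files\MgmtAgent\agent.exe"),
    ("attack-T1059-powershell-encoded", "T1059.001", "ws-03", r"C:\Program Files\MgmtAgent\agent.exe"),
    ("attack-T1059-powershell-encoded", "T1059.001", "ws-04", r"C:\Program Files\MgmtAgent\agent.exe"),
    ("attack-T1059-powershell-encoded", "T1059.001", "ws-05", r"C:\Program Files\MgmtAgent\agent.exe"),
    ("attack-T1059-powershell-encoded", "T1059.001", "ws-06", r"C:\Program Files\MgmtAgent\agent.exe"),
    ("attack-T1059-powershell-encoded", "T1059.001", "ws-01", r"C:\Program Files\MgmtAgent\agent.exe"),
    ("attack-T1059-powershell-encoded", "T1059.001", "ws-09", r"C:\Users\jdoe\Downloads\update.exe"),
    ("attack-T1003-lsass-access",       "T1003.001", "ws-07", r"C:\Windows\Temp\dump.exe"),
    ("attack-T1021-smb-lateral",        "T1021.002", "ws-02", r"C:\Windows\System32\net.exe"),
    ("attack-T1021-smb-lateral",        "T1021.002", "ws-03", r"C:\Windows\System32\net.exe"),
]
TOTAL_HOSTS = 10  # assumed fleet size used to compute prevalence

# Assumed result of investigation: the management agent legitimately runs
# encoded PowerShell fleet-wide, so its hits are benign baseline.
KNOWN_GOOD_PROCESSES = frozenset({r"C:\Program Files\MgmtAgent\agent.exe"})


def summarize_hits(hits, total_hosts, excluded_processes=frozenset()):
    """Aggregate hits per report: total hits, distinct hosts, host prevalence.

    Hits whose process path is in excluded_processes are dropped, which is
    the 'tune the query to your environment' step expressed as a filter.
    """
    excluded = {p.lower() for p in excluded_processes}
    per_report = defaultdict(lambda: {"hits": 0, "hosts": set(), "technique": None})
    for report, technique, host, process in hits:
        if process.lower() in excluded:
            continue
        entry = per_report[report]
        entry["hits"] += 1
        entry["hosts"].add(host)
        entry["technique"] = technique
    return {
        report: {
            "technique": d["technique"],
            "hits": d["hits"],
            "hosts": len(d["hosts"]),
            "prevalence": len(d["hosts"]) / total_hosts,
        }
        for report, d in per_report.items()
    }


def triage(summary, prevalence_threshold=0.5):
    """Split reports into those to tune first (fire on a large share of the
    fleet, almost certainly benign baseline) and watchlist candidates
    (rare hits that are worth alerting on once reviewed)."""
    tune_first = sorted(
        (r for r, d in summary.items() if d["prevalence"] >= prevalence_threshold),
        key=lambda r: -summary[r]["hits"],
    )
    candidates = sorted(r for r in summary if r not in tune_first)
    return {"tune_first": tune_first, "watchlist_candidates": candidates}


if __name__ == "__main__":
    before = triage(summarize_hits(SAMPLE_HITS, TOTAL_HOSTS))
    after = triage(summarize_hits(SAMPLE_HITS, TOTAL_HOSTS, KNOWN_GOOD_PROCESSES))
    print("before tuning:", before)
    print("after excluding known-good process:", after)
```

Run as-is, the encoded-PowerShell report fires on 7 of 10 hosts and lands in `tune_first`; once the management agent's process path is excluded it is left with a single hit on one host and becomes a watchlist candidate alongside the two rarer reports. The same prevalence-first ranking works on real exports regardless of how the hits are pulled from the server; the threshold is something to pick per environment rather than a fixed value.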