Carbon Black Cloud: Data Forwarder alert_id Filtering Sending Additional Event Data

Article ID: 289376

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

When alert_id:* is used in a Custom Query filter, events that are not associated with an alert are being forwarded.

Environment

  • Carbon Black Cloud: All Supported Versions
  • Event Forwarder 

Cause

The backend filter was allowing some event data not associated with an alert_id to be forwarded even though it was supposed to be filtered out.

Resolution

  • A backend fix is being released to prevent events from being forwarded when they do not match the alert_id:* filter
  • A reduction in the number of events being forwarded may be seen as the Data Forwarder enforces this filter
  • Event Forwarder filters may need to be adjusted if event data not associated with an alert_id is needed
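
To estimate how much forwarded volume will drop and which event types a downstream pipeline would lose, a batch of already-forwarded events can be audited for the presence of alert_id. The script below is an added example, not Carbon Black code. It assumes events are stored as one JSON object per line with alert_id as a top-level field, and that "matching alert_id:*" means a non-empty value; the sample records and the "type" field are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records, not real forwarder output. The "type" and
# "device_name" fields and their values are assumptions for illustration.
SAMPLE_LINES = [
    '{"type": "procstart", "device_name": "host-a", "alert_id": "CONSTRUCTED-ALERT-1"}',
    '{"type": "netconn", "device_name": "host-a"}',
    '{"type": "filemod", "device_name": "host-b", "alert_id": ""}',
    '{"type": "procstart", "device_name": "host-b", "alert_id": null}',
    '{"type": "netconn", "device_name": "host-c", "alert_id": ["CONSTRUCTED-ALERT-2"]}',
    'not json',
]

def has_alert_id(event):
    """True when alert_id is present and non-empty (assumed meaning of alert_id:*)."""
    value = event.get("alert_id")
    if isinstance(value, str):
        return bool(value.strip())
    if isinstance(value, (list, tuple)):
        return any(isinstance(v, str) and v.strip() for v in value)
    return False  # missing, null, or an unexpected type

def audit(lines):
    """Count events with and without alert_id, and tally the types that lack it."""
    stats, types_without = Counter(), Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            stats["unparsable"] += 1
            continue
        if has_alert_id(event):
            stats["with_alert_id"] += 1
        else:
            stats["without_alert_id"] += 1
            types_without[event.get("type", "<no type>")] += 1
    return stats, types_without

if __name__ == "__main__":
    stats, types_without = audit(SAMPLE_LINES)
    print(dict(stats))
    print("event types that will stop arriving:", dict(types_without))
```

Any event type listed under "without alert_id" that a detection or dashboard depends on is a candidate for a separate forwarder filter once the fix is enforced.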