Carbon Black Cloud: Data Forwarder alert_id Filtering Sending Additional Event Data
Article ID: 289376
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
When alert_id:* is used in a Custom Query filter, events not associated with an alert are still being forwarded.
Environment
- Carbon Black Cloud: All Supported Versions
- Event Forwarder
Cause
The backend filter was allowing some event data not associated with an alert_id to be forwarded even though it was supposed to be filtered out.
Resolution
- A backend fix is being released to prevent events from being forwarded when they don’t match the alert_id:* filter
- A reduction in the number of events being forwarded may be seen as the Data Forwarder enforces this filter
- Event Forwarder filters may need to be adjusted if event data not associated with an alert_id is needed
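To estimate how much forwarded data the enforced filter will drop, and which event types a downstream consumer would lose, saved forwarder output can be checked for events without an alert_id. This is an added example, not Carbon Black code: the one-JSON-object-per-line layout, the field names type and alert_id, and the treatment of a blank alert_id as unmatched are assumptions, and the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample of saved forwarder output, one JSON object per line.
# The field names "type" and "alert_id" are assumptions about the event schema.
SAMPLE_LINES = [
    '{"type": "endpoint.event.procstart", "alert_id": "A1"}',
    '{"type": "endpoint.event.netconn"}',
    '{"type": "endpoint.event.filemod", "alert_id": ""}',
    '{"type": "endpoint.event.netconn", "alert_id": null}',
    '{"type": "endpoint.event.procstart", "alert_id": "A2"}',
    'truncated {"type": ',
]

def has_alert_id(event):
    """True when the event carries a usable alert_id."""
    # Assumption: missing, null or blank alert_id does not match alert_id:*.
    value = event.get("alert_id")
    if isinstance(value, str):
        return bool(value.strip())
    return value is not None

def summarize(lines):
    """Count events with and without an alert_id, grouped by event type."""
    stats = {"with_alert": 0, "without_alert": 0, "malformed": 0}
    without_by_type = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        # Truncated lines and non-object JSON are counted, not silently dropped.
        if not isinstance(event, dict):
            stats["malformed"] += 1
            continue
        if has_alert_id(event):
            stats["with_alert"] += 1
        else:
            stats["without_alert"] += 1
            without_by_type[event.get("type", "unknown")] += 1
    stats["without_by_type"] = dict(without_by_type)
    return stats
```

Event types listed under without_by_type are the ones that stop arriving once the filter is enforced; if any are still needed, the forwarder filter has to be widened.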