EDR: How to tag/untag feed binaries and events

Article ID: 289624

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Untag events and binaries associated with a feed
  • Tag events and binaries associated with a feed

Environment

  • EDR Server: All Versions

Resolution

  1. Use the cbfeed scrubber to remove existing tags for the feed:
    • /usr/share/cb/cbfeed_scrubber --untag <feedname>
  2. Run the following to retag the binaries:
    • 6.2.1 and below
      • /usr/bin/python -m cb.maintenance.job_runner --master -vvv feed_search --tag --feed <feedname> --iocs md5
    • 6.2.2 and above
      • /usr/share/cb/virtualenv/bin/python -m cb.maintenance.job_runner --master -vvv feed_search --tag --feed <feedname> --iocs md5
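
The two steps above can be wrapped in one script that picks the interpreter from the server version and refuses feed names that could be parsed as options. This is an added example, not vendor-supplied code; the script name, the `DRY_RUN` switch, passing the server version as an argument, and the allowed feed-name character set are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: the operator passes the EDR
# server version as X.Y.Z, and feed names use only [A-Za-z0-9_.-].
: "${DRY_RUN:=1}"   # 1 = print the commands only; 0 = execute them

# Print the interpreter for a server version: system python for 6.2.1 and
# below, the bundled virtualenv python for 6.2.2 and above.
pick_python() {
    case $1 in ''|.*|*[!0-9.]*) echo "bad version: $1" >&2; return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split X.Y.Z into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0} minor=${2:-0} patch=${3:-0}
    # Compare numerically, field by field, so 6.10.0 sorts above 6.2.2.
    if [ "$major" -gt 6 ] ||
       { [ "$major" -eq 6 ] && [ "$minor" -gt 2 ]; } ||
       { [ "$major" -eq 6 ] && [ "$minor" -eq 2 ] && [ "$patch" -ge 2 ]; }; then
        echo /usr/share/cb/virtualenv/bin/python
    else
        echo /usr/bin/python
    fi
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# retag_feed <feedname> <server-version>: untag, then retag, in that order.
retag_feed() {
    case $1 in ''|-*|*[!A-Za-z0-9_.-]*) echo "bad feed name: $1" >&2; return 1 ;; esac
    py=$(pick_python "$2") || return 1
    # Step 1: remove existing tags for the feed; stop here if it fails.
    run /usr/share/cb/cbfeed_scrubber --untag "$1" || return 1
    # Step 2: retag the binaries by MD5 IOC.
    run "$py" -m cb.maintenance.job_runner --master -vvv feed_search \
        --tag --feed "$1" --iocs md5
}

# Usage: DRY_RUN=0 sh retag_feed.sh <feedname> <server-version>
if [ "$#" -eq 2 ]; then retag_feed "$1" "$2"; fi
```

With `DRY_RUN` left at its default of 1 the script only prints the two commands, so they can be reviewed before running them on the EDR server.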

Additional Information

These steps are typically used when a feed is incorrectly generating alerts for disabled feeds or tagged events.