CB Response: SIEM receiving duplicate events
Article ID: 290148
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Dozens of duplicate events are being sent to the SIEM
- Most if not all duplicates are netconns
Environment
- CB Response Server: All Versions
- CB Response Sensor: All Versions
Cause
Something outside of Response is stripping the full date/timestamp before the event makes it to the SIEM
Resolution
Anything processing the event between Response and the SIEM must leave the date/timestamp alone
Additional Information
This issue is most prevalent with netconns, which can generate a large number of events with the same content in less than a second
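To show why a truncated timestamp turns distinct netconns into apparent duplicates, here is an added example that is not part of this article or of Carbon Black's own tooling; the event field names are an assumption that only loosely follows event-forwarder JSON, and the sample events are constructed:

```python
import json
from collections import Counter

# Constructed sample: four netconns from one process to the same destination,
# three of them inside the same second. Only the fractional part of the
# timestamp tells those three apart. Field names are assumed, not the schema.
SAMPLE_EVENTS = [
    '{"type": "ingress.event.netconn", "process_guid": "EXAMPLE-GUID-1", "ipv4": "10.0.0.5", "port": 443, "timestamp": "2020-05-01T12:00:00.104Z"}',
    '{"type": "ingress.event.netconn", "process_guid": "EXAMPLE-GUID-1", "ipv4": "10.0.0.5", "port": 443, "timestamp": "2020-05-01T12:00:00.371Z"}',
    '{"type": "ingress.event.netconn", "process_guid": "EXAMPLE-GUID-1", "ipv4": "10.0.0.5", "port": 443, "timestamp": "2020-05-01T12:00:00.902Z"}',
    '{"type": "ingress.event.netconn", "process_guid": "EXAMPLE-GUID-1", "ipv4": "10.0.0.5", "port": 443, "timestamp": "2020-05-01T12:00:01.015Z"}',
]

# Fields (besides the timestamp) that make up an event's identity here.
ID_FIELDS = ("type", "process_guid", "ipv4", "port")


def strip_subseconds(ts):
    """Mimic an intermediary that drops the fractional seconds."""
    return ts.split(".")[0] + "Z" if "." in ts else ts


def simulate_truncating_pipeline(lines):
    """Re-emit the events the way a timestamp-stripping hop would."""
    out = []
    for line in lines:
        ev = json.loads(line)
        ev["timestamp"] = strip_subseconds(ev["timestamp"])
        out.append(json.dumps(ev))
    return out


def count_apparent_duplicates(lines):
    """Events whose identity fields plus timestamp collide with an earlier one."""
    keys = Counter(
        tuple(ev[f] for f in ID_FIELDS) + (ev["timestamp"],)
        for ev in map(json.loads, lines)
    )
    return sum(n - 1 for n in keys.values() if n > 1)


def timestamps_have_subseconds(lines):
    """SIEM-side check: True only if every timestamp kept its fractional part."""
    return all("." in json.loads(line)["timestamp"] for line in lines)


if __name__ == "__main__":
    print("as emitted:", count_apparent_duplicates(SAMPLE_EVENTS))
    damaged = simulate_truncating_pipeline(SAMPLE_EVENTS)
    print("after stripping:", count_apparent_duplicates(damaged))
    print("sub-seconds intact:", timestamps_have_subseconds(damaged))
```

Running `timestamps_have_subseconds` over a sample of what actually arrives at the SIEM is a quick way to tell whether some hop in between is the culprit.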