Carbon Black Cloud: Duplicate Alert Entry in SIEM for Each Event Added (Alert Data Forwarder)
Article ID: 290362


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • New records with the same id (alert_id) appearing in SIEM
  • Only visible difference between entries is last_update_time
  • Updated last_update_time data lines up with timestamps of event_ids tied to same alert_id

Environment

  • Carbon Black Cloud Console: All Versions
    • Data Forwarder configured for Alerts
  • Real-time SIEM ingesting Alert data

Cause

Working as designed. Alert records are updated as new Events are tied to the same alert_id.

Resolution

Deduplicate entries from the alerts Data Forwarder based on the id field (shown as alert_id in the VMware Carbon Black Cloud Console), so that each alert is represented once regardless of how many updated records the forwarder emits for it.
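As an added illustration (not part of the original article or of the Carbon Black product), the following Python collapses forwarder alert records on the id field, keeping the record with the newest last_update_time even when records arrive out of order. The sample records are constructed; the only fields assumed are the id and last_update_time fields named above.

```python
import json
from datetime import datetime

# Constructed sample: ALERT-A is forwarded three times as new events are tied to it,
# with the second update arriving before the first (out-of-order delivery).
SAMPLE_RECORDS = """
{"id": "ALERT-A", "last_update_time": "2023-01-10T10:00:00.000Z", "severity": 5}
{"id": "ALERT-B", "last_update_time": "2023-01-10T10:01:00.000Z", "severity": 3}
{"id": "ALERT-A", "last_update_time": "2023-01-10T10:05:00.000Z", "severity": 5}
{"id": "ALERT-A", "last_update_time": "2023-01-10T10:02:00.000Z", "severity": 5}
"""


def parse_time(value: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def dedupe_alerts(lines):
    """Return {alert id: record} keeping the newest last_update_time per id.

    Comparing timestamps rather than taking the last record seen means a
    late-arriving older update never overwrites a newer one.
    """
    latest = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        alert_id = record["id"]
        updated = parse_time(record["last_update_time"])
        current = latest.get(alert_id)
        if current is None or updated > parse_time(current["last_update_time"]):
            latest[alert_id] = record
    return latest


def update_counts(lines):
    """Count how many forwarder records were received per alert id."""
    counts = {}
    for line in lines:
        if line.strip():
            alert_id = json.loads(line)["id"]
            counts[alert_id] = counts.get(alert_id, 0) + 1
    return counts


if __name__ == "__main__":
    for alert_id, record in dedupe_alerts(SAMPLE_RECORDS.splitlines()).items():
        print(alert_id, record["last_update_time"])
```

For a real-time SIEM the same comparison can be applied per incoming record against a small state store keyed on id, emitting only when the stored timestamp is older.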

Additional Information

  • The above should only be problematic on real-time analytics SIEMs (Exabeam, LogRhythm, etc.)
  • This should not be an issue with search-based SIEMs (Splunk, etc.)