Carbon Black Cloud: Duplicate Alert Entry in SIEM for Each Event Added (Alert Data Forwarder)
Article ID: 290362
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- New records with the same id (alert_id) appear in the SIEM
- The only visible difference between the entries is last_update_time
- The updated last_update_time lines up with the timestamps of the event_ids tied to the same alert_id
Environment
- Carbon Black Cloud Console: All Versions
- Data Forwarder configured for Alerts
- Real-time SIEM ingesting Alert data
Cause
Working as designed. The alert record is re-sent with an updated last_update_time each time a new Event is tied to the same alert_id.
Resolution
Deduplicate entries from the Alerts Data Forwarder on the id field (shown as alert_id in the VMware Carbon Black Cloud Console).
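One way to apply that deduplication before forwarder records reach a real-time SIEM, added here as an example and not Carbon Black's own code: collapse records by id and keep the copy with the newest last_update_time, so a late-arriving older copy never replaces a newer one. The sample lines are constructed and carry only the two fields this article discusses.

```python
import json
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Constructed sample lines in the Alert Data Forwarder's one-JSON-object-per-line shape.
# Real records carry many more fields; only id and last_update_time matter for dedup.
SAMPLE_LINES = [
    '{"id": "ALERT-A", "last_update_time": "2024-01-10T10:00:00.000Z"}',
    '{"id": "ALERT-B", "last_update_time": "2024-01-10T10:01:00.000Z"}',
    '{"id": "ALERT-A", "last_update_time": "2024-01-10T10:05:00.000Z"}',  # re-sent: new event tied to ALERT-A
    '{"id": "ALERT-A", "last_update_time": "2024-01-10T10:02:00.000Z"}',  # older copy arriving out of order
]


def parse_time(value: str) -> datetime:
    """Parse the forwarder's ISO 8601 UTC timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def dedupe_alerts(lines: Iterable[str]) -> Dict[str, dict]:
    """Collapse repeated alert records by id, keeping the most recent last_update_time.

    Comparing timestamps instead of trusting arrival order means an older copy that
    arrives late does not overwrite the newer state of the same alert.
    """
    latest: Dict[str, dict] = {}
    for line in lines:
        record = json.loads(line)
        alert_id = record["id"]
        current = latest.get(alert_id)
        if current is None or parse_time(record["last_update_time"]) > parse_time(current["last_update_time"]):
            latest[alert_id] = record
    return latest


def dedupe_sample() -> List[dict]:
    """Run the dedup over the constructed sample and return the surviving records sorted by id."""
    return sorted(dedupe_alerts(SAMPLE_LINES).values(), key=lambda r: r["id"])


if __name__ == "__main__":
    for record in dedupe_sample():
        print(json.dumps(record))
```

In a real pipeline the `latest` map would be bounded (for example, evicted after the SIEM's correlation window) rather than held for the life of the process.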
Additional Information
- The above should only be problematic on real-time analytics SIEMs (Exabeam, LogRhythm, etc.)
- This should not be an issue with search-based SIEMs (Splunk, etc.)