EDR: How to find the last time a binary's associated Alliance Feed was updated

search cancel

EDR: How to find the last time a binary's associated Alliance Feed was updated

book

Article ID: 290381

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Find the last time an Alliance feed associated with a binary was updated.

Environment

EDR Server: All Versions

Resolution

Collect the binary doc from the master server via the following curl command replacing BINARYMD5 with the corresponding binary MD5 value
- ```
curl 'http://127.0.0.1:8080/solr/cbmodules/select?q=md5:BINARYMD5&rows=5&indent=true'
```
Find the alliance_updated date field for the related feed. This will contain the last update time
- ```
<date name="alliance_updated_srsthreat">2018-04-04T02:44:58Z</date>
```

Additional Information

This is useful in situations where a binary alert has triggered for an old event. This can be correlated with the last update time with the feed hit in /var/log/cb/job-runner/job-runner.log.

Feedback

thumb_up Yes

thumb_down No