EDR: How to Customize a Feed to Prevent False Positives


Article ID: 291826


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Customize a threat intelligence feed in EDR (formerly Cb Response) to address false positives or to limit data collection.

Environment

  • EDR Console: All Versions

Resolution

To Customize a Query:

  1. Navigate to the Threat Intelligence page.
  2. Click on the threat reports for the feed to be tuned.
  3. Toggle the “Ignore” button from “No” to “Yes” on the report that is producing the false positive.
  4. Click “Details” to open that report's details page.
  5. Click the blue hyperlinked “Indicator” at the bottom of the page. This opens a process search page pre-populated with the query that the threat feed report runs.
  6. Add or remove search terms in the query until you find a configuration that eliminates the noise in your environment but still catches malicious or unusual behavior.
  7. Click the Wrench icon and select “Add Watchlist”.
  8. Set the alert options and save the changes.

To Ignore a Query:

  1. Navigate to the Threat Intelligence page.
  2. Click on the threat reports for the feed to be tuned.
  3. Toggle the “Ignore” button from “No” to “Yes”. The report will no longer run and will not tag data on the server.