Alerts Sent for Binaries That No Longer Exist in the Environment

Article ID: 291975

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

An alert is received for a malicious binary. When clicking on the hash from the Triage page, the details show that the file hasn't been seen in some time, or that the endpoint where the file was previously seen is no longer active in the environment.

Environment

  • EDR Server: All Versions

Cause

The alert itself is generated because the binary has received an updated score from a Threat Intelligence Feed that is currently enabled, not because the binary has been seen again on an endpoint.

Resolution

The alert can be handled a few different ways:

    1. Triage Alert: It may be useful to know that threat intelligence information for a file that was previously seen in the environment has now been updated. Depending on the file, or on how long ago the file was last seen in the environment, following up to determine what impact the file had on the environment may be beneficial.
    2. Reduce Frequency: If this is caused by a false positive score change, alerts below a certain score can be ignored for a feed by adding a configuration change in /etc/cb/cb.conf.
    3. Ignore Future Events: After setting an Alert to False Positive, an option to ignore future events will be available in the pop-up. Selecting Yes means notifications will never be received for the hash again. This should only be used if the binary is trusted in the organization.
    4. Remove the binary and receive Alerts next time the binary appears in the environment: The binary document can be removed from the database. This will stop alerts until the next time the binary appears in the environment on a sensor that has not seen the binary before. Process can be found here.
    5. Enable cbmodules purge cronjob: Removing old binaries can be done via a built-in cronjob that is not enabled by default. This will remove any binary that has had no event associated with it for the number of days you set. This also helps with search performance, as most binaries are not seen again. Any sensor that has not seen the binary before can resend the binary metadata, which will trigger an alert again.
      • Process can be found here.
      • If retention is 30 days and cbmodule_purge is set to 60 days, the administrator will have 90 days of retention on the binary metadata; the counter resets if a new event is seen.

Additional Information

Options 4 and 5 should only be done after discussing with the incident response / security teams. Deleting a binary may remove important visibility into what binaries previously existed in the environment.