Carbon Black Cloud: SIEM/API Notifications Do Not Include EEDR Alert/Investigate URL

Article ID: 292044

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Alert URL is not included in the data sent to SIEM/API

Environment

  • Carbon Black Cloud Console: All Supported Version
  • VMware Carbon Black Cloud App for Splunk: 1.x
  • Splunk: 8.x

Cause

The Data Forwarder, which is required to populate the Alert URL in SIEM/API notifications, was not configured.

Resolution

The following workaround can be used to reach the alert in the console without the Alert URL:
  1. Copy the DEVICE_ID and ALERT_ID values from the notification.
  2. Navigate to the Investigate page in the Carbon Black Cloud console.
  3. Run a search with the following query, substituting the values copied in step 1:
  • device_id:{DEVICE_ID} AND alert_id:{ALERT_ID}
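As an added example (not part of this article and not Carbon Black's own code), the following Python helper builds the Investigate query from a raw notification so the lookup can be scripted from the SIEM side. The notification layout used here (a `deviceInfo.deviceId` and a `threatInfo.incidentId` field) is an assumption for the sample, as is the constructed notification itself; adjust the field paths to match what your integration actually receives. The alert ID is validated before it is interpolated so that a malformed or tampered value cannot inject extra search operators into the query.

```python
import json
import re

# Constructed sample notification. The field layout is an assumption made for
# this example, not the product's documented schema.
SAMPLE_NOTIFICATION = json.dumps({
    "deviceInfo": {"deviceId": 1234567, "deviceName": "WIN10-LAB"},
    "threatInfo": {"incidentId": "ABCD1234EFGH5678", "summary": "Suspicious process"},
})

# Only accept the characters expected in an alert ID; anything else (spaces,
# parentheses, quotes) could change the meaning of the search query.
_ALERT_ID_RE = re.compile(r"^[A-Za-z0-9-]+$")


def extract_ids(notification_json: str) -> tuple[int, str]:
    """Return (device_id, alert_id) from a notification, rejecting bad input."""
    data = json.loads(notification_json)
    device_id = data.get("deviceInfo", {}).get("deviceId")   # assumed field path
    alert_id = data.get("threatInfo", {}).get("incidentId")  # assumed field path
    if device_id is None or alert_id is None:
        raise ValueError("notification lacks deviceId or incidentId")
    device_id = int(device_id)  # raises ValueError if not numeric
    alert_id = str(alert_id)
    if not _ALERT_ID_RE.match(alert_id):
        raise ValueError(f"unexpected alert id format: {alert_id!r}")
    return device_id, alert_id


def investigate_query(device_id: int, alert_id: str) -> str:
    """Build the Investigate page search string shown in the workaround above."""
    return f"device_id:{device_id} AND alert_id:{alert_id}"


def query_from_notification(notification_json: str) -> str:
    """Convenience wrapper: notification JSON in, Investigate query out."""
    return investigate_query(*extract_ids(notification_json))


if __name__ == "__main__":
    print(query_from_notification(SAMPLE_NOTIFICATION))
```

Paste the returned string into the Investigate page search bar; if your notifications arrive through Splunk, the same logic can be applied in a search-time lookup or a scripted alert action.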