CB Response: Receiving Icon Matching feed alerts daily for old hit
Article ID: 292383
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- One or more alerts are generated daily from the Icon Matching feed for old events
Environment
- CB Response Server: All Versions
- Icon Matching Feed enabled
Cause
An issue is causing the Icon Matching feed to update daily. A fix is being tracked with the ID TPLAT-1356
Resolution
- As a workaround create watchlists based off the Iconmatching Feed
- Disable alerts and emails for the Icon Matching feed
- If selected, uncheck Email me on hit
- Select the Notifications drop-down and uncheck Create Alert
- Create a watchlist for binary searches
- Disable alerts and emails for the Icon Matching feed
cb.urlver=1&cb.q.alliance_score_iconmatching=*&rows=10&start=0&sort=server_added_timestamp%20desc
- Create a watchlist for process searches
cb.urlver=1&rows=10&facet=false&facet.field=username_full&facet.field=process_name&facet.field=group&facet.field=hostname&facet.field=parent_name&facet.field=path_full&facet.field=process_md5&sort=last_update%20desc&cb.min_last_update=&cb.max_last_update=&cb.query_source=ui&cb.strict=0&q=(alliance_score_iconmatching%3A*)&start=0
Additional Information
- The Icon Matching feed will still need to be enabled for the watchlists to work
- Alerts should be configured on the watchlists to continue receiving other alerts from the feed
- Email me on hit will need to be disabled by each individual subscribed to the feed
Feedback
Yes
No
Powered by
