EDR: Alerts Sent for Binaries That No Longer Exist in the Environment

Environment

  • EDR Server: All Versions

Symptoms

An alert is received for a malicious binary. When clicking on the hash from the Triage page, the binary details show that the file has not been seen for some time, or that the endpoint where the file was previously seen is no longer active in the environment.

Cause

The alert is generated because a currently enabled Threat Intelligence Feed has published an updated score for the binary's hash. The alert is raised against the binary document the server already holds, so it does not require the file to be present on any active endpoint.

Resolution

  • The alert can be handled in a few different ways:
    1. Triage the alert: It may be useful to know that threat intelligence for a file previously seen in the environment has been updated. Depending on the file, and on how long ago it was last seen, following up on what impact the file had on the environment may be beneficial.
    2. Reduce frequency: If the alert is caused by a false-positive score change, alerts below a certain score can be ignored for a feed by adding a configuration change in /etc/cb/cb.conf.
    3. Ignore future events: After marking an alert as False Positive, an option to ignore future events is offered in the pop-up. Selecting Yes means notifications will never be received for that hash again. Use this only if the binary is trusted in the organization.
    4. Remove the binary and receive alerts the next time it appears in the environment: The binary document can be removed from the database. This stops alerts until the binary is next observed by a sensor that has not seen it before. See: EDR: How to remove a binary document from Solr (cbmodules)
    5. Enable the cbmodules purge cronjob: Old binaries can be removed by a built-in cronjob that is not enabled by default. It removes any binary that has had no event associated with it for the number of days you configure. This also helps search performance, since most binaries are never seen again. Any sensor that has not seen the binary before can resend the binary metadata, and the binary will alert again.
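Before choosing between triaging the alert (option 1) and deleting the binary document (options 4 and 5), it helps to establish from the server's own data whether the hash is still present on any active sensor and which feed score changed. The script below is an added example, not code from this article or from the EDR product. It works offline on a binary summary document and a sensor list shaped like the EDR server REST API responses (GET /api/v1/binary/<md5>/summary and GET /api/v1/sensor); the field names it relies on (endpoint, server_added_timestamp, last_seen, alliance_score_<feed>, alliance_updated_<feed>, id, computer_name, last_checkin_time) and the feed names are assumptions about that API, and all sample data is constructed.

```python
"""Triage helper for an EDR alert on a binary that may no longer be present.

Added example; not code from the Carbon Black article or the EDR product. Field
names follow the EDR server REST API as an assumption; the sample documents below
are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

SCORE_PREFIX = "alliance_score_"      # per-feed score fields on a binary document
UPDATED_PREFIX = "alliance_updated_"  # per-feed "score last updated" timestamps


def parse_ts(value: str) -> datetime:
    """Parse a server timestamp as an aware UTC datetime (accepts a trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def feed_updates(binary_doc: dict) -> dict:
    """Map feed name -> (score, updated_at) from the alliance_* fields on the document."""
    updates = {}
    for key, score in binary_doc.items():
        if key.startswith(SCORE_PREFIX):
            feed = key[len(SCORE_PREFIX):]
            updated = binary_doc.get(UPDATED_PREFIX + feed)
            updates[feed] = (score, parse_ts(updated) if updated else None)
    return updates


def endpoints(binary_doc: dict) -> list:
    """Split 'HOSTNAME|SENSOR_ID' endpoint entries into (hostname, sensor_id) pairs."""
    pairs = []
    for entry in binary_doc.get("endpoint", []):
        host, _, sensor_id = entry.rpartition("|")
        pairs.append((host, int(sensor_id)))
    return pairs


def assess(binary_doc: dict, sensors: list, now: datetime,
           stale_days: int = 90, checkin_days: int = 7) -> dict:
    """Explain a feed-driven alert: which feed changed, and is the hash still live anywhere?"""
    by_id = {s["id"]: s for s in sensors}
    # Fall back to the time the server first stored the binary if last_seen is absent.
    last_seen = parse_ts(binary_doc.get("last_seen") or binary_doc["server_added_timestamp"])
    age_days = (now - last_seen).days

    active_hosts, missing_sensors = [], []
    for host, sensor_id in endpoints(binary_doc):
        sensor = by_id.get(sensor_id)
        if sensor is None:
            missing_sensors.append(host)  # no sensor record: host was likely decommissioned
            continue
        if now - parse_ts(sensor["last_checkin_time"]) <= timedelta(days=checkin_days):
            active_hosts.append(host)

    # Feeds whose score was updated after the binary was last observed explain the alert.
    recent_feeds = sorted(
        feed for feed, (_score, updated) in feed_updates(binary_doc).items()
        if updated is not None and updated > last_seen
    )
    return {
        "age_days": age_days,
        "active_hosts": active_hosts,
        "missing_sensors": missing_sensors,
        "feeds_updated_since_last_seen": recent_feeds,
        "likely_score_update_only": bool(recent_feeds) and age_days > stale_days and not active_hosts,
    }


# Constructed sample data (not real endpoints or hashes).
SAMPLE_BINARY = {
    "md5": "A1B2C3D4E5F60718293A4B5C6D7E8F90",
    "observed_filename": ["c:\\users\\jdoe\\downloads\\installer.exe"],
    "endpoint": ["WKSTN-07|12", "BUILD-03|41"],
    "server_added_timestamp": "2018-10-02T09:14:31.000Z",
    "last_seen": "2018-10-02T09:14:31.000Z",
    "alliance_score_virustotal": 68,
    "alliance_updated_virustotal": "2019-01-20T03:40:00.000Z",
    "alliance_score_srstrust": -100,
    "alliance_updated_srstrust": "2018-05-11T00:00:00.000Z",
}
SAMPLE_SENSORS = [  # sensor 12 (WKSTN-07) was uninstalled and has no record any more
    {"id": 41, "computer_name": "BUILD-03", "last_checkin_time": "2018-11-10 16:02:45.123456-08:00"},
    {"id": 57, "computer_name": "FILESRV-01", "last_checkin_time": "2019-01-25 07:58:10.000000-08:00"},
]
NOW = datetime(2019, 1, 25, 16, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in assess(SAMPLE_BINARY, SAMPLE_SENSORS, NOW).items():
        print(f"{key}: {value}")
```

If likely_score_update_only is true, the alert is the score-change case this article describes and option 1 applies; if any host is still active, treat it as a live detection instead and leave the binary document in place.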

Additional Notes

Options 4 and 5 should only be taken after discussing them with the incident response / security teams. Deleting a binary document removes visibility into which binaries previously existed in the environment.

Article Information
Creation Date: 01-25-2019