Environment
- Carbon Black Cloud: All Supported Versions
- Event Forwarder
Symptoms
When using alert_id:* in a Custom Query filter, events not associated with an alert are being forwarded
Cause
Backend filter was allowing some event data not associated by an alert_id be forwarded even if it was supposed to be filtered
Resolution
- Backend fix is being released to prevent events being forwarded where they don’t match the alert_id:* filter
- A reduction of events being forwarded may be seen as the Data Forwarder enforces this filter
- Event Forwarder filters may need to be adjusted if event data not associated to an alert_id is needed
Related Content