Environment
- Cb Defense Web Console: All Versions
Symptoms
- Alerts dismissed previously
- New Alerts showing up with the same Tactics, Techniques, and Procedures (TTPs)
- New Alerts show previously-dismissed AlertIDs under Notes and Tags
Cause
- Previous Alerts were dismissed with Group Alerts turned off
Resolution
- From the All Alerts page, right-click the Investigate button of the new Alert and open the page in a new tab
- Within the URL on the Investigate page, find the threatId tag and copy it
selected[threatId]={CopyThisThreatID}&
- Back on the All Alerts page, search for the ThreatID above (make sure to show Dismissed and Not Dismissed under Workflow on the left)
- Turn Group Alerts on
- Dismiss the Alert on all devices and check "If this alert occurs in the future, automatically dismiss it from all devices"
- Click Dismiss
- All Alerts associated with the specified ThreatID will now be dismissed with persistence
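The threatId copy step above can be done from a pasted URL instead of by eye. The following is an added example, not Carbon Black code: only the `selected[threatId]=` parameter name comes from this article, while the host, path, other parameters and ID values are constructed placeholders, and checking the part after `#` is an assumption about how the console may build its URLs.

```javascript
// Added example: pull the threatId out of a pasted Investigate-page URL.
// Only the "selected[threatId]" parameter name comes from the article;
// hosts, paths and ID values here are constructed placeholders.
const SAMPLE_QUERY_URL =
  "https://console.example.invalid/investigate?selected%5BthreatId%5D=EXAMPLETHREATID0001&window=1d";
const SAMPLE_FRAGMENT_URL =
  "https://console.example.invalid/#/investigate?window=1d&selected[threatId]=EXAMPLETHREATID0001&";

function extractThreatId(investigateUrl) {
  const url = new URL(investigateUrl);
  // Assumption: the parameter may sit in the query string or, in a
  // single-page console, after the "#" fragment. Check both places.
  const fragment = url.hash.includes("?")
    ? url.hash.slice(url.hash.indexOf("?") + 1)
    : url.hash.replace(/^#/, "");
  const found = new Set();
  for (const part of [url.search.replace(/^\?/, ""), fragment]) {
    // URLSearchParams decodes %5B and %5D, so encoded brackets match too.
    for (const [key, value] of new URLSearchParams(part)) {
      if (key === "selected[threatId]" && value.trim() !== "") {
        found.add(value.trim());
      }
    }
  }
  // Refuse to guess: searching for the wrong ThreatID would dismiss
  // (with persistence) a different group of Alerts than intended.
  if (found.size === 0) {
    throw new Error("no selected[threatId] parameter in URL");
  }
  if (found.size > 1) {
    throw new Error("conflicting threatId values in URL");
  }
  return [...found][0];
}

console.log(extractThreatId(SAMPLE_QUERY_URL));
```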
Additional Notes
- Group Alerts must be turned on to dismiss Alerts across multiple devices and with persistence
- When Group Alerts is turned off, dismissal applies only to the specific AlertID (machine specific), and the Alert cannot be dismissed for multiple devices
- "If this alert occurs in the future, automatically dismiss it from all devices" has no impact when Group Alerts is turned off
Related Content
Cb Defense: How to Dismiss Alerts
Cb Defense: Alert ID vs. Threat ID
Cb Defense: What Does Dismissing a Group of Alerts do?