Cb Response: Email Alert Received While No Alert is Found in Console

Environment

  • Cb Response: All versions
  • Cb Response Console

Symptoms

  • An alert email is received, but the corresponding alert is not found in the Cb Response console under Detect > Triage Alert.

Cause

  • "Create Alert" On Hit is not ticked when expanding "Notifications" under a specific feed.

  • "Create Alert" On Hit is not ticked under the Watchlists page.

  • A Cb Response server issue unrelated to the two "On Hit" causes mentioned above.

Resolution

  1. Depending on whether the alert came from a watchlist or a feed, confirm that "Create Alert" is checked under On Hit for that watchlist or feed (see the two causes listed above).
  2. Upload Cb Diags (i.e., Server Logs) for review.

  3. Provide a copy of the email alert received. This will help Support determine whether the issue is feed- or watchlist-related.

    • a. If feed-related, provide the results of the query below, run from a terminal on the Cb Response server:

psql -d cb -p 5002 -c "select id,name,enabled,feed_url,update_timestamp from alliance_feeds where enabled='t' and delete_timestamp is null;"

   4. Output the process doc as text. See: How to output a process document as text file for troubleshooting

   5. If the alert pertains to the Cb Reputation Trust Feed, the Cb Reputation Threat Feed, or the deprecated VirusTotal Feed, provide a copy of the binary document from the Cb Response server:

curl "http://localhost:8080/solr/cbmodules/select?q=md5%3A{MD5HashHere}&wt=json&indent=true" > /tmp/binarydoc.out && /usr/share/cb/cbpost /tmp/binarydoc.out

   6. Submit a case to Support.

   7. Attach the screenshot of the email alert to the case along with the process doc and the binary doc.

Additional Notes

  • The MD5 hash for the binary curl command can be found in the email alert.

Related Content

Collecting logs for Troubleshooting [Server - Cb Response]

How to output a process document as text file for troubleshooting

Create a Case in The Community

Creation Date: 06-12-2018