logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

EDR: How to Customize a Feed to Prevent False Positives

EDR: How to Customize a Feed to Prevent False Positives

Environment

  • EDR Console: All Versions

Objective

Customize a Response Feed to address False Positives or to limit data collection

Resolution

To Customize a Query:

  1. Navigate to the Threat Intelligence Page.
  2. Click on the threat reports for the feed to be tuned.
  3. Toggle the “Ignore” button from “No” to “Yes” on the report producing the false positive.
  4. Click on details to go into a specific details page.
  5. Click on the blue hyperlinked “indicator” at the page bottom of page. This opens up a process search page with the query that the threat feed is running.
  6. Add or remove search terms to the query to find a configuration that eliminates the noise in the environment but will still catch malicious/unusual behavior.
  7. Click the Wrench Icon and “Add Watchlist”.
  8. Set the alert and save changes.
To Ignore a Query:
  1. Navigate to the Threat Intelligence Page.
  2. Click on the threat reports for the feed to be tuned.
  3. Toggle the “Ignore” button from “No” to “Yes”. The report will no longer run and will not tag data on the server.

Related Content


Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎01-03-2019
Views:
2528
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.