
EDR: Why are CbFeeds Better than Watchlists for a List of Hashes, IPs, or Domains?

Environment

  • EDR Server: All Versions

Question

Why are CbFeeds better than creating a watchlist for a list of hashes, IPs, or domains?

Answer

  • IOC-based feeds (those not built on a query) are evaluated at ingress, so they have a better chance of alerting you sooner than a watchlist, which runs every 10 minutes.
  • Copying and pasting a list of IOCs has a high probability of capturing line feeds (%A0) after each entry; this can cause Solr to search across each file type for every entry, especially when a type prefix such as md5: does not precede each value.
  • Overall management is much easier: adding, updating, and deleting a feed that carries a large list of IOCs is simpler than doing the same with a watchlist.
  • A score can be assigned to each individual report, making alerts easier to act on by severity.
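As an added example (not code from the article or from the EDR product), the following Python builds a feed document from a pasted IOC list: it strips the stray line breaks and whitespace the second point warns about, sorts each entry into a typed bucket (md5, ipv4, dns) so the type is explicit rather than left to a field-wide search, and attaches a score to the report as the last point describes. The feed/report key names follow the CbFeeds JSON layout as the author of this example understands it, and the feed name, URLs and sample IOCs are constructed placeholders.

```python
import re

# Constructed sample: a pasted IOC list with stray CR/LF, trailing spaces
# and a blank line, the kind of input the article warns about.
PASTED_IOCS = "44d88612fea8a8f36de82e1278abb02f\r\n198.51.100.23 \n\nevil.example.net\r\n"

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DNS_RE = re.compile(r"^(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")


def classify_iocs(text):
    """Split pasted text on line breaks, drop whitespace and blank lines,
    and place each entry into the typed bucket a feed report expects.
    Anything that is not a recognisable md5, IPv4 address or hostname
    raises, so a malformed entry never silently becomes a bad indicator."""
    iocs = {"md5": [], "ipv4": [], "dns": []}
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if MD5_RE.match(entry):
            iocs["md5"].append(entry.lower())
        elif IPV4_RE.match(entry) and all(int(o) <= 255 for o in entry.split(".")):
            iocs["ipv4"].append(entry)
        elif DNS_RE.match(entry):
            iocs["dns"].append(entry.lower())
        else:
            raise ValueError(f"unrecognised IOC: {entry!r}")
    return {kind: values for kind, values in iocs.items() if values}


def build_feed(text, report_id, title, score, timestamp):
    """Wrap the typed IOCs in one scored report inside a feed document.
    Key names are assumed to match the CbFeeds JSON layout; feed name and
    URLs are hypothetical placeholders."""
    return {
        "feedinfo": {
            "name": "examplefeed",
            "display_name": "Example IOC feed",
            "provider_url": "https://feed.example.invalid",
            "summary": "IOC list imported from a pasted list",
            "tech_data": "Constructed sample data",
        },
        "reports": [{
            "timestamp": int(timestamp),
            "id": report_id,
            "link": "https://feed.example.invalid/" + report_id,
            "title": title,
            "score": int(score),
            "iocs": classify_iocs(text),
        }],
    }
```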

Article Information

Creation Date: 02-01-2023