How to limit Alerts from appearing in the Alerts Dashboard
Version: This solution applies to Carbon Black v5.0 and later.
On the Detect -> Dashboard page, redundant Alerts are created from the same Threat Feed, potentially for the same IOC.
Symptoms: The "redundant" Alerts appear on the Detect -> Dashboard page as well as the Detect -> Triage Alerts page.
Cause: An Alert is created for 100% of Feed hits, which is by design.
It is possible to limit the Alerts that appear on these pages, or to squelch the Alerts from being generated at all, by specifying a minimum Alert score. For example, you have a Feed that is generating a large number of Alerts, but you only consider a few of them meaningful and want visibility only into the Alerts above a certain Severity. To filter out the Alerts that fall below a certain Severity rating, perform the following:
1. Identify the Feed that you want to limit Alerts for. For this example we will use the "NVD" Feed.
2. Edit the file /etc/cb/cb.conf and include the value:
Note: Letter casing is important: the first letter of the Feed name is capitalized and the remaining letters are lower-case. For example, "MyCustomFeed" would be "AlertMinScoreMycustomfeed".
The above change means an Alert will only be created if the Feed Severity rating is 70 or greater.
3. Restart the CB services:
service cb-enterprise restart
4. Verify that Alerts with a Severity rating less than 70 are no longer being generated.
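The naming rule and threshold from the steps above, applied by a small POSIX shell helper. This is an added example, not Carbon Black's own tooling; it assumes cb.conf uses Key=Value lines (so the NVD setting would read AlertMinScoreNvd=70) and is exercised here against a constructed copy of the file rather than the live /etc/cb/cb.conf.

```shell
#!/bin/sh
# Derive the cb.conf key for a feed: "AlertMinScore" + the feed name with its
# first letter upper-cased and the rest lower-cased (NVD -> AlertMinScoreNvd,
# MyCustomFeed -> AlertMinScoreMycustomfeed), per the note above.
alert_min_score_key() {
    feed="$1"
    first=$(printf '%s' "$feed" | cut -c1 | tr '[:lower:]' '[:upper:]')
    rest=$(printf '%s' "$feed" | cut -c2- | tr '[:upper:]' '[:lower:]')
    printf 'AlertMinScore%s%s' "$first" "$rest"
}

# Set (or replace) the minimum score for a feed in a cb.conf-style file.
# Assumption: the file uses one Key=Value setting per line. The edit is
# idempotent, so re-running never leaves two AlertMinScore lines for one feed.
# Remember that the page's step 3 (service cb-enterprise restart) still applies
# after the file is changed; this helper deliberately does not restart anything.
set_alert_min_score() {
    conf="$1"; feed="$2"; score="$3"
    case "$score" in
        ''|*[!0-9]*) echo "score must be an integer 0-100" >&2; return 1 ;;
    esac
    [ "$score" -le 100 ] || { echo "score must be an integer 0-100" >&2; return 1; }
    key=$(alert_min_score_key "$feed")
    if grep -q "^${key}=" "$conf"; then
        tmp="${conf}.tmp.$$"
        sed "s/^${key}=.*/${key}=${score}/" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s=%s\n' "$key" "$score" >> "$conf"
    fi
}

# Read back the configured minimum score for a feed (prints nothing if unset),
# which is the check to run before verifying in the console (step 4).
get_alert_min_score() {
    key=$(alert_min_score_key "$2")
    sed -n "s/^${key}=//p" "$1"
}
```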
Important Note(s): There is an existing Feature Request to squelch Alerts from being generated based on specific IOCs. There is no target version or ETA for this feature.