
How to limit Alerts from appearing in the Alerts Dashboard

Version
This solution applies to Carbon Black v5.0 and later.

Issue

In the Detect -> Dashboard, redundant Alerts are created from the same Threat Feed, potentially for the same IOC.


Symptoms
The "redundant" Alerts appear on the Detect -> Dashboard page as well as on the Detect -> Triage Alerts page.

Cause
An Alert is created for 100% of Feed hits, which is by design.

Solution

It is possible to limit the Alerts that appear on these pages, or to squelch them from being generated at all, by specifying a minimum Alert score for a Feed. For example, suppose a Feed is generating a large number of Alerts, but you consider only a few of them meaningful and want visibility only into the Alerts above a certain Severity. To filter out the Alerts that fall below a given Severity rating, perform the following:


1. Identify the Feed that you want to limit Alerts for. In this example we will use the "NVD" Feed.

2. Edit the file /etc/cb/cb.conf and add the following line:

AlertMinScoreNvd=70

Note: The letter casing is important: the first letter of the feed name is capitalized and the rest are lower-case. For example, the Feed "MyCustomFeed" would use the key "AlertMinScoreMycustomfeed".

With this setting, an Alert is only created for an NVD Feed hit whose Severity rating is 70 or greater.


3. Restart the CB services:

service cb-enterprise restart

4. Verify that Alerts with a Severity rating below 70 are no longer being generated for this Feed.
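The procedure above, as an added example that is not Carbon Black's own code: a small Python helper that derives the cb.conf key from a Feed name using the casing rule in step 2, sets or updates that key in a copy of the cb.conf text without duplicating it, and reads back the configured minimums so the change can be checked before the services are restarted. The sample config fragment and the 0-100 score range are assumptions.

```python
import re

# Path named in the article; the helpers work on the file's text so they can be
# exercised on a constructed sample without touching a live Carbon Black server.
CB_CONF = "/etc/cb/cb.conf"

# Matches an active (uncommented) per-feed minimum score line.
KEY_RE = re.compile(r"^AlertMinScore([A-Za-z0-9_]+)[ \t]*=[ \t]*(\d+)[ \t]*$", re.MULTILINE)


def alert_min_score_key(feed_name):
    """Build the cb.conf key for a feed with the article's casing rule:
    first letter upper-case, the rest lower-case ("MyCustomFeed" -> "Mycustomfeed")."""
    name = feed_name.strip()
    if not name:
        raise ValueError("feed name must not be empty")
    return "AlertMinScore" + name[0].upper() + name[1:].lower()


def set_alert_min_score(conf_text, feed_name, score):
    """Return conf_text with the feed's minimum Alert score set to `score`.
    An existing line for the key is replaced in place (so the setting is never
    duplicated); otherwise the key is appended at the end of the file."""
    score = int(score)
    if not 0 <= score <= 100:  # feed scores are assumed to be on a 0-100 scale
        raise ValueError("score must be between 0 and 100")
    key = alert_min_score_key(feed_name)
    line = f"{key}={score}"
    existing = re.compile(rf"^{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    if existing.search(conf_text):
        return existing.sub(line, conf_text, count=1)
    sep = "" if conf_text == "" or conf_text.endswith("\n") else "\n"
    return conf_text + sep + line + "\n"


def alert_min_scores(conf_text):
    """Map each configured feed (key suffix) to its minimum score, to verify the edit."""
    return {m.group(1): int(m.group(2)) for m in KEY_RE.finditer(conf_text)}


# Constructed sample of a cb.conf fragment, not taken from a real server.
SAMPLE_CONF = "# constructed sample\nAlertMinScoreNvd=50\n"

if __name__ == "__main__":
    updated = set_alert_min_score(SAMPLE_CONF, "NVD", 70)       # update existing key in place
    updated = set_alert_min_score(updated, "MyCustomFeed", 90)  # append a new key
    print(updated)
    print(alert_min_scores(updated))  # {'Nvd': 70, 'Mycustomfeed': 90}
```

To apply it to a real server, read /etc/cb/cb.conf into a string, write the returned text back, then restart the services as in step 3.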


Important Note(s)

There is an existing Feature Request to squelch Alerts from being generated based on specific IOCs. There is no target version or ETA for this feature.

Article Information
Creation Date: 05-11-2015