Alerts, Live Query Results, and Investigate Page Only Showing 10,000 results

search cancel

Alerts, Live Query Results, and Investigate Page Only Showing 10,000 results

book

Article ID: 285484

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

The investigate page is only showing 10,000 results. IE:

Alerts
- Showing 10,000 of 36,495 alerts
Investigate > Observations:
- Showing max 10,000 of 56,421 results
Investigate > Processes:
- Showing max 10,000 results (23% of available data processed)
Live Query Results:
- Showing 10,000 of 36,495 results

Environment

Carbon Black Cloud Console

Resolution

This is expected behavior. The console UI utilizes the Alerts API, Observations API,and Processes Search API which have a limit of 10,000 per query result. We recommend making use of filters and /or search to narrow the results below 10,000. If the full results are required the options would be to:

Use our API and Pagination (Our SDK can help with this)
OR
Send the events to a SIEM. (Our Data Forwarder can help with this)

Feedback

thumb_up Yes

thumb_down No