CB Response: Alerts are Received Later than the Timestamp
Article ID: 286858
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Alerts appear to be sent late for an event.
Environment
- Carbon Black Response Console: All Versions
Cause
A new watchlist query with over 100 matches causes other watchlists to tag the same process again
Resolution
- This is currently working as designed. CB-29895 is an enhancement request to improve on the design
- To avoid this, before creating a watchlist utilize the process search page to get the total hits. If there is over 100 matches, there is a possibility this will tag processes already tagged by another watchlist earlier and cause the same. Tune the watchlist to minimize the amount of matches if possible.
Additional Information
- Watchlists run every 10 minutes by default. A new watchlist will start at the beginning of time, searching all older events stored in Solr.
- The watchlist search job will only search the first 100 hits before moving on to the next watchlist
- When a watchlist tags an event, a new segment is created within the Solr doc copying the information over with a reference id to the original event.
Feedback
Yes
No
Powered by
