EDR: Triage Alerts Page Does Not Load

Article ID: 287420

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The Triage Alerts page will not load.
    • Error message in /var/log/cb/coreservices/debug.log:

      2020-05-19 07:56:03 [15831] <err> cb.flask.blueprint_helpers - Unhandled exception from API request: 'title'
      Traceback (most recent call last):
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/flask/app.py", line 1813, in full_dispatch_request
          rv = self.dispatch_request()
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/flask/app.py", line 1799, in dispatch_request
          return self.view_functions[rule.endpoint](**req.view_args)
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/cb/auth/auth.py", line 183, in wrapped_f
        ...
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/cb/core/feeds/report.py", line 175, in create_from_solr_doc
      KeyError: 'title'

 

Environment

  • EDR: All Supported Versions

Cause

  • The error is caused by a blank or NULL title in one of the feeds, most likely a custom or added feed.

Resolution

  • The report causing this issue needs to be located. The curl command below can help narrow down the source:

      curl "http://localhost:8080/solr/cbfeeds/select?q=-title%3A%5B*%20TO%20*%5D&wt=json&indent=true&rows=10000&sort=create_time%20desc"

  • Once located, update the feed(s) found to be lacking a title.
    • As an example:
      1. Create a file named 'update_title.json' with the contents below, replacing the applicable fields with those found in the output of the previous command:

         [{
           "unique_id": "JAR-16-20296",
           "id": "JAR-16-20296",
           "is_local": "true",
           "update_time": 1594653367,
           "title": {
             "set": "FIX_JAR-16-20296"
           }
         }]

         The 'update_time' field must also be updated. The value to use can be found by running the following in a terminal:

         date +%s

      2. From the same directory on the master node, run the following (please capture the output):

         curl http://localhost:8080/solr/cbfeeds/update -d @update_title.json

      3. Wait for 5 minutes, then test loading the Triage Page from the UI.
      4. If this doesn't help, wait another 5 minutes, then restart cb-enterprise or cluster services.
      5. If this issue persists, please contact VMware Carbon Black Support.
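
When the query returns several reports, the contents of update_title.json can be generated instead of typed by hand. The Python below is an added example, not part of the original article or of Carbon Black's tooling: it takes the parsed JSON reply from the first curl command and builds one update entry per report without a title. The sample reply and the function name are constructed for illustration; the FIX_ prefix and the string form of is_local follow the article's example file.

```python
import json
import time

# Constructed sample of the Solr wt=json reply to the "no title" query above.
SAMPLE_RESPONSE = {
    "responseHeader": {"status": 0},
    "response": {"numFound": 2, "start": 0, "docs": [
        {"unique_id": "EXAMPLE-0001", "id": "EXAMPLE-0001",
         "is_local": True, "create_time": 1594000000},
        {"unique_id": "EXAMPLE-0002", "id": "EXAMPLE-0002",
         "is_local": False, "create_time": 1593000000},
    ]},
}

REQUIRED = ("unique_id", "id", "is_local")


def build_title_updates(solr_response, now=None, prefix="FIX_"):
    """Return one Solr atomic-update document per report lacking a title."""
    now = int(time.time()) if now is None else int(now)  # same as `date +%s`
    updates = []
    for doc in solr_response.get("response", {}).get("docs", []):
        title = doc.get("title")
        if isinstance(title, str) and title.strip():
            continue  # report already has a usable title; leave it alone
        missing = [key for key in REQUIRED if key not in doc]
        if missing:
            raise ValueError("report is missing %s: %r" % (missing, doc))
        updates.append({
            "unique_id": doc["unique_id"],
            "id": doc["id"],
            # The article's file gives is_local as the string "true".
            "is_local": str(doc["is_local"]).lower(),
            "update_time": now,
            # Placeholder title in the article's FIX_<id> pattern.
            "title": {"set": prefix + str(doc["id"])},
        })
    return updates


if __name__ == "__main__":
    # Prints the contents for update_title.json; review before posting to Solr.
    print(json.dumps(build_title_updates(SAMPLE_RESPONSE), indent=1))
```

To use it on real data, load the saved reply with json.load() in place of SAMPLE_RESPONSE, save the printed output as update_title.json, and post it with the curl command from the steps above.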