EDR: Why does the 3 day search not return events?


Article ID: 287937


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why does the 3 day search not return events but those events are seen with the 1 week search?

Environment

  • EDR (formerly Response) Server: 6.x and above

Resolution

The design logic that optimizes searches can produce unexpected results when sensors have been offline for a long time or when the event backlog is large.

Additional Information

  • Process searches use the time range to narrow down which cores are searched, which speeds up search returns. Internally this narrowing is done on the last_server_update field. The last_update value reported by the endpoint and last_server_update do not have to be the same, and the difference between them can produce the discrepancy seen with time-range searches.
  • Searching All Time is not prone to this, but it should only be used in rare cases.
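The following Python model illustrates the discrepancy described above. It is an added example, not Carbon Black's code, and its two-step search (narrow by last_server_update, then match on last_update) is a simplified assumption about the server's behaviour; the process documents and timestamps are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 1, 10, 12, 0, 0)


@dataclass(frozen=True)
class ProcessDoc:
    """A process document carrying the two timestamps the article mentions."""
    name: str
    last_update: datetime         # reported by the sensor (endpoint side)
    last_server_update: datetime  # set when the server last wrote the document


# Constructed sample data (not taken from any real EDR server).
DOCS = [
    ProcessDoc("backup.exe", NOW - timedelta(days=1), NOW - timedelta(days=1)),
    # Endpoint activity is recent, but the server-side timestamp is older than
    # three days: this is the document a 3-day search will skip.
    ProcessDoc("updater.exe", NOW - timedelta(days=2), NOW - timedelta(days=5)),
    # Sensor activity from six days ago that the server only wrote recently.
    ProcessDoc("svchost.exe", NOW - timedelta(days=6), NOW - timedelta(hours=2)),
]


def time_range_search(docs, days):
    """Assumed model of a time-range search: cores are narrowed by
    last_server_update first, and only documents in the surviving cores are
    matched on last_update. Returns sorted process names."""
    window_start = NOW - timedelta(days=days)
    candidates = [d for d in docs if d.last_server_update >= window_start]
    return sorted(d.name for d in candidates if d.last_update >= window_start)


def all_time_search(docs):
    """An All Time search applies no window, so no core is skipped."""
    return sorted(d.name for d in docs)


def explain_gap(docs, days):
    """Diagnostic: documents whose endpoint activity falls inside the window
    but which the time-range search cannot return, mapped to the number of
    days the server-side timestamp lags behind the endpoint's."""
    window_start = NOW - timedelta(days=days)
    returned = set(time_range_search(docs, days))
    return {
        d.name: (d.last_update - d.last_server_update).days
        for d in docs
        if d.last_update >= window_start and d.name not in returned
    }


if __name__ == "__main__":
    for days in (3, 7):
        print(f"{days}-day search:", time_range_search(DOCS, days))
        print("  skipped despite recent activity:", explain_gap(DOCS, days))
    print("All Time search:", all_time_search(DOCS))
```

With this data the 3-day search returns only backup.exe even though updater.exe was active two days ago, while the 1-week search and the All Time search both return it; explain_gap reports how far the server-side timestamp trails the endpoint's for each document that was skipped, which is the first thing to check when a sensor has been offline or a backlog is draining.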