EDR: When Searching Domain Type in Threat Intelligence Pages a Red Error Displays

Article ID: 287995

Updated On:

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

When searching the Threat Intelligence page for a term that contains two dots (.), a red message pops up with a 500 server error.

Environment

  • EDR Console: 7.7.0 and above

Cause

The schema for the cbfeeds Solr core was updated, but the existing feed data is still on the old schema.

Resolution

 

  1. Stop the services (see EDR: How to Start, Stop and Restart EDR Application Services)
  2. Back up the old feed core
    mv /var/cb/data/solr/cbfeeds /var/cb/cbfeeds_backup
  3. Generate a new feed core
    /usr/share/cb/virtualenv/bin/python -m cb.maintenance.cbstartup.main --stage startup
  4. Start only these services
    /usr/share/cb/cbservice cb-redis start
    /usr/share/cb/cbservice cb-solr start
  5. Run the indexer to ingest the data from the backup core into the new schema
    /usr/share/cb/cb-solr-reindexer --solr-port 8080 --solr-address 127.0.0.1 cbfeeds /var/cb/cbfeeds_backup/data/index
  6. Stop the running services
    /usr/share/cb/cbservice cb-solr stop
    /usr/share/cb/cbservice cb-redis stop
  7. Start the EDR application services
  8. Verify that the feeds display in the console and that the search now works, then remove the backup
    rm -rf /var/cb/cbfeeds_backup
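
The wrapper below is an added example, not part of the original article or of the vendor's tooling. It runs steps 2 through 6 but refuses to start if the feed core has no index data or if /var/cb/cbfeeds_backup already exists, because mv would then nest the core inside the old backup and step 5 would read stale data. The function names, CB_DRY_RUN and --run are assumptions of this sketch; steps 1, 7 and 8 stay manual.

```shell
#!/bin/sh
# Added example: guarded wrapper around steps 2-6 of this article.
# Paths and commands are the article's; the function names, CB_DRY_RUN
# and the --run argument are assumptions of this sketch.
FEED_CORE="${FEED_CORE:-/var/cb/data/solr/cbfeeds}"
BACKUP="${BACKUP:-/var/cb/cbfeeds_backup}"

# Echo the command; execute it only when CB_DRY_RUN is not 1.
run() {
    echo "+ $*"
    [ "${CB_DRY_RUN:-0}" = "1" ] || "$@"
}

# Fail before anything is changed: the core must hold index data, and an
# earlier backup must not be in the way.
preflight() {
    if [ -z "$(ls -A "$FEED_CORE/data/index" 2>/dev/null)" ]; then
        echo "no index data under $FEED_CORE/data/index" >&2
        return 1
    fi
    if [ -e "$BACKUP" ]; then
        echo "backup already exists: $BACKUP" >&2
        return 2
    fi
    return 0
}

reindex_feeds() {
    preflight || return $?
    run mv "$FEED_CORE" "$BACKUP" || return 3                        # step 2
    run /usr/share/cb/virtualenv/bin/python \
        -m cb.maintenance.cbstartup.main --stage startup || return 4 # step 3
    rc=0
    run /usr/share/cb/cbservice cb-redis start &&                    # step 4
    run /usr/share/cb/cbservice cb-solr start &&
    run /usr/share/cb/cb-solr-reindexer --solr-port 8080 \
        --solr-address 127.0.0.1 cbfeeds "$BACKUP/data/index" || rc=5 # step 5
    # Step 6 runs even after a failure so Solr and Redis are not left up.
    run /usr/share/cb/cbservice cb-solr stop || rc=6
    run /usr/share/cb/cbservice cb-redis stop || rc=6
    return "$rc"
}

# Run the procedure only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    reindex_feeds
fi
```

Run it first with CB_DRY_RUN=1 to print the commands without executing them; a non-zero exit code means the backup in /var/cb/cbfeeds_backup should be kept.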

 

Additional Information

  • Reindexing can take several minutes to complete: approximately 1 minute per 1 million documents.