EDR: When Searching Domain Type in Threat Intelligence Pages a Red Error Displays
Article ID: 287995
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
When searching the Threat Intelligence page for a term that contains two dots (.), a red message pops up with a 500 server error.
Environment
- EDR Console: 7.7.0 and Above
Cause
The schema for the cbfeeds Solr core was updated, and the existing feed data is still on the old schema.
Resolution
- Stop the services (see EDR: How to Start, Stop and Restart EDR Application Services)
- Back up the old feed core
mv /var/cb/data/solr/cbfeeds /var/cb/cbfeeds_backup
- Generate a new feed core
/usr/share/cb/virtualenv/bin/python -m cb.maintenance.cbstartup.main --stage startup
- Start only these services
/usr/share/cb/cbservice cb-redis start
/usr/share/cb/cbservice cb-solr start
- Run the indexer to ingest the data from the backup core into the new schema
/usr/share/cb/cb-solr-reindexer --solr-port 8080 --solr-address 127.0.0.1 cbfeeds /var/cb/cbfeeds_backup/data/index
- Stop the running services
/usr/share/cb/cbservice cb-solr stop
/usr/share/cb/cbservice cb-redis stop
- Start the EDR application services
- Verify the feeds are displaying in the console and the search is now working, then remove the backup directory
rm -rf /var/cb/cbfeeds_backup
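
The `mv` and `rm -rf` steps above are the two points where feed data can be lost, so the following guard functions are an added example (not part of the original article or of the EDR tooling) that can wrap them. The function names are hypothetical, and the check in `remove_backup` assumes the regenerated core keeps its index under `data/index`, as the old core does.

```bash
#!/bin/sh
# Added example: guard rails for the backup, reindex and cleanup steps.
# Usage with this article's paths:
#   backup_core      /var/cb/data/solr/cbfeeds /var/cb/cbfeeds_backup
#   ready_to_reindex /var/cb/data/solr/cbfeeds /var/cb/cbfeeds_backup
#   remove_backup    /var/cb/data/solr/cbfeeds /var/cb/cbfeeds_backup

# Succeeds only if the directory exists and holds at least one entry.
has_files() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Backup step. $1 = live core, $2 = backup target.
# Refuses to mv into an existing directory, which would nest the core as
# <backup>/cbfeeds and leave the reindexer pointing at the wrong index path.
backup_core() {
    if [ ! -d "$1" ]; then echo "core not found: $1" >&2; return 1; fi
    if [ -e "$2" ]; then echo "backup already exists: $2" >&2; return 2; fi
    mv -- "$1" "$2"
}

# Before cb-solr-reindexer. $1 = regenerated core, $2 = backup.
# The new core must exist and the backup must still hold the old index.
ready_to_reindex() {
    [ -d "$1" ] || { echo "new core missing: $1" >&2; return 1; }
    has_files "$2/data/index" || { echo "no index under $2" >&2; return 2; }
}

# Cleanup step. $1 = regenerated core, $2 = backup.
# Deletes the backup only once the new core has index files on disk
# (assumption: same data/index layout as the old core). This supplements
# the console verification, it does not replace it.
remove_backup() {
    has_files "$1/data/index" || { echo "new core has no index; keeping $2" >&2; return 1; }
    case "$2" in
        ""|/|/var|/var/cb) echo "refusing to remove '$2'" >&2; return 2 ;;
    esac
    rm -rf -- "$2"
}
```
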
Additional Information
- Reindexing can take several minutes to complete: approximately 1 minute per 1 million documents.