Cb Response: How to determine which endpoints are most frequently generating unique binaries


Article ID: 288101


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Determine which endpoints in the Cb Response cluster are generating the largest volume of unique binaries. 

Environment

  • Cb Response: 6.x and Higher

Resolution

  1. On the CLI of the master server, run:
# curl "http://localhost:8080/solr/cbmodules/select?q=host_count:1&wt=xml&indent=true&facet=true&facet.field=hostname&rows=0"

 

Additional Information

  • The output will provide the top 100 hosts generating the largest volume of unique binaries.
  • The output should look similar to:
<?xml version="1.0" encoding="UTF-8"?>
<response>

<lst name="responseHeader">
  <int name="status">0</int>
  <int name="QTime">0</int>
  <lst name="params">
    <str name="q">host_count:1</str>
    <str name="facet.field">hostname</str>
    <str name="indent">true</str>
    <str name="rows">0</str>
    <str name="wt">xml</str>
    <str name="facet">true</str>
  </lst>
</lst>
<result name="response" numFound="1520" start="0">
</result>
<lst name="facet_counts">
  <lst name="facet_queries"/>
  <lst name="facet_fields">
    <lst name="hostname">
      <int name="myCbRserver">1512</int>
      <int name="localhost">8</int>
    </lst>
  </lst>
  <lst name="facet_dates"/>
  <lst name="facet_ranges"/>
  <lst name="facet_intervals"/>
  <lst name="facet_heatmaps"/>
</lst>
</response>
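
To turn that XML into a ranked table, the response can be piped into a small parser. The script below is an added example, not part of the original article or of Carbon Black EDR; the function name rank_hosts and the zero-count "idle-host" entry in the sample are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the facet response shown in this
# article, plus one constructed zero-count host to exercise the filter.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int></lst>
<result name="response" numFound="1520" start="0"></result>
<lst name="facet_counts"><lst name="facet_fields">
  <lst name="hostname">
    <int name="myCbRserver">1512</int>
    <int name="localhost">8</int>
    <int name="idle-host">0</int>
  </lst>
</lst></lst>
</response>"""


def rank_hosts(xml_text, field="hostname"):
    """Return (num_found, rows); rows are (host, count, percent), highest count first."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    status = root.findtext("./lst[@name='responseHeader']/int[@name='status']")
    if status != "0":
        raise ValueError("Solr returned status %r" % status)
    result = root.find("./result[@name='response']")
    num_found = int(result.get("numFound", "0")) if result is not None else 0
    facet = root.find("./lst[@name='facet_counts']/lst[@name='facet_fields']"
                      "/lst[@name='%s']" % field)
    if facet is None:
        raise ValueError("no facet on %r in response" % field)
    rows = []
    for node in facet.findall("int"):
        count = int(node.text or 0)
        if count == 0:  # Solr lists zero-count facet values unless facet.mincount is set
            continue
        share = round(100.0 * count / num_found, 2) if num_found else 0.0
        rows.append((node.get("name"), count, share))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return num_found, rows


if __name__ == "__main__":
    # Pipe the curl output in, or run with no input to use the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    total, rows = rank_hosts(data)
    print("documents matching host_count:1: %d" % total)
    for host, count, share in rows:
        print("%-30s %8d %6.2f%%" % (host, count, share))
```

Each row shows a host's share of the numFound total, so a single endpoint accounting for most matches (as myCbRserver does in the sample) stands out immediately.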