EDR: Users are being blocked from using leading wildcard queries in the Console
Article ID: 289046
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Users are being blocked from using leading wildcard queries in the Console
Environment
- EDR Server: 6.2.3 and Higher
- Queries that use leading wildcards (*)
Cause
According to the CB Response 6.2.4 Using Guide, "The use of leading wildcards in a query is not recommended unless absolutely necessary, and is blocked by default."
Resolution
To block or allow high-impact process searches:
- Log in to Cb Response as a Global Administrator (for on-premises installations) or an Administrator (for the cloud).
- In the main console menu, choose <username> > Settings.
- In the left menu on the Settings page, choose Advanced Settings.
- Check (or uncheck) the box for the search type you want to block (or unblock).
- Click the Save changes button in the lower right corner of the page.
Additional Information
- CbR Global Admin can now block interactive process searches containing leading wildcards or binary metadata in the console. These settings are enabled by default.
- Additionally, the settings may be set in cb.conf. If set in cb.conf, the UI settings are forced to a specific value, grayed out and are not configurable.
- This feature only applies to interactive searches in the console. Searches executed via the API, existing watchlists or feeds will not be impacted by these settings
- For all the Unified View Users this does not apply to Unified view either as Unified View uses the API's on the individual Clusters to query the cluster.
Feedback
Yes
No
Powered by
