Carbon Black Cloud: Data Forwarder Excludes and Includes configuration missing after adding value.
Article ID: 289100
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
All of the endpoint.event Data Forwarder includes and excludes values are missing from the Carbon Black Cloud Console after a new value is added to the Data Forwarder configuration and saved.
Environment
Carbon Black Cloud: Current Version
Carbon Black Cloud API: Current Version
Data Forwarder: Endpoint.Event
Cause
If a duplicate or blank 'NAME' value is added to the Data Forwarder configuration, the save action removes the old configuration and tries to reapply the whole configuration in bulk. That bulk request fails with an HTTP 400 error, which leaves the configuration zeroed out in the Carbon Black Cloud Console.
Resolution
The current workaround is to validate that the 'NAME' value of every query added to the includes or excludes fields is unique and not blank before saving.
Additional Information
Best practice is to back up the Data Forwarder configuration via the API so that the "last known good" configuration can be reapplied if the configuration is zeroed out.
Adding new values via the Carbon Black Cloud console is the recommended method, because the console has input validation that prevents duplicate or empty NAME label entries.
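The following is an added example (not Carbon Black's own code) of the pre-save check described in the Resolution and the backup recommended above: it reports blank or duplicate NAME values before a configuration is pushed through the API, and writes a timestamped copy of the last known good configuration. The configuration layout it operates on (top-level "includes" and "excludes" lists of entries with "name" and "query" keys) is an assumption for illustration, as is the per-list duplicate check.

```python
"""Pre-save check and backup for a Data Forwarder endpoint.event configuration.

Added example, not Carbon Black's own code. The config shape used here
("includes"/"excludes" lists of {"name": ..., "query": ...} entries) is an
assumption; map it to the fields you actually retrieve from the API.
"""
import json
from datetime import datetime, timezone
from pathlib import Path


def find_name_problems(entries):
    """Report blank or duplicate NAME values in one includes/excludes list.
    These are the two conditions the console rejects and that, submitted via
    the API, return HTTP 400 and zero out the whole configuration."""
    problems, seen = [], {}
    for index, entry in enumerate(entries):
        name = (entry.get("name") or "").strip()
        if not name:
            problems.append(f"entry {index}: blank NAME")
        elif name in seen:  # duplicates checked per list (assumption)
            problems.append(f"entry {index}: duplicate NAME {name!r} (first at entry {seen[name]})")
        else:
            seen[name] = index
    return problems


def validate_forwarder_config(config):
    """Return all problems across both lists; an empty list means safe to save."""
    return [f"{section}: {problem}"
            for section in ("includes", "excludes")
            for problem in find_name_problems(config.get(section, []))]


def backup_config(config, backup_dir):
    """Write the last known good config to a timestamped JSON file; return its path."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = backup_dir / f"data-forwarder-{stamp}.json"
    path.write_text(json.dumps(config, indent=2))
    return path


# Constructed sample: a duplicate NAME in includes and a blank NAME in excludes.
SAMPLE_CONFIG = {
    "includes": [{"name": "powershell", "query": "process_name:powershell.exe"},
                 {"name": "powershell", "query": "process_name:pwsh.exe"}],
    "excludes": [{"name": "", "query": "process_name:svchost.exe"}],
}
```

Run `validate_forwarder_config` on the configuration you are about to submit and only call the API when it returns an empty list; call `backup_config` on the currently applied configuration first.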