CB Response: First watchlist prevents new alerts from watchlist hits because of excessive time processing
Article ID: 289131
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Newly created watchlists must initially be evaluated over ALL TIME. When that first evaluation takes a long time, it causes large delays in SOLR processing and holds up alert generation for other watchlist hits.
Environment
CB Response Server: Version 7.0.1 and Lower
Cause
This was identified as a defect (CB-29549) in the way watchlists are first processed.
Resolution
Upgrade the CB Response Server to version 7.1.0-SVR, which includes the fix for this defect.
Additional Information
The defect fix added a new cb.conf setting, WatchlistSearchTimeoutStepS (default 3600s). If a watchlist query takes longer than WatchlistTimeoutS (default 120s), the query is no longer run as one search over all time; instead it is executed in steps from the watchlist's start date, each step covering an interval of WatchlistSearchTimeoutStepS seconds (3600 by default), so a single slow watchlist cannot block SOLR and alert generation for the others.
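The stepped-execution behaviour described above, as an added illustration that is not Carbon Black's own code: a simulated search over a constructed event index first tries the whole time range under the WatchlistTimeoutS budget and, on timeout, re-runs it in WatchlistSearchTimeoutStepS-sized windows. The cost model (one simulated second per event scanned), the sample events and the function names are assumptions made for the example; only the two setting names and their defaults come from the article.

```python
from datetime import datetime, timedelta

# Hypothetical constants mirroring the cb.conf settings named in the article
# (values are the stated defaults).
WATCHLIST_TIMEOUT_S = 120
WATCHLIST_SEARCH_TIMEOUT_STEP_S = 3600

# Constructed sample index: one event every 100 s over 10 hours (360 events).
# Every 7th event is powershell.exe; the rest are svchost.exe.
START = datetime(2024, 1, 1, 0, 0, 0)
END = START + timedelta(hours=10)
SAMPLE_EVENTS = [
    (START + timedelta(seconds=100 * i),
     "powershell.exe" if i % 7 == 0 else "svchost.exe")
    for i in range(360)
]


class SearchTimeout(Exception):
    """Raised when a simulated query exceeds its time budget."""


def search(events, predicate, start, end, timeout_s):
    """Simulated SOLR query over the half-open range [start, end).

    Cost model (an assumption for illustration): scanning one event costs one
    second, so a range holding more events than timeout_s times out.
    """
    in_range = [e for e in events if start <= e[0] < end]
    if len(in_range) > timeout_s:
        raise SearchTimeout(f"{len(in_range)} events exceed {timeout_s}s budget")
    return [e for e in in_range if predicate(e)]


def run_watchlist(events, predicate, start, end,
                  timeout_s=WATCHLIST_TIMEOUT_S,
                  step_s=WATCHLIST_SEARCH_TIMEOUT_STEP_S):
    """Evaluate the watchlist over the whole range; on timeout, step instead.

    Returns (hits, steps_executed). steps_executed is 1 when the single
    all-time query fit inside the budget.
    """
    try:
        return search(events, predicate, start, end, timeout_s), 1
    except SearchTimeout:
        pass  # fall back to bounded windows from the start date
    hits, steps = [], 0
    cursor = start
    while cursor < end:
        step_end = min(cursor + timedelta(seconds=step_s), end)
        hits.extend(search(events, predicate, cursor, step_end, timeout_s))
        steps += 1
        cursor = step_end
    return hits, steps


def is_powershell(event):
    """Example watchlist predicate: match PowerShell process events."""
    return event[1] == "powershell.exe"


if __name__ == "__main__":
    found, steps = run_watchlist(SAMPLE_EVENTS, is_powershell, START, END)
    print(f"{len(found)} hits via {steps} stepped queries")
```

With the defaults, the all-time query scans 360 events and exceeds the 120 s budget, so the watchlist is evaluated in ten one-hour windows of 36 events each; the same 52 hits are returned, but no single query holds the search backend for longer than the timeout.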