CB Response: Watchlist is Hitting Some But Not All the Qualified Watchlist Hits
Article ID: 289282
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
A watchlist is recording hits, but some behavior that should be hitting the watchlist does not produce a hit.
Environment
CB Response: 6.1.x and Higher
Cause
Watchlists have a maximum of 100 hits by default
Resolution
- While logged in as the root user
- Edit the /etc/cb/cb.conf file
- Add WatchlistSearchMaxTags=<Value>
- Save the settings
- Restart the services following this
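The edit from the steps above as a repeatable shell function. This is an added example, not vendor-supplied code: the function name, the `.bak` backup and the refusal of values above 200 (the ceiling recommended under Additional Information) are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotently set WatchlistSearchMaxTags in a cb.conf-style file.
# Run as root against /etc/cb/cb.conf, then restart the services as the steps say.

set_watchlist_max_tags() {
    conf="$1"    # path to the config file (/etc/cb/cb.conf on the server)
    value="$2"   # new maximum number of hits per watchlist

    # Accept only a positive integer.
    case "$value" in
        ''|*[!0-9]*) echo "value must be a positive integer" >&2; return 2 ;;
    esac
    [ "$value" -ge 1 ] || { echo "value must be at least 1" >&2; return 2; }

    # The article advises against going past 200; this example refuses to (assumption).
    if [ "$value" -gt 200 ]; then
        echo "refusing $value: going past 200 is not recommended" >&2
        return 3
    fi
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # Keep a copy so the change can be rolled back.
    cp -p "$conf" "$conf.bak" || return 1

    tmp="$(mktemp)" || return 1
    # Drop any existing (possibly duplicated) setting, then append the new one,
    # so repeated runs leave exactly one line for the key.
    grep -v '^[[:space:]]*WatchlistSearchMaxTags[[:space:]]*=' "$conf" > "$tmp" || true
    printf 'WatchlistSearchMaxTags=%s\n' "$value" >> "$tmp"

    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Call it as `set_watchlist_max_tags /etc/cb/cb.conf 150`; the previous file is kept beside it as `cb.conf.bak`.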
Additional Information
- If watchlists are getting more hits than this, then it's recommended to narrow down the behavior they monitor
- This value can be increased, but it's not recommended to go past 200
- To limit noise, the watchlist will only hit once on the same running process for the same behavior