EDR: How to Pull Watchlist Alerts From Solr

Article ID: 289519

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Pull related alerts for a watchlist

Environment

  • EDR Server: All Supported Versions

Resolution

  1. Open an SSH session to the EDR Master server.
  2. Get the affected watchlist's ID. Substitute watchlist_name with the watchlist's name as shown in the UI:
    • psql cb -p 5002 -c "select id from watchlist_entries where name='watchlist_name'"
  3. Pull the alerts for the watchlist. Substitute id with the ID returned in step 2:
    • curl 'http://127.0.0.1:8080/solr/cbalerts/select?q=watchlist_id%3Aid&wt=json&indent=true'

Additional Information

  • By default the query returns only the first 10 results. To return more, add '&rows=<number_of_rows>' after '&indent=true':
    • curl 'http://127.0.0.1:8080/solr/cbalerts/select?q=watchlist_id%3Aid&wt=json&indent=true&rows=20'
  • Additional filters, such as creation time, can be added to the query in URL-encoded form. This example pulls all alerts created on or after 07/01/2019:
    • curl 'http://127.0.0.1:8080/solr/cbalerts/select?q=watchlist_id%3Aid+AND+created_time%3A\[2019-07-01T00%3A00%3A00.000Z+TO+*\]&wt=json&indent=true'
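The three resolution steps and the rows and created_time additions above, combined into one script that looks up the watchlist ID by name and pages through every matching alert instead of stopping at Solr's default of 10 rows. This is an added example, not code from the article or from Carbon Black. It assumes it runs on the EDR master with the same local psql port (5002) and Solr endpoint (127.0.0.1:8080) the article shows, that Solr's standard 'start' and 'rows' paging parameters and the 'numFound' response field are available on the cbalerts core, and the script name pull_watchlist_alerts.sh is hypothetical.

```sh
#!/bin/sh
# Added example, not from the KB article: wraps the article's psql lookup and
# Solr query in reusable functions and pages through every alert instead of
# stopping at Solr's default of 10 rows. Assumptions: run on the EDR master,
# psql reachable on port 5002 and Solr on 127.0.0.1:8080 as in the article;
# 'start'/'rows' and 'numFound' are standard Solr paging parameters/fields.

PSQL_PORT=5002
SOLR_URL="http://127.0.0.1:8080/solr/cbalerts/select"
PAGE_SIZE=100

# lookup_watchlist_id NAME -> bare id from watchlist_entries, or empty if no match.
# The name is passed as a psql variable and interpolated with :'name', so a quote
# character in the watchlist name cannot break out of the SQL string literal.
# (psql interpolates variables for queries read from stdin, hence the here-document.)
lookup_watchlist_id() {
    psql cb -p "$PSQL_PORT" -tA -v name="$1" <<'EOF'
select id from watchlist_entries where name = :'name';
EOF
}

# build_alert_query ID [SINCE] -> the URL-encoded Solr q= value, encoded the same
# way as the article's commands (':' as %3A, spaces as '+', and the range brackets
# backslash-escaped so curl's URL globbing sends them through literally).
build_alert_query() {
    wl_id=$1
    since_ts=$2
    case "$wl_id" in
        ''|*[!0-9]*) echo "watchlist id must be numeric: '$wl_id'" >&2; return 1 ;;
    esac
    q="watchlist_id%3A${wl_id}"
    if [ -n "$since_ts" ]; then
        # created_time:[SINCE TO *] is an open-ended range from SINCE onwards
        enc_since=$(printf '%s' "$since_ts" | sed 's/:/%3A/g')
        q="${q}+AND+created_time%3A\\[${enc_since}+TO+*\\]"
    fi
    printf '%s' "$q"
}

# build_solr_url ID ROWS START [SINCE] -> full request URL for one page of results
build_solr_url() {
    page_q=$(build_alert_query "$1" "$4") || return 1
    printf '%s?q=%s&wt=json&indent=true&rows=%s&start=%s' "$SOLR_URL" "$page_q" "$2" "$3"
}

# fetch_alerts ID ROWS START [SINCE] -> raw JSON for one page of alerts
fetch_alerts() {
    page_url=$(build_solr_url "$1" "$2" "$3" "$4") || return 1
    curl -sS "$page_url"
}

# pull_all_alerts ID [SINCE] -> prints every page, advancing start by PAGE_SIZE
# until numFound (the total hit count Solr reports) is exhausted
pull_all_alerts() {
    all_id=$1
    all_since=$2
    offset=0
    while :; do
        body=$(fetch_alerts "$all_id" "$PAGE_SIZE" "$offset" "$all_since") || return 1
        printf '%s\n' "$body"
        total=$(printf '%s\n' "$body" | sed -n 's/.*"numFound" *: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
        [ -n "$total" ] || { echo "no numFound in Solr response; check the URL and core name" >&2; return 1; }
        offset=$((offset + PAGE_SIZE))
        [ "$offset" -lt "$total" ] || break
    done
}

# Usage: ./pull_watchlist_alerts.sh 'watchlist name' [2019-07-01T00:00:00.000Z]
# Without arguments the script only defines the functions, so it can be sourced.
if [ "$#" -ge 1 ]; then
    wl=$(lookup_watchlist_id "$1") || exit 1
    [ -n "$wl" ] || { echo "no watchlist named '$1'" >&2; exit 1; }
    pull_all_alerts "$wl" "$2"
fi
```

Two choices worth noting: the watchlist name goes to psql as a variable rather than being spliced into the SQL text, so an odd name cannot change the query, and the Solr request keeps the article's backslash-escaped brackets so curl's URL globbing passes the range query through unchanged (the alternative is curl's -g/--globoff with plain brackets).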