CB Response: How To Disable Fuzzy Facets

Article ID: 290658


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

This article explains how to disable fuzzy facets (search fuzzing) when necessary.

Environment

  • CB Response Server: 6.2.x and Higher
  • Linux: All Supported Versions

Resolution

WARNING: Disabling Fuzzy Facets in environments with a lot of events will likely have a performance impact during facet loading.

  1. Open /etc/cb/cb.conf
  2. Locate the Fuzzy Facets flag
    CoreServicesEnableFuzzyProcessFacets=True
  3. Update the value from True to False
    CoreServicesEnableFuzzyProcessFacets=False
  4. Save changes to /etc/cb/cb.conf
  5. Restart services
    service cb-enterprise restart
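
The steps above as a repeatable shell function, added here as an example and not taken from the vendor's article. The name set_fuzzy_facets is hypothetical, and the function assumes the flag already exists as exactly one uncommented line; it keeps a timestamped backup and leaves the restart from step 5 to the operator.

```shell
#!/bin/sh
# Added example (not vendor code): set the fuzzy facets flag in a cb.conf-style file.
# set_fuzzy_facets is a hypothetical helper name.
# Typical call, followed by step 5 from the article:
#   set_fuzzy_facets /etc/cb/cb.conf False && service cb-enterprise restart

KEY=CoreServicesEnableFuzzyProcessFacets

# Usage: set_fuzzy_facets <config-file> <True|False>
# Returns 0 on success (also when the value is already set), non-zero otherwise.
set_fuzzy_facets() {
    conf=$1
    value=$2
    case $value in
        True|False) ;;
        *) echo "value must be True or False" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "$conf not found" >&2; return 3; }

    # Count active (uncommented) flag lines. Refuse to guess when the flag is
    # missing or duplicated, because the article only covers updating one line.
    count=$(grep -c "^[[:space:]]*${KEY}[[:space:]]*=" "$conf" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 active ${KEY} line, found ${count}" >&2
        return 4
    fi

    # Already at the requested value: change nothing, write no backup.
    if grep -q "^[[:space:]]*${KEY}[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$conf"; then
        return 0
    fi

    # Back up, build the new content in a temp file, then write it back through
    # the original file so its owner and mode are unchanged.
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 5
    tmp=$(mktemp "$conf.XXXXXX") || return 5
    if ! sed "s/^[[:space:]]*${KEY}[[:space:]]*=.*/${KEY}=${value}/" "$conf" > "$tmp"; then
        rm -f "$tmp"
        return 5
    fi
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 5; }
    rm -f "$tmp"

    # Confirm the file now carries exactly the requested setting.
    grep -qx "${KEY}=${value}" "$conf"
}
```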

Additional Information

  • Fuzzy facets improve performance of returning search results, but can require more specific searches to return the desired results reliably
  • With fuzzy facets turned on, the Filters portion of the Process Search page may not display all expected values or options unless more specific search terms are used
    • process_name:svchost.exe may only show a Parent of services.exe in the left-hand filters
    • process_name:svchost.exe -parent_name:services.exe may show no additional Parent options but still a large estimated count of results
    • process_name:svchost.exe parent_name:* -parent_name:services.exe would yield additional Parent processes and a more accurate estimated count