EDR: How to determine top noisy and chatty hosts and processes
Article ID: 291637

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to list the hosts, processes, and parent processes that account for the most process documents in the EDR cluster's Solr index, i.e. the "noisiest" reporters. The counts come from the Solr terms component, which reads the term dictionary of the index on the node being queried (a document-frequency count, not a filtered search), so the numbers from every node in the cluster have to be collected and combined.

Environment

  • EDR Server: 6.x and Higher

Resolution

  1. Log into the command line of each EDR server in the cluster (the master/primary and every minion). Each node only reports on its own index, so the commands below must be run on every node and the results combined.
  2. Run the following on each node (the results are returned in descending order of document count, top 50 by default):
Get list of "noisiest" hosts (by number of process documents recorded for each sensor hostname):
curl "http://127.0.0.1:8080/solr/reader/terms?terms.fl=hostname&terms=true&terms.limit=50&indent=true"

Get list of most common processes (by full executable path):
curl "http://127.0.0.1:8080/solr/reader/terms?terms.fl=path_full&terms=true&terms.limit=50&indent=true"

Get list of most common parent processes (by parent process name):
curl "http://127.0.0.1:8080/solr/reader/terms?terms.fl=parent_name&terms=true&terms.limit=50&indent=true"
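The script below is an added example, not part of this article or of the Carbon Black EDR product: it runs the three terms queries above on the node it is executed on, keeps the raw XML under /var/log/cb/solr (the directory the Additional Information section names for server diags, one file per node via $(hostname)), and converts the Solr XML into a "count<TAB>term" table so results from several nodes can be pasted together or sorted. It assumes Solr answers at http://127.0.0.1:8080/solr/reader with the default XML response the curl commands return, and that /var/log/cb/solr is writable; SOLR_BASE, OUT_DIR and LIMIT can be overridden in the environment. The embedded sample response is constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the Carbon Black KB article: collect the terms
# queries the article lists on this node and tabulate them.
# Assumptions (not stated by the article): Solr on
# http://127.0.0.1:8080/solr/reader, a writable /var/log/cb/solr, and the
# default XML response format. Override with SOLR_BASE / OUT_DIR / LIMIT.

SOLR_BASE="${SOLR_BASE:-http://127.0.0.1:8080/solr/reader}"
OUT_DIR="${OUT_DIR:-/var/log/cb/solr}"
LIMIT="${LIMIT:-50}"
FIELDS="hostname path_full parent_name"   # noisy hosts, processes, parents

# terms_url FIELD: the same URL the article uses, with the limit parameterised.
terms_url() {
  printf '%s/terms?terms.fl=%s&terms=true&terms.limit=%s&indent=true\n' \
    "$SOLR_BASE" "$1" "$LIMIT"
}

# parse_terms FIELD < solr.xml: print "count<TAB>term" lines in the order
# Solr returns them (highest document frequency first). Only the <lst> for
# FIELD is read, so the status/QTime ints in responseHeader are skipped, and
# the XML entities Solr uses in paths and names are decoded.
parse_terms() {
  awk -v f="$1" '
    index($0, "<lst name=\"" f "\">") { inblock = 1; next }
    inblock && index($0, "</lst>")     { inblock = 0 }
    inblock && /<int name="/ {
      line = $0
      sub(/^[ \t]*<int name="/, "", line)     # drop the opening tag
      sub(/<\/int>[ \t]*$/, "", line)         # drop the closing tag
      n = match(line, /">[0-9]+$/)            # "> separates term from count
      term  = substr(line, 1, n - 1)
      count = substr(line, n + 2)
      gsub(/&lt;/, "<", term);    gsub(/&gt;/, ">", term)
      gsub(/&quot;/, "\"", term); gsub(/&apos;/, "\047", term)
      gsub(/&amp;/, "\\&", term)
      printf "%s\t%s\n", count, term
    }'
}

# collect_field FIELD: query this node, keep the raw XML in OUT_DIR named
# per node (the article's $(hostname) convention), and print the table.
collect_field() {
  raw="$OUT_DIR/$(hostname)_$1.xml"
  curl -sS --fail "$(terms_url "$1")" > "$raw" || return 1
  printf '== %s (top %s on %s) ==\n' "$1" "$LIMIT" "$(hostname)"
  parse_terms "$1" < "$raw"
}

collect_all() {
  for f in $FIELDS; do
    collect_field "$f" || echo "terms query for $f failed" >&2
  done
}

# Constructed sample of a terms.fl=hostname response, so the parser can be
# exercised without a live EDR node. Not real data.
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader">
  <int name="status">0</int>
  <int name="QTime">7</int>
</lst>
<lst name="terms">
  <lst name="hostname">
    <int name="build-agent-01">482913</int>
    <int name="DC01">120044</int>
    <int name="ws-&quot;lab&quot;-7">9001</int>
  </lst>
</lst>
</response>'

demo() { printf '%s\n' "$SAMPLE_XML" | parse_terms hostname; }

case "${1:-}" in
  collect) collect_all ;;   # sh noisy_terms.sh collect   (run on each node)
  *)       demo ;;          # no argument: parse the embedded sample only
esac
```

Run it with the argument collect on the master and on every minion, then merge the per-node tables (for example, sort -t"$(printf '\t')" -k1,1nr across the files) to get a cluster-wide view; because each node only reports its own index, a host that is busy on several minions will appear once per minion. The raw XML files stay in /var/log/cb/solr so that they travel with the server diags if Support asks for them.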

Additional Information

  • If sending results to VMware Carbon Black Technical Support, redirect the output into the Solr log directory; files there are included in the server diags bundle. Use the node's hostname in the file name so the per-node results stay distinguishable when they are collected:
    • curl "http://127.0.0.1:8080/solr/reader/terms?terms.fl=hostname&terms=true&terms.limit=50&indent=true" > "/var/log/cb/solr/$(hostname)_noisy_hosts.txt"
  • The commands above return the top 50 entries of each category. To view more results, change terms.limit=50 to the desired number.
  • The counts are per node, not cluster-wide: combine the output from the master and every minion before ranking hosts or processes.
  • These queries can be used to identify candidates for ingress filtering (hosts or process paths whose event volume is out of proportion to their value).
  • If this information is needed for a cloud-hosted instance, open a support case; the Solr endpoint is not reachable from the customer side there.