A known issue in the 7.9.0 release is impacting the Windows Auth Event Logging feature. Customers who have enabled this feature in Carbon Black EDR Server version 7.9.0 may experience delays in data ingestion and reduced console performance when retrieving event data. 

The root cause has been identified as leaking threads with ingestion of the new auth event that, with time, reaches JVM resource limits and causes Carbon Black EDR to be unresponsive.

• Carbon Black EDR Server: 7.9.0

Recommended Action:

• Customers are recommended to disable the Windows Auth Event Logging feature in Carbon Black EDR Server 7.9.0 to prevent potential issues.
  https://techdocs.broadcom.com/us/en/carbon-black/edr/carbon-black-edr/7-9-0/edr-ug/endpoint-event-log-events/enable-or-disable-event-log-events.html
  
  
• A fix for this issue will be included in the upcoming 7.9.1 release. Customers are encouraged to plan for an upgrade to Carbon Black EDR Server 7.9.1 when it becomes available.
  
  

Next Steps:

• If the auth event logging feature is enabled, monitor disk usage on the primary node and overall system performance.
• If Windows Event Logging feature is enabled in Carbon Black EDR Server 7.9.0 and you are observing performance issues, Broadcom recommends disabling the Windows Event Logging feature and restarting the Carbon Black EDR (cb-enterprise) service. Please contact Broadcom Support for further assistance.

Follow Broadcom advisories for the availability of the 7.9.1 release.

We appreciate your understanding and apologize for any inconvenience this issue has caused.