You can review a time-boxed collection of events that meet certain characteristics, either on a regular basis or one time.

For example, you can review the executable files that are most often accessed in your organization and determine which ones need to be approved to expedite movement to High Enforcement. You can use filters and Saved Views to specify the events you want to review, but if you have a particularly large number of events or a complex set of filters, fetching these events for viewing can be time consuming and possibly cause the server to time out.

To make the review of a set of events more efficient, Carbon Black App Control allows you to cache the events in a custom Saved View. Cache requests are queued for overnight processing (beginning at approximately 12:30AM local time), when there is less likely to be a load on the server.

The results of cache processing appear as a new, named view on the Cached Events page (separate from the Events page). Because these events are in a cache rather than being fetched from the database in real time, access and further filtering of the cached view is much faster. After you request an event cache, the view you defined is used to create a new cache every night until you remove it from the Cached Events page.

The time period covered by the events in a cache depends on several factors:

  • Any time periods you define are based on when the event was recorded on the server (the server “timestamp”), not on when an event occurred on an endpoint.
  • If no other time constraints are defined, the cache includes events recorded on the server up to the time the cache processing begins. For example, if you click the Cache button at 4PM and processing begins at 12:30AM the following day, all events prior to 12:30AM are included.
  • If you specify beginning and ending timestamp filters in the view you cache, these filters determine the events that are included in the cache. However, event pruning can remove older events that are included in your timestamp filter period. See Managing the App Control Event Database.
  • If you include a Max Age property for the view, the cache includes events recorded on the server up to the time the cache processing begins.and going back for whatever time period you choose. For example, if you set Max Age to 1 Day, the resulting event cache includes all events from 12:30AM yesterday to 12:30AM today. Each successive processing deletes the oldest day and adds the latest day to the results.