This section describes general settings in the cb.conf file for Carbon Black EDR server.

CbUser: Defines the user account with which the Carbon Black EDR services are run.
CbGroup: This setting defines the Linux group with which the Carbon Black EDR services are run.
CbFileDescriptorLimit: By default, CentOS allows only 1024 file descriptors per process. This number is too low for Carbon Black EDR.
CbLicenseFile: This setting specifies the path to the Carbon Black EDR server license file.
CbServerTokenFile: This parameter specifies a random hexadecimal string that uniquely identifies this Carbon Black EDR server installation.
ClusterMembership: This parameter indicates whether this server node is part of a cluster.
ClusterNodeId: This parameter is a server node unique identifier.
CbJavaHome: Carbon Black EDR requires JRE version 1.8.0 or higher for EL6, or 1.11.0 or higher for EL7 or EL8.
EventForwarderEnabled: With the release of Carbon Black EDR 7.1.0 server, admins can customize the Event Forwarder from directly within the Carbon Black EDR console.
FeedSyncEnforceQueryLimits: Configurable as True or False. This field dictates whether to enforce a limit on the number of Watchlist queries per Threat Intelligence Feed and in total across all Threat Intelligence Feeds (Global).
FeedSyncGlobalQueryLimit: If FeedSyncEnforceQueryLimits is set to True, this field limits the total number of Watchlists that can be created across all Threat Intelligence Feeds to the configured value.
FeedSyncPerFeedQueryLimit: If FeedSyncEnforceQueryLimits is set to True, this field limits the number of Watchlists that can be created per Threat Intelligence Feed to the configured value.
ManageFirewall: This parameter indicates whether the Carbon Black EDR server setup tools manage the configuration of a firewall on behalf of the user.
ManageIptables: Removed from version 6.2.3.
CbShutdownKillJobsTimeout: The time in seconds before killing cb cron jobs when cb-enterprise is shut down.
CoreServicesEnableProfiling: Specifies whether to enable profiler on start. Valid values for this property are Off, CpuTicks, and WallClock.
CoreServicesEnableApiProfiling: This parameter specifies whether detailed API profiling is enabled.
CoreServicesSmallScaleSensorCount: If the number of currently active sensors is less than this value, the sensor check-in interval is always 30 seconds. If it is greater, Carbon Black EDR calculates a dynamic check-in interval.
CoreServicesMaxCheckinInterval: This setting configures the maximum interval, in seconds, between successive sensor check-ins from a single sensor.
CoreServicesEnableProcessFacets: This parameter enables or disables all console facets (small graphic data displays) on the Search Processes page.
CoreServicesEnableBinaryFacets: This parameter enables or disables all console facets (small graphic data displays) on the Search Binaries page.
CoreServicesDisabledProcessFacets: This parameter disables specified console facets (small graphic data displays at the top of the page) on the Search Processes page.
CoreServicesDisabledBinaryFacets: This parameter disables specified console facets (small graphic data displays at the top of the page) on the Search Binaries page.
CoreServicesMaxFacetThreads: This setting configures the maximum number of threads used for console facets. The default of None disables facet threading.
CoreServicesEnableFuzzyProcessFacets: This parameter enables and disables the use of statistical sampling for calculating the terms in facets. This provides significantly improved runtime performance and reduced memory usage.
CoreServicesFuzzyProcessFacetsThreshold: This is one of two parameters that determine whether fuzzy faceting will start, if enabled by CoreServicesEnableFuzzyProcessFacets.
CoreServicesFuzzyProcessFacetsSamplingPerc: This is one of two parameters that determine whether fuzzy faceting will start, if enabled by CoreServicesEnableFuzzyProcessFacets.
CoreServicesEnableFuzzyBinaryFacets: This parameter enables and disables the use of statistical sampling for calculating the terms in binary facets. This provides significantly improved runtime performance and reduced memory usage.
CoreServicesFuzzyBinaryFacetsThreshold: This is one of two parameters that determine whether fuzzy faceting of binary facets will start, if enabled by CoreServicesEnableFuzzyBinaryFacets.
CoreServicesFuzzyBinaryFacetsSamplingPerc: This is one of two parameters that determine whether fuzzy faceting of binary facets will start, if enabled by CoreServicesEnableFuzzyBinaryFacets.
CoreServicesEnableFuzzyAlertFacets: This parameter enables and disables the use of statistical sampling for calculating the terms in alert facets. This provides significantly improved runtime performance and reduced memory usage.
CoreServicesFuzzyAlertFacetsThreshold: This is one of two parameters that determine whether fuzzy faceting of alert facets will start, if enabled by CoreServicesEnableFuzzyAlertFacets.
CoreServicesFuzzyAlertFacetsSamplingPerc: This is one of two parameters that determine whether fuzzy faceting of alert facets will start, if enabled by CoreServicesEnableFuzzyAlertFacets.
CoreServicesEnableFuzzyFeedFacets: This parameter enables and disables the use of statistical sampling for calculating the terms in feed facets. This provides significantly improved runtime performance and reduced memory usage.
CoreServicesFuzzyFeedFacetsThreshold: This is one of two parameters that determine whether fuzzy faceting of feed facets will start, if enabled by CoreServicesEnableFuzzyFeedFacets.
CoreServicesFuzzyFeedFacetsSamplingPerc: This is one of two parameters that determine whether fuzzy faceting of feed facets will start, if enabled by CoreServicesEnableFuzzyFeedFacets.
CoreServicesEventlogBytesCap: This parameter sets the upper limit on the aggregate number of bytes that can be uploaded by a group of sensors that will check-in during the next monitoring interval.
CoreServicesMaxEventlogBytesPerSensor: This parameter sets the maximum number of bytes a sensor can push per check-in.
SensorMaxUpgradeRate: This parameter sets the maximum auto-upgrades per hour.
CoreServicesProcessSearchOrder: This parameter sets the sort order of process search results as seen in the console.
CoreServicesBinarySearchOrder: This parameter sets the sort order of binary search results as seen in the console.
CoreServicesProcessSearchPageSize: This parameter sets the number of matching process documents that display on each page in the Search Processes page in the console.
CoreServicesBinarySearchPageSize: This parameter sets the number of matching binary documents that display on each page in the Search Binaries page in the console.
CoreServicesProcessAutocomplete: This parameter sets the backend method for the auto-complete function for search queries that are entered in the Search Processes page.
CoreServicesBinaryAutocomplete: This parameter sets the backend method for the auto-complete function for search queries that are entered in the Search Binaries page.
TimestampDeltaThreshold: This parameter sets the time (in seconds) used as a threshold for identifying sensors with unsynchronized clocks.
CoreServicesPidFile: This setting contains the current process ID of the coreservices daemon.
SensorInstallerDir: This parameter specifies the directory path for sensor installers on Windows.
SensorInstallerDirOsx: This parameter specifies the directory path for sensor installers on macOS.
SensorInstallerDirLinux: This parameter specifies the directory path for sensor installers on Linux.
EmailNotificationsFromAddress: This parameter configures the email "from" address for watchlist and feed notifications.
FlaskSecret: This required value is a random string of ASCII-printable characters.
FailedLogonLockoutCount: This parameter sets the number of times a user can fail authentication before the account is locked.
AccountUnlockInterval: This parameter sets the number of minutes after which a locked account unlocks.
UserActivityQuota: Carbon Black EDR logs all user authentication in the PostgreSQL database. This setting defines the minimum number of authentication records that are kept.
UserActivityQuotaDelta: This parameter defines when to start trimming the number of user authentication records. It is a percentage of UserActivityQuota.
SolrQueryExecutionQuota: This parameter sets the total number of records retained in the SQL table SolrQueryExecution, which records expensive queries.
SolrQueryRecorderDurationThresholdMs: This parameter controls recording of slow Solr queries by setting a threshold on the execution time (in milliseconds) that is allowed for recording slow queries.
SolrQueryRecorderTopLevelOnly: When True, record only top-level Solr queries. Queries on individual cores (including minions) are not recorded.
AllianceClientPidFile: This parameter sets the path to the PID file used for the Carbon Black EDR Alliance client service control.
AllianceSyncIntervalSecs: This parameter sets the time (in seconds) between periodic connection attempts to the Carbon Black EDR Alliance server.
AllianceURL: This parameter sets the URL of the Carbon Black EDR Alliance server.
DatastoreJvmMax: This parameter sets the maximum amount of RAM to be used for the JVM’s memory heap.
DatastoreEventCoreClientThreads: This parameter sets the number of worker threads that process data from the throttle queue and insert it into Solr.
DatastoreAllowUnregisteredSensor: This parameter controls whether the datastore accepts data from a sensor that has not been registered with a Carbon Black EDR server.
DatastoreShutdownTimeout: This parameter sets the number of seconds to wait (when the datastore is being stopped) for all buffers and cached data to be cleanly written to disk. After this time, if the service is still running, it is forcibly stopped.
DatastoreDisableJMXRemote: This parameter allows external Java management or a debugging process on the local machine to communicate with the datastore.
DisableDatastoreCache: See SmallDeploymentMode for equivalent functionality.
SmallDeploymentMode: If set to True, this option disables datastore caching and causes Solr to commit process document updates within 15 seconds. This option trades performance for reduced latency.
DatastoreDbPoolSize: This parameter sets the maximum database connections from a single datastore instance.
IngresScannerEventProcessorDir: This parameter sets the location of ingress scanner event processor libs and configuration.
EnableProcessMD5FeedHits: If True (the default), ingress and subsequent storage feed hits triggered by MD5 of the process are enabled.
EnableProcessSHA256FeedHitEvents: If True (the default), ingress and subsequent storage feed hits triggered by the SHA-256 of the process are enabled.
FeedHitMinScore: This parameter sets the cap on the minimum feed hit score that triggers a feed hit event.
FeedHitMinScore<XXXXX>: This parameter sets the cap on the minimum feed hit score that triggers a feed hit event for a specific feed, where 'XXXXX' is the feed_name attribute of the feed obtaining the special value.
FeedNotificationsRateLimiterEnabled: This parameter enables limiting of feed hit notification rate using a limit specified by FeedNotificationsRateLimit for a period specified by FeedNotificationsRateLimitDuration.
FeedNotificationsRateLimit: This parameter specifies the maximum number of feed hit notifications that can be sent for a given feed within a period that is specified by FeedNotificationsRateLimitDuration.
FeedNotificationsRateLimitDuration: This parameter specifies the duration in hours for which the FeedNotificationsRateLimit value is valid.
EventStoreSolrCore: This parameter is no longer used.
ModInfoStoreSolrCore: This parameter sets the name of the Solr core to be used for module information storage.
ModInfoStoreFlushInterval: This parameter sets the time interval, in milliseconds, with which buffered module information events are pushed to the module information Solr core.
PgSqlDataDir: This parameter sets the location of the PostgreSQL data directory.
PgSqlPidFile: This parameter sets the path to the PID file, which is used for cb-pgsql service control.
PgSqlLogfilePath: Sets the path to the cb-pgsql startup log file.
PgSqlHost: Sets the network interfaces on which cb-pgsql listens.
PgSqlPort: Sets the port on which cb-pgsql listens.
DatabaseURL: This parameter sets the SQLAlchemy database URL that connects with PostgreSQL.
ModstorePath: This parameter sets the flat-file storage location for module file storage.
CoreServicesMaxEventResultsPerProcess: This parameter sets the maximum number of events to return from the /process/<guid>/<segment>/event API.
CoreServicesMaxSegmentsPerProcess: This parameter sets the maximum number of segments to return from /process/<guid>/0/preview, /process/<guid>/0, and /process/<guid>/0/report.
WatchlistSearchMaxTags: This parameter determines the number of tags to set in a single watchlist search.
SearchRestrictFirstSegment: This parameter determines whether to use special logic to restrict searches only at segment_id:1 as long as the query does not contain event fields.
SearchUseTerminatedOnCounts: This parameter adds accuracy for queries that use event count fields (for example, filemod_count, netconn_count) with immutable documents, which are the default in version 6.1.
ModulesCacheMemoryPercent: This parameter sets the percent of memory to be used in the datastore for the module partition cache structures.
ModulesCacheWritePeriodSecs: This parameter sets the frequency (in seconds) for writing out partition updates to modules that Carbon Black EDR observes.
ModulesRecentCacheTimeoutMultiplier: This parameter sets a multiplier that is used in combination with ModulesCacheWritePeriodSecs to determine how long the cache of recently observed md5 values is held in memory. For example, if the defaults are used, the timeout is 4x30=120 seconds.
ForceComprehensiveSearch: This parameter determines whether to automatically run comprehensive search when needed, without confirming with the user.
ForceBlockLeadingWildcardsInSearchTo: This parameter determines whether process searches with leading wildcards that can cause performance problems are always blocked, always allowed, or can be configured through the console.
ForceBlockCoreJoinsInSearchTo: This parameter determines whether process searches that have joins of large module cores that can cause performance issues are always blocked, always allowed, or can be configured through the console.
ModuleCoreDocumentCountWarningThreshold: For process searches with binary joins, this parameter sets the number of module core documents that is considered large enough to cause potential performance problems.
DefaultSolrTimeoutS: Solr timeout (in seconds) for all UI and API queries.
RebuildEventSuggestersMins: Frequency (in minutes) for rebuilding event suggesters.
RebuildEventSuggestersTimeoutS: Timeout (in seconds) for event suggesters rebuilds.
RebuildModuleSuggestersMins: Frequency (in minutes) for rebuilding module suggesters.
RebuildModuleSuggestersTimeoutS: Timeout (in seconds) for module suggesters rebuilds.
WatchlistSearchTimeoutS: Solr timeout (in seconds) for all feed/watchlist queries.
CbDiagTmpDir: This parameter specifies the location to write cbdiags data.
ShowGdprBanner: This parameter controls the state of the EU Data Sharing Banner, which can be displayed at the top of each console page to caution users about sharing data.
YaraManagerEnabled: Set this parameter to True to enable Yara Manager control in the Carbon Black EDR console.
YaraManagerToken: Set this parameter to match the authentication token/keyword that is set for Yara Manager authentication in /etc/cb/integrations/cb-yara-manager/auth.conf.