This section describes general settings in the cb.conf file for Carbon Black EDR server. AccountUnlockIntervalThis parameter sets the number of minutes after which a locked account unlocks. AllianceClientPidFileThis parameter sets the path to the PID file used for the Carbon Black EDR Alliance client service control. AllianceSyncIntervalSecsThis parameter sets the time (in seconds) between periodic connection attempts to the Carbon Black EDR Alliance server. AllianceURLThis parameter sets the URL of the Carbon Black EDR Alliance server. CbDiagTmpDirThis parameter specifies the location to write cbdiags data. CbFileDescriptorLimitBy default, CentOS allows only 1024 file descriptors per process. This number is too low for Carbon Black EDR. CbGroupThis setting defines the Linux group with which the Carbon Black EDR services are run. CbLicenseFileThis setting specifies the path to the Carbon Black EDR server license file. CbJavaHomeCarbon Black EDR requires JRE version 1.8.0 or higher for EL6, or 1.11.0 or higher for EL7 or EL8. CbServerTokenFileThis parameter specifies a random hexadecimal string that uniquely identifies this Carbon Black EDR server installation. CbShutdownKillJobsTimeoutThe time in seconds before killing cb cron jobs when cb-enterprise is shut down. CbUserDefines the user account with which the Carbon Black EDR services are run. ClusterMembershipThis parameter indicates whether this server node is part of a cluster. ClusterNodeIdThis parameter is a server node unique identifier. CoreServicesBinaryAutocompleteThis parameter sets the backend method for the auto-complete function for search queries that are entered in the Search Binaries page. CoreServicesBinarySearchOrderThis parameter sets the sort order of binary search results as seen in the console. CoreServicesBinarySearchPageSizeThis parameter sets the number of matching binary documents that display on each page in the Search Binaries page in the console. CoreServicesDisabledBinaryFacetsThis parameter disable specified console facets (small graphic data displays at the top of the page) on the Search Binaries page. CoreServicesDisabledProcessFacetsThis parameter disables specified console facets (small graphic data displays at the top of the page) on the Search Processes page. CoreServicesEnableApiProfilingThis parameter specifies whether detailed API profiling is enabled. CoreServicesEnableBinaryFacetsThis parameter enables or disables all console facets (small graphic data displays) on the Search Binaries page. CoreServicesEnableFuzzyAlertFacetsThis parameter enables and disables the use of statistical sampling for calculating the terms in alert facets. This provides significantly improved runtime performance and reduced memory usage. CoreServicesEnableFuzzyBinaryFacetsThis parameter enables and disables the use of statistical sampling for calculating the terms in binary facets. This provides significantly improved runtime performance and reduced memory usage. CoreServicesEnableFuzzyFeedFacetsThis parameter enables and disables the use of statistical sampling for calculating the terms in feed facets. This provides significantly improved runtime performance and reduced memory usage. CoreServicesEnableFuzzyProcessFacetsThis parameter enables and disables the use of statistical sampling for calculating the terms in facets. This provides significantly improved runtime performance and reduced memory usage. CoreServicesEnableProcessFacetsThis parameter enables or disables all console facets (small graphic data displays) on the Search Processes page. CoreServicesEnableProfilingSpecifies whether to enable profiler on start. Valid values for this property are Off , CpuTicks , and WallClock . CoreServicesEventlogBytesCapThis parameter sets the upper limit on the aggregate number of bytes that can be uploaded by a group of sensors that will check-in during the next monitoring interval. CoreServicesFuzzyAlertFacetsSamplingPercThis is one of two parameters that determine whether fuzzy faceting of alert facets will start, if enabled by CoreServicesEnableFuzzyAlertFacets. CoreServicesFuzzyAlertFacetsThresholdThis is one of two parameters that determine whether fuzzy faceting of alert facets will start, if enabled by CoreServicesEnableFuzzyAlertFacets. CoreServicesFuzzyBinaryFacetsSamplingPercThis is one of two parameters that determine whether fuzzy faceting of binary facets will start, if enabled by CoreServicesEnableFuzzyBinaryFacets. CoreServicesFuzzyBinaryFacetsThresholdThis is one of two parameters that determine whether fuzzy faceting of binary facets will start, if enabled by CoreServicesEnableFuzzyBinaryFacets. CoreServicesFuzzyFeedFacetsSamplingPercThis is one of two parameters that determine whether fuzzy faceting of feed facets will start, if enabled by CoreServicesEnableFuzzyFeedFacets. CoreServicesFuzzyFeedFacetsThresholdThis is one of two parameters that determine whether fuzzy faceting of feed facets will start, if enabled by CoreServicesEnableFuzzyFeedFacets. CoreServicesFuzzyProcessFacetsSamplingPercThis is one of two parameters that determine whether fuzzy faceting will start, if enabled by CoreServicesEnableFuzzyProcessFacets. CoreServicesFuzzyProcessFacetsThresholdThis is one of two parameters that determine whether fuzzy faceting will start, if enabled by CoreServicesEnableFuzzyProcessFacets. CoreServicesMaxCheckinIntervalThis setting configures the maximum interval, in seconds, between successive sensor check-ins from a single sensor. CoreServicesMaxEventlogBytesPerSensorThis parameter sets the maximum number of bytes a sensor can push per check-in. CoreServicesMaxEventResultsPerProcessThis parameter sets the maximum number of events to return from the /process/ <guid> / <segment> /event API. CoreServicesMaxFacetThreadsThis setting configures the maximum number of threads used for console facets. The default of None disables facet threading. CoreServicesMaxSegmentsPerProcessThis parameter sets the maximum number of segments to return from / process/ <guid> /0/preview, /process/ <guid> /0, /process/ <guid> /0/report CoreServicesPidFileThis setting contains the current process ID of the coreservices daemon. CoreServicesProcessAutocompleteThis parameter sets the backend method for the auto-complete function for search queries that are entered in the Search Processes page. CoreServicesProcessSearchOrderThis parameter sets the sort order of process search results as seen in the console. CoreServicesProcessSearchPageSizeThis parameter sets the number of matching process documents that display on each page in the Search Processes page in the console. CoreServicesSmallScaleSensorCountIf the number of currently active sensors is less than this value, the sensor check-in interval is always 30 seconds. If it is greater, Carbon Black EDR calculates a dynamic check-in interval. DatabaseURLThis parameter sets the SQLAchemy database URL that connects with PostgreSQL. DatastoreAllowUnregisteredSensorThis parameter controls whether the datastore accepts data from a sensor that has not been registered with a Carbon Black EDR server. DatastoreDbPoolSizeThis parameter sets the maximum database connections from a single datastore instance. DatastoreDisableJMXRemoteThis parameter allows external Java management or a debugging process on the local machine to communicate with the datastore. DatastoreEventCoreClientThreadsThis parameter sets the number of worker threads that process data from the throttle queue and insert it into Solr. DatastoreJvmMaxThis parameter sets the maximum amount of RAM to be used for the JVM’s memory heap. DatastoreShutdownTimeoutThis parameter sets the number of seconds to wait (when the datastore is being stopped) for all buffers and cached data to be cleanly written to disk. After this time, if the service is still running, it is forcibly stopped. DefaultSolrTimeoutSSolr timeout (in seconds) for all UI and API queries. DisableDatastoreCacheSee SmallDeploymentMode for equivalent functionality. EmailNotificationsFromAddressThis parameter configures email from the address for watchlist and feed notifications. EnableProcessMD5FeedHitsIf True (the default), ingress and subsequent storage feed hits triggered by MD5 of the process are enabled. EnableProcessSHA256FeedHitEventsIf True (the default), ingress and subsequent storage feed hits triggered by the SHA-256 of the process are enabled. EventForwarderContainerAddressThis value indicates the name of the containerized Event Forwarder server. This parameter is required to identify a route between the containerized Carbon Black EDR server and the containerized Event Forwarder server. EventForwarderContainerPortThis value indicates the port upon which the containerized Event Forwarder server is listening for connections from the containerized Carbon Black EDR server. EventForwarderEnabledWith the release of Carbon Black EDR Server 7.1.0, admins can customize the Event Forwarder from directly within the Carbon Black EDR console. EventStoreSolrCoreThis parameter is no longer used. FailedLogonLockoutCountThis parameter sets the number of times a user can fail authentication before the account is locked. FeedHitMinScoreThis parameter sets the cap on the minimum feed hit score that triggers a feed hit event. FeedHitMinScore<XXXXX>This parameter sets the cap on the minimum feed hit score that triggers a feed hit event for a specific feed , where 'XXXXX’ is the feed_name attribute of the feed obtaining the special value. FeedNotificationsRateLimitThis parameter specifies the maximum number of feed hit notifications that can be sent for a given feed within a period that is specified by FeedNotificationsRateLimitDuration. FeedNotificationsRateLimitDurationThis parameter specifies the duration in hours for which the FeedNotificationsRateLimit value is valid. FeedNotificationsRateLimiterEnabledThis parameter enables limiting of feed hit notification rate using a limit specified by FeedNotificationsRateLimit for a period specified by FeedNotificationsRateLimitDuration. FeedSyncEnforceQueryLimitsConfigurable as True or False. This field dictates whether to enforce a limit on the number of Watchlist queries per Threat Intelligence Feed and in total across all Threat Intelligence Feeds (Global). FeedSyncGlobalQueryLimitIf FeedSyncEnforceQueryLimits is set to True, this field limits the total number of Watchlists that can be created across all Threat Intelligence Feeds to the configured value. FeedSyncPerFeedQueryLimitIf FeedSyncEnforceQueryLimits is set to True, this field limits the number of Watchlists that can be created per Threat Intelligence Feed to the configured value. FlaskSecretThis required value is a random string of ASCII-printable characters. ForceBlockCoreJoinsInSearchToThis parameter determines whether process searches that have joins of large module cores that can cause performance issues are always blocked, always allowed, or can be configured through the console. ForceBlockLeadingWildcardsInSearchToThis paramter determines whether process searches with leading wildcards that can cause performance problems are always blocked, always allowed, or can be configured through the console. ForceComprehensiveSearchThis parameter determines whether to automatically run comprehensive search when needed, without confirming with the user. IngresScannerEventProcessorDirThis parameter sets the location of ingress scanner event processor libs and configuration. ManageFirewallThis parameter indicates whether the Carbon Black EDR server setup tools manage the configuration of a firewall on behalf of the user. ManageIptablesRemoved from version 6.2.3. ModInfoStoreFlushIntervalThis parameter sets the time interval, in milliseconds, with which buffered module information events are pushed to the module information Solr core. ModInfoStoreSolrCoreThis parameter sets the name of the Solr core to be used for module information storage. ModstorePathThis parameter sets the flat-file storage location for module file storage. ModulesCacheMemoryPercentThis parameter sets the percent of memory to be used in the datastore for the module partition cache structures. ModulesCacheWritePeriodSecsThis parameter sets the frequency (in seconds) for writing out partition updates to modules that Carbon Black EDR observes. ModulesRecentCacheTimeoutMultiplierThis parameter sets a multiplier that is used in combination with ModulesCacheWritePeriodSecs to determine how long the cache of recently observed md5 values are held in memory. For example, if the defaults are used, the timeout is 4x30=120 seconds. ModuleCoreDocumentCountWarningThresholdFor process searches with binary joins, this parameter sets the number of module core documents that is considered large enough to cause potential performance problems. PgSqlDataDirThis parameter sets the location of the PostgreSQL data directory. PgSqlHostSets the network interfaces on which cb-pgsql listens. PgSqlLogfilePathSets the path to the cb-pgsql startup log file. PgSqlPidFileThis parameter sets the path to the PID file, which is used for cb-pgsql service control. PgSqlPortSets the port on which cb-pgsql listens. RebuildEventSuggestersMinsFrequency (in minutes) for rebuilding event suggesters. RebuildEventSuggestersTimeoutSTimeout (in seconds) for event suggesters rebuilds. RebuildModuleSuggestersMinsFrequency (in minutes) for rebuilding module suggesters. RebuildModuleSuggestersTimeoutSTimeout (in seconds) for module suggesters rebuilds. SearchRestrictFirstSegmentThis parameter determines whether to use special logic to restrict searches only at segment_id:1 as long as the query does not contain event fields. SearchUseTerminatedOnCountsThis parameter adds accuracy for queries that use event count fields (for example, filemod_count, netconn_count) with immutable documents, which are the default in version 6.1. SensorInstallerDirThis parameter specifies the directory path for sensor installers on Windows. SensorInstallerDirLinuxThis parameter specifies the directory path for sensor installers on Linux. SensorInstallerDirOsxThis parameter specifies the directory path for sensor installers on macOS. SensorMaxUpgradeRateThis parameter sets the maximum auto-upgrades per hour. ShowGdprBannerThis parameter controls the state of the EU Data Sharing Banner, which can be displayed at the top of each console page to caution users about sharing data. SmallDeploymentModeIf set to True , this option disables datastore caching and causes Solr to commit process document updates within 15 seconds. This option trades performance for reduced latency. SolrQueryExecutionQuotaThis parameter sets the total number of records retained in the SQL table SolrQueryExecution, which records expensive queries. SolrQueryRecorderDurationThresholdMsThis parameter controls recording of slow Solr queries by setting a threshold on the execution time (in milliseconds) that are allowed for recording slow queries. SolrQueryRecorderTopLevelOnlyWhen True, record only top-level Solr queries. Queries on individual cores (including minions) are not recorded. TimestampDeltaThresholdThis parameter sets the time (in seconds) used as a threshold for identifying sensors with unsynchronized clocks. UserActivityQuotaCarbon Black EDR logs all user authentication in the PostgreSQL database. This setting defines the minimum number of authentication records that are kept. UserActivityQuotaDeltaThis parameter defines when to start trimming the number of user authentication records. It is a percentage of UserActivityQuota. ValidateApiPayloadSchemaThis parameter enables Carbon Black EDR to validate all create (POST) and update (PUT) API requests having payload against expected Swagger schemas. The validation does not apply to requests from the Carbon Black EDR console because it is a trusted source, and thus does not compromise user experience and response time. WatchlistSearchMaxTagsThis parameter determines the number of tags to set in a single watchlist search. WatchlistSearchTimeoutSSolr timeout (in seconds) for all feed/watchlist queries. YaraManagerEnabledSet this parameter to True to enable Yara Manager control in the Carbon Black EDR console. YaraManagerTokenSet this parameter to match the authentication token/keyword that is set for Yara Manager authentication in /etc/cb/integrations/cb-yara-manager/auth.conf.
