All clusters added to Carbon Black EDR Unified View are potentially available (connected) for global process and binary searches.
Several factors determine which clusters are available for searches and single-cluster views. Some factors affect allCarbon Black EDR Unified View users, and some are specific to individual users:
-
Was the cluster added to Carbon Black EDR Unified View? – On the Cluster Management page, a cluster must be configured for connection to Carbon Black EDR Unified View by an administrator before it becomes available. See Add Clusters.
-
Is the cluster connection enabled for this Carbon Black EDR Unified View server? – On the Cluster Management page, administrators can temporarily disconnect a cluster for all users without deleting it. This prevents its data from being available in searches and also presents access via single-cluster view. Temporarily removing a cluster from searches can be helpful in certain situations, such as when you need to improve performance during heavy usage periods, to perform scheduled maintenance on a cluster, or to narrow searches to a particular set of clusters. See Cluster Connection Status.
-
Is the cluster connection enabled for this user? – On the My Profile/My Cluster page, individual users can enable and disable inclusion of available clusters in their searches. See Select Clusters for Personal Global Searches.
-
What permissions does the API token provide on the cluster? – The API token specifies the cluster user whose permissions are used for access to that cluster. If the cluster is configured to use a shared token for all users, that API token is specified on the Cluster Management page. If the cluster is set up to use individual tokens for each user, the token is specified on the user’s My Profile/My Clusters page.
For a Carbon Black EDR Unified View user to have access to cluster data, the user whose API token is used for authentication must have access to that data. Cluster user accounts can be set up to give the user access to some sensor groups and not others. In this case, only data from the permitted sensor groups can be searched by the Carbon Black EDR Unified View user authenticated through that API token. See the Carbon Black EDR User Guide for details on user permissions and sensor groups.