Audit and Remediation: How long does a query take to run?

Audit and Remediation: How long does a query take to run?

Environment

  • Carbon Black Cloud Console: 0.38 Release and higher
    • Audit and Remediation
  • Carbon Black Cloud Linux Sensor: 2.3.x.x and Higher
  • Carbon Black Cloud macOS Sensor: 3.3.x.x and Higher
  • Carbon Black Cloud Windows Sensor: 3.3.x.x and Higher

Question

How long does a query take to run after it's been executed?

Answer

The time a query takes to return results is variable depending on several factors. It could take a few seconds, to several minutes or more. This is expected behavior.

Additional Notes

  • All communication between the Sensor and Console is initiated by the Sensor
  • All actions taken in the Console are queued as hints for Sensors to pick up and act upon during regular check-in intervals
  • No action taken in the Console is a command or sent in real-time
  • Live Query result response speeds can depend on several factors:
    • Other events on the sensor may have send priority above returning Live Query results.
    • Queries that are compute intensive ( such as selecting all hashes from a computer, selecting all files from the C drive) will take a long time to return results in most cases.
    • Queries will take longer during sensor busy periods such as a new installation, or the sensor just starting up.
    • A one-time query will run for up to 7 days or until complete.
    • A scheduled query will run until the next scheduled query or until complete.
    • A query will be complete when the number of responses is equal to the amount of sensors that had checked in within 7 days of the query starting.

 


Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎09-11-2018
Views:
701
Contributors