
EDR: How to Pull Watchlist Alerts From Solr

Environment

  • EDR Server: All Supported Versions

Symptoms

Pull related alerts for a watchlist

Resolution

  1. Open an SSH session to the EDR Master server
  2. Get the affected watchlist's ID. Substitute watchlist_name with the name of the watchlist in the UI
    • psql cb -p 5002 -c "select id from watchlist_entries where name='watchlist_name'"
  3. Pull the alerts for the watchlist. Substitute id with the ID from step 2
    • curl 'http://127.0.0.1:8080/solr/cbalerts/select?q=watchlist_id%3Aid&wt=json&indent=true'

Additional Notes

  • By default the query returns only the first 10 results. To return more, append '&rows=<number_of_rows>' after '&indent=true', for example:
    • curl 'http://127.0.0.1:8080/solr/cbalerts/select?q=watchlist_id%3Aid&wt=json&indent=true&rows=20'
  • Additional filters, such as creation time, can be added to the query in URL-encoded form. This pulls all alerts created from 07/01/2019 onward:
    • curl 'http://127.0.0.1:8080/solr/cbalerts/select?q=watchlist_id%3Aid+AND+created_time%3A\[2019-07-01T00%3A00%3A00.000Z+TO+*\]&wt=json&indent=true'
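The steps and notes above combined into one script, as an added example that is not part of the original article: it looks up the watchlist ID, builds the Solr URL with the optional row count and created_time filter already percent-encoded, and counts the matches from the response. It assumes the same local endpoints as the article (psql on port 5002, Solr on 127.0.0.1:8080) and uses a constructed sample response for the count parser.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the article's endpoints:
# PostgreSQL on port 5002 and Solr on http://127.0.0.1:8080.
SOLR_BASE="http://127.0.0.1:8080/solr/cbalerts/select"

# Step 2: look up a watchlist's ID by its UI name. -A (unaligned) and -t (tuples only)
# return just the number. Single quotes in the name are doubled so a name such as
# O'Brien cannot break out of the SQL string literal.
watchlist_id() {
    name=$(printf '%s' "$1" | sed "s/'/''/g")
    psql cb -p 5002 -At -c "select id from watchlist_entries where name='$name'"
}

# Build the Solr query URL. $1 = watchlist ID, $2 = rows (Solr's default is 10),
# $3 = optional earliest created_time as YYYY-MM-DD. ":" is encoded as %3A like the
# article's commands; "[" and "]" are encoded as %5B/%5D so curl's own bracket
# globbing never sees them (the article escapes them with backslashes instead).
solr_alert_url() {
    id=$1; rows=${2:-10}; since=$3
    q="watchlist_id%3A${id}"
    if [ -n "$since" ]; then
        q="${q}+AND+created_time%3A%5B${since}T00%3A00%3A00.000Z+TO+*%5D"
    fi
    printf '%s?q=%s&wt=json&indent=true&rows=%s\n' "$SOLR_BASE" "$q" "$rows"
}

# Step 3: fetch the alerts. Same arguments as solr_alert_url.
fetch_alerts() {
    curl -s "$(solr_alert_url "$@")"
}

# Read a Solr JSON response on stdin and print the total number of matching alerts
# (the standard Solr "numFound" header), regardless of how many rows were returned.
num_found() {
    sed -n 's/.*"numFound":\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample response (not real EDR output) in the shape Solr returns with
# wt=json&indent=true, used here to exercise num_found offline.
SAMPLE_RESPONSE='{
  "responseHeader":{"status":0,"QTime":3},
  "response":{"numFound":12,"start":0,"docs":[
      {"watchlist_id":"42","created_time":"2019-07-02T10:15:00.000Z"}]
  }}'

# Usage on the EDR Master server:
#   fetch_alerts "$(watchlist_id 'My Watchlist')" 50 2019-07-01 | num_found
```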


Article Information
Creation Date: 09-09-2020