search effectiveness triage - handling the pound ('#') sign
Article ID: 253344
Updated On:
Products
Endpoint Detection and Response
Issue/Introduction
Search query: process.file.name:rundll32.exe AND process.cmd_line:"#1"
Search results: Finds filenames which includes not only "#1" but also just plain "1"
Environment
Release : 4.6.8
Resolution
Broadcom Engineering confirmed that the # symbol is a reserved keyword for search queries on the EDR Search page. The "#" symbol is interpreted as "no string" or "null string" within the query.
Feedback
Yes
No
Powered by
