Device_username field does not have the current user
Article ID: 285011
Updated On:
Products
Carbon Black Cloud Enterprise EDR
Carbon Black Cloud Endpoint Standard
Issue/Introduction
Data Forwarder is sending the wrong username
Environment
Carbon Black Cloud Console
Carbon Black Cloud Splunk Plug-in
Carbon Black Cloud QRadar Plug-in
Carbon Black Cloud 3rd Party API Users
Cause
Alerts show the user who installed the product rather than the logged-in user.
Resolution
Run By has been replaced by Process username
Results queried through the API will be updated as the CBC plug-ins for QRadar, Splunk and other 3rd-party tools are updated to use the API v7 calls.
Additional Information
The v7 alert API includes a process_username field which is the user that ran the process of the alert, rather than the user that installed the device.
The APIs are available now, and this change should appear once the plug-ins are updated.
More information can be found in the related content here and here.
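For consumers that parse alerts themselves, the field change described above can be handled as in the following added example (not Carbon Black or plug-in code). It attributes each alert to `process_username` when present and flags records that still carry only `device_username`; the sample records are constructed, and the `id` key and the tolerance for a list-valued field are assumptions.

```python
import json

# Constructed sample alerts, one JSON object per line (not real product output).
# Only device_username and process_username come from the article; "id" is a
# hypothetical key used to tell the records apart.
SAMPLE_ALERTS = r"""
{"id": "a1", "device_username": "CORP\\svc_deploy", "process_username": "CORP\\jdoe"}
{"id": "a2", "device_username": "CORP\\svc_deploy"}
{"id": "a3", "device_username": "CORP\\svc_deploy", "process_username": "NT AUTHORITY\\SYSTEM"}
{"id": "a4", "device_username": "CORP\\asmith", "process_username": "corp\\ASmith"}
"""

def attribute_user(alert):
    """Return (user, source_field) for one alert dict."""
    proc = alert.get("process_username")
    if isinstance(proc, list):  # assumption: tolerate a list-valued field
        proc = next((p for p in proc if p), None)
    if isinstance(proc, str) and proc.strip():
        return proc.strip(), "process_username"
    dev = alert.get("device_username")
    if isinstance(dev, str) and dev.strip():
        return dev.strip(), "device_username"
    return None, "none"

def triage(raw):
    """Parse newline-delimited alerts and report how each user was attributed."""
    results = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        user, source = attribute_user(alert)
        dev = (alert.get("device_username") or "").strip()
        results.append({
            "id": alert.get("id"),
            "user": user,
            "source": source,
            # Only the install-time user is known: treat attribution as weak.
            "install_user_only": source == "device_username",
            # The process user is someone other than the device's install user.
            "differs_from_device_user": source == "process_username"
            and user.casefold() != dev.casefold(),
        })
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Records with `install_user_only` set are the ones where a correlation rule keyed on username would still point at the installing account.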