Device_username field does not have the current user

Article ID: 285011

Updated On:

Products

  • Carbon Black Cloud Enterprise EDR
  • Carbon Black Cloud Endpoint Standard

Issue/Introduction

Data Forwarder is sending the wrong username

Environment

  • Carbon Black Cloud Console
  • Carbon Black Cloud Splunk Plug-in
  • Carbon Black Cloud QRadar Plug-in
  • Carbon Black Cloud 3rd Party API Users

Cause

Alerts show the user who installed the product rather than the logged-in user.

Resolution

  • Run By has been replaced by Process username
  • Results queried through the API will be updated as the CBC plug-ins for QRadar, Splunk and other 3rd-party tools are updated to use the v7 API calls.

Additional Information

  • The v7 alert API includes a process_username field which is the user that ran the process of the alert, rather than the user that installed the device.
  • The APIs are available now; this change should appear once the plug-ins are updated.
  • More information can be found in the related content here and here.
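
An added example (not Carbon Black's code) of how a SIEM pipeline can attribute alerts to process_username when the v7 field is present and mark alerts that only carry device_username as installer-attributed. Only the two field names come from this article; the "id" key, the sample records and the assumption that both fields are plain strings are constructed for illustration.

```python
# Added example: pick the right user field when attributing forwarded alerts.
# Only device_username / process_username come from the article; rest is constructed.

def _norm(name):
    """Reduce 'DOMAIN\\user' or 'user@domain' to a lowercase account name."""
    if not name:
        return None
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name.lower() or None


def attribute_alert(alert):
    """Return (user, source, mismatch) for one alert record.

    source names the field used; mismatch is True when both fields are
    present and name different accounts.
    """
    proc = _norm(alert.get("process_username"))
    dev = _norm(alert.get("device_username"))
    if proc:
        # v7 payload: the user that ran the process behind the alert.
        return proc, "process_username", dev is not None and dev != proc
    if dev:
        # Older payload: this is the user that installed the device.
        return dev, "device_username", False
    return None, None, False


def triage(alerts):
    """Group (id, user) pairs by the field the user name was taken from."""
    report = {"process_username": [], "device_username": [], "unattributed": []}
    for a in alerts:
        user, source, _ = attribute_alert(a)
        report[source or "unattributed"].append((a.get("id"), user))
    return report


SAMPLE_ALERTS = [  # constructed records, not real API output
    {"id": "a1", "device_username": "CORP\\it-deploy", "process_username": "CORP\\jdoe"},
    {"id": "a2", "device_username": "it-deploy@corp.example"},
    {"id": "a3"},
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ALERTS).items():
        print(bucket, items)
```

Alerts that land in the device_username bucket should not be used for per-user correlation until the plug-in feeding them has moved to the v7 calls.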