Carbon Black Cloud: Watchlist criteria for process_original_filename resulting in inaccurate hits

Article ID: 285315

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Watchlist criteria for process_original_filename are producing inaccurate hits
    • Example:
      • The IOC criteria contain process_original_filename:"x64.exe"
      • Watchlist hits occur for processes whose process_original_filename matches "*-x64.exe" (for example, any filename ending in "-x64.exe"), not only "x64.exe"

Environment

  • Carbon Black Cloud Console: All Versions
  • Enterprise EDR

Cause

The process_original_filename criterion is processed with the standard tokenizer, which splits the indexed value and the criterion on hyphens ( - ). A criterion of "x64.exe" therefore matches the "x64.exe" token produced from any hyphenated filename such as "<prefix>-x64.exe", not just the exact filename "x64.exe".

Resolution

Engineering is fixing this issue via DSER-32981 by having process_original_filename use the filename tokenizer, which does not split the criterion on hyphens ( - ), so the criterion matches the whole filename.
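To make the cause concrete, the following Python model is added here (it is not Carbon Black's code) and shows phrase matching under a hyphen-splitting tokenizer versus a whole-filename tokenizer, plus a `triage_hits` helper that separates exact hits from hyphen-induced ones in a set of watchlist hit records. Both tokenizers are deliberately simplified models of the behaviour described above, and the hit records are constructed sample data.

```python
import re

def standard_tokens(value: str) -> list[str]:
    """Simplified model of the standard tokenizer: lowercase, then split on
    hyphens and whitespace. (The real tokenizer splits on more than this.)"""
    return [t for t in re.split(r"[-\s]+", value.lower()) if t]

def filename_tokens(value: str) -> list[str]:
    """Simplified model of a filename tokenizer: the whole filename is one token,
    so hyphens never create a sub-token that a criterion can match."""
    return [value.lower().strip()]

def phrase_matches(field_value: str, criterion: str, tokenizer) -> bool:
    """Phrase-query semantics: True if the criterion's token sequence appears
    as a contiguous run inside the tokens produced from the indexed value."""
    doc, query = tokenizer(field_value), tokenizer(criterion)
    if not query or len(query) > len(doc):
        return False
    return any(doc[i:i + len(query)] == query
               for i in range(len(doc) - len(query) + 1))

# Constructed sample hits, shaped like process events with the field in question.
SAMPLE_HITS = [
    {"process_original_filename": "x64.exe", "device_name": "host-01"},
    {"process_original_filename": "setup-x64.exe", "device_name": "host-02"},
    {"process_original_filename": "Installer-X64.EXE", "device_name": "host-03"},
    {"process_original_filename": "x86.exe", "device_name": "host-04"},
]

def triage_hits(hits: list[dict], criterion: str) -> tuple[list[dict], list[dict]]:
    """Split hits into (exact, hyphen_induced).
    exact          : the filename equals the criterion (case-insensitive)
    hyphen_induced : it only matches because the standard tokenizer split on '-'
    Hits matching neither are dropped (they would not have fired on this criterion)."""
    exact, hyphen_induced = [], []
    for hit in hits:
        name = hit["process_original_filename"]
        if name.lower() == criterion.lower():
            exact.append(hit)
        elif phrase_matches(name, criterion, standard_tokens):
            hyphen_induced.append(hit)
    return exact, hyphen_induced

if __name__ == "__main__":
    exact, noisy = triage_hits(SAMPLE_HITS, "x64.exe")
    print("exact hits:", [h["device_name"] for h in exact])        # ['host-01']
    print("hyphen-induced:", [h["device_name"] for h in noisy])   # ['host-02', 'host-03']
```

Until the fix in DSER-32981 reaches your tenant, running exported hits through `triage_hits` gives a quick way to see which alerts for a hyphen-free criterion are exact matches and which were produced by the hyphen split.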