Carbon Black Cloud: Watchlist criteria for process_original_filename resulting in inaccurate hits
Article ID: 285315
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Watchlist criteria for process_original_filename receive inaccurate hits.
Example:
IOC criteria contain process_original_filename:"x64.exe"
Watchlist hits occur for process_original_filename: "*-x64.exe"
Environment
Carbon Black Cloud Console: All Versions
Enterprise EDR
Cause
The process_original_filename criteria use the standard tokenizer, which splits the criteria on hyphens ( - ). A criterion of "x64.exe" therefore also matches any filename whose hyphen-separated tail is "x64.exe", such as "installer-x64.exe".
Resolution
Engineering is fixing this issue via DSER-32981 by having process_original_filename use the filename tokenizer, which does not split the criteria on hyphens ( - ).
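As an added illustration (not part of this article, and not the console's own analyzer code): a simplified Python model of the two tokenization behaviours described in the Cause and Resolution sections, run over constructed filenames, plus a check a defender can apply to existing watchlist hits to flag those where the original filename is not an exact match for the criterion. The two tokenizer functions are assumptions that model only the hyphen-splitting behaviour the article names; the sample filenames are constructed.

```python
import re
from typing import Callable, List

# Constructed sample data (not from the article): one watchlist criterion and
# a handful of process_original_filename values seen in process events.
CRITERION = "x64.exe"
SAMPLE_FILENAMES = [
    "x64.exe",            # exact match: a legitimate hit
    "installer-x64.exe",  # hyphenated: hits only under the standard tokenizer
    "tool-x64.exe",       # hyphenated: hits only under the standard tokenizer
    "x64.exe.bak",        # different filename: should never hit
    "x86.exe",            # different filename: should never hit
]


def standard_tokenize(value: str) -> List[str]:
    """Assumed, simplified model of the 'standard' tokenizer: case-fold and
    split on hyphens (and whitespace). This is the behaviour the article
    describes, not a reproduction of the real analyzer."""
    return [t for t in re.split(r"[-\s]+", value.lower()) if t]


def filename_tokenize(value: str) -> List[str]:
    """Assumed, simplified model of the 'filename' tokenizer: the whole
    filename is emitted as a single token, so hyphens are never split."""
    v = value.strip().lower()
    return [v] if v else []


def matches(criterion: str, filename: str,
            tokenizer: Callable[[str], List[str]]) -> bool:
    """Term-match semantics: the indexed value hits if any of its tokens
    equals any token produced from the criterion."""
    crit_tokens = set(tokenizer(criterion))
    return any(t in crit_tokens for t in tokenizer(filename))


def evaluate(criterion: str, filenames: List[str],
             tokenizer: Callable[[str], List[str]]) -> List[str]:
    """Return the filenames that would produce a watchlist hit."""
    return [f for f in filenames if matches(criterion, f, tokenizer)]


def suspect_hits(criterion: str, hits: List[str]) -> List[str]:
    """Defender-side triage: flag hits whose original filename is not an
    exact (case-insensitive) match for the criterion. Under the standard
    tokenizer these are the tokenizer-induced false positives."""
    return [h for h in hits if h.lower() != criterion.lower()]


if __name__ == "__main__":
    std_hits = evaluate(CRITERION, SAMPLE_FILENAMES, standard_tokenize)
    fn_hits = evaluate(CRITERION, SAMPLE_FILENAMES, filename_tokenize)
    print("standard tokenizer hits:", std_hits)
    print("filename tokenizer hits:", fn_hits)
    print("hits to re-check:       ", suspect_hits(CRITERION, std_hits))
```

Until the fix ships, the same comparison can be applied to exported watchlist hits: any hit whose process_original_filename differs from the criterion text is a candidate for the hyphen-splitting behaviour rather than a true match.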