EDR: Process Analysis Page has no Events when Selecting a Process in Process Search in 7.5.0
Article ID: 285736
Updated On:
Products
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
When selecting a process in the process search page that has a red dot for a hit, no events are displayed in the process analysis page
Environment
- EDR Server: 7.5.0
Cause
Processes with hits are the watchlist segment, with 7.5.0 clicking a process brings you directly to the selected segment. Watchlist segments are copies of general process data and do not include events.
Resolution
Resolution:
- Upgrade to 7.5.1 once available
- When selecting a process in the process search page, do not select the process that has a red dot on the hit section. (last column)
- Try searching the process_name: AND process_pid: to narrow down the segments of that specific process
Additional Information
- CB-36223
- 7.5.0 introduces direct segment information in the process analysis page. Earlier versions would give a blanket of segments which would allow it to return results when a watchlist hit was selected. Watchlists hits create a new segment in the process document that copies the the info of the process only, not the events. In 7.5.0, when selecting the watchlist hit it takes you to the segment correctly but that segment does not have events due to the nature of the watchlist segment.
Feedback
Yes
No
Powered by
