CB ThreatHunter: What is Value Search?

Article ID: 287071

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

What is Value Search?

Environment

  • CB ThreatHunter Web Console: All Versions

Resolution

  • Value Search is an expansion of the existing search functionality found on the Investigate and Process Analysis search bars that allows users to search without having to specify the field name
    • For example, searching for "chrome.exe" previously returned an error, but now searches across all fields where a filename is relevant
    • Fields include all fields with "process", "proc", "reputation", and "hash" in their name, netconn_ipv4, netconn_ipv6, sensor_action and crossproc_action

Additional Information

  • Value Search also supports boolean operators "AND", "OR", and "NOT" as well as wildcards
  • Any queries that include Value Search terms cannot be saved as a Threat Report
  • Queries that include terms missing field names will return the following error if there is an attempt to save the query as a Threat Report
    Search Fields are required to add queries to a watchlist report.
  • Wildcard Value Searches have the following restrictions:
    • Wildcard characters cannot appear in the first 2 characters of a Value Search
    • Hashes and guids do not support wildcards
    • Identifiers used in fields such as "ttp", "process_publisher_state" and "reputation" do not support wildcards
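As an added example (not part of this article or of the product itself), a small pre-flight checker that applies the rules listed above to a query string, so an analyst can see before saving a Threat Report which terms are field-less Value Search terms and which wildcards the console will reject. The tokenizer, the field-name pattern and the hash/guid heuristic are constructed assumptions, not the console's real parser.

```python
import re

# Added example (not from the article): pre-flight check of a query against the Value
# Search rules above. Assumptions (constructed): an unquoted term with exactly one ':' is
# field:value; a quoted value may follow a field name; a bare term with two or more
# colons is an IPv6 address (netconn_ipv6 Value Search), not a field name.

OPERATORS = {"AND", "OR", "NOT", "(", ")"}
NO_WILDCARD_FIELDS = {"ttp", "process_publisher_state", "reputation"}  # from the article
TOKEN_RE = re.compile(r'\(|\)|(?:[A-Za-z_][\w.]*:)?"[^"]*"|[^\s()"]+')
FIELD_RE = re.compile(r"[A-Za-z_][\w.]*")
WILDCARD_RE = re.compile(r"[*?]")

def split_term(tok):
    """Return (field, value); field is None for a field-less Value Search term."""
    field, sep, value = tok.partition(":")
    if sep and FIELD_RE.fullmatch(field) and not (tok.count(":") > 1 and '"' not in tok):
        return field, value.strip('"')
    return None, tok.strip('"')

def terms(query):
    return [split_term(t) for t in TOKEN_RE.findall(query) if t not in OPERATORS]

def value_search_terms(query):
    return [value for field, value in terms(query) if field is None]

def can_save_as_threat_report(query):
    # Any field-less term triggers "Search Fields are required to add queries to a watchlist report."
    return not value_search_terms(query)

def looks_like_hash_or_guid(value):
    # Heuristic (constructed): a long run of hex digits/dashes once wildcards are removed.
    core = WILDCARD_RE.sub("", value)
    return len(core) >= 16 and re.fullmatch(r"[0-9a-fA-F-]+", core) is not None

def wildcard_violations(query):
    """List the article's wildcard restrictions that the query breaks."""
    problems = []
    for field, value in terms(query):
        if not WILDCARD_RE.search(value):
            continue
        if field is None:
            if WILDCARD_RE.search(value[:2]):
                problems.append(f"{value}: wildcard in first 2 characters of a Value Search")
            if looks_like_hash_or_guid(value):
                problems.append(f"{value}: hashes and guids do not support wildcards")
        elif field in NO_WILDCARD_FIELDS:
            problems.append(f"{field}:{value}: identifiers in this field do not support wildcards")
    return problems
```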