CB Response: Why do the Numbers Differ on Triage Alerts Page from Process or Binary Search Pages?

Article ID: 287379


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why do the Numbers Differ on Triage Alerts Page from Process or Binary Search Pages?

Environment

  • CB Response Server: All Supported Versions

Resolution

  • Ensure that 'group-by process' is selected; this gives a count much closer to the one on the Triage Alerts page.
    • With 'group-by process' unchecked, the process search lists every segment that matches the query. A single process can be stored as many segments, so the result count can be far larger than the actual number of processes.
  • Even with 'group-by process' checked, count discrepancies can still be observed because feeds change over time: a process may have produced a feed hit when the alert was generated, but the feed may since have changed so that the same process no longer produces a hit. The inverse can also happen, where a process that did not alert earlier matches the feed now.
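The following Python model is an added example and is not code from the Carbon Black EDR product or this article. It uses constructed segment records and feed contents (the field names 'process_guid', 'segment_id' and 'md5', and the feed names, are assumptions made for illustration) to show both effects described above: the per-segment count when 'group-by process' is unchecked versus the per-process count when it is checked, and how a feed change between alert time and search time leaves the grouped count looking plausible while the underlying set of processes has shifted.

```python
from collections import defaultdict

# Constructed process segments (field names are assumptions, not the product's
# schema). A long-running process is stored as several segments, each of which
# matches a query on its own.
SEGMENTS = [
    {"process_guid": "proc-A", "segment_id": 1, "md5": "md5-1"},
    {"process_guid": "proc-A", "segment_id": 2, "md5": "md5-1"},
    {"process_guid": "proc-A", "segment_id": 3, "md5": "md5-1"},
    {"process_guid": "proc-B", "segment_id": 1, "md5": "md5-3"},
    {"process_guid": "proc-C", "segment_id": 1, "md5": "md5-2"},
    {"process_guid": "proc-C", "segment_id": 2, "md5": "md5-2"},
    {"process_guid": "proc-D", "segment_id": 1, "md5": "md5-4"},
]

# Constructed feed contents at two points in time: indicator md5-1 was retired
# from feedX after the alerts fired, and md5-4 was added to feedY.
FEED_AT_ALERT_TIME = {"feedX": {"md5-1", "md5-2"}, "feedY": {"md5-3"}}
FEED_NOW = {"feedX": {"md5-2"}, "feedY": {"md5-3", "md5-4"}}


def matching_segments(segments, feeds):
    """Segments whose hash appears in any feed's indicator set."""
    return [s for s in segments if any(s["md5"] in iocs for iocs in feeds.values())]


def count_ungrouped(segments, feeds):
    """'group-by process' unchecked: every matching segment is one result row."""
    return len(matching_segments(segments, feeds))


def count_grouped(segments, feeds):
    """'group-by process' checked: one result row per distinct process."""
    return len({s["process_guid"] for s in matching_segments(segments, feeds)})


def feed_hits(segments, feeds):
    """Map process_guid -> set of feed names that match any of its segments."""
    hits = defaultdict(set)
    for s in segments:
        for name, iocs in feeds.items():
            if s["md5"] in iocs:
                hits[s["process_guid"]].add(name)
    return dict(hits)


def reconcile(segments, feeds_then, feeds_now):
    """Compare the processes that alerted at the time with those that match now.

    Returns the two counts plus the processes that explain any difference:
    'stale' alerted earlier but no longer match, 'new' match now but never alerted.
    """
    then = set(feed_hits(segments, feeds_then))
    now = set(feed_hits(segments, feeds_now))
    return {
        "alerted_then": len(then),
        "match_now": len(now),
        "stale": sorted(then - now),
        "new": sorted(now - then),
    }


if __name__ == "__main__":
    print("ungrouped at alert time:", count_ungrouped(SEGMENTS, FEED_AT_ALERT_TIME))
    print("grouped at alert time:  ", count_grouped(SEGMENTS, FEED_AT_ALERT_TIME))
    print("ungrouped now:          ", count_ungrouped(SEGMENTS, FEED_NOW))
    print("grouped now:            ", count_grouped(SEGMENTS, FEED_NOW))
    print("reconciliation:         ", reconcile(SEGMENTS, FEED_AT_ALERT_TIME, FEED_NOW))
```

With this data the ungrouped search returns 6 rows for only 3 processes, which is the first discrepancy. After the feed change the grouped count is still 3, yet proc-A has dropped out and proc-D has appeared, which is why a grouped count that looks right can still disagree with the alert list; listing the 'stale' and 'new' processes, rather than comparing totals, is the check that actually explains the gap.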