EDR Lastline Connector: When using binary_filter_query for multiple options the results only return the first parameter
Article ID: 287381

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

When multiple terms are used in the binary_filter_query field of the /etc/cb/integrations/lastline/connector.conf file, only the first term is taken into consideration. As an example:
binary_filter_query=md5:098f6bcd4621d373cade4e832627b4f6 or md5:b45cffe084dd3d20d928bee85e7b0f21 or md5:d55669822f1a8cf72ec1911e462a54eb or md5:317cea28a02172901a8da2711511b0eb
Environment

  • EDR Lastline Connector: All Supported Versions

Cause

Written as above, the binary_filter_query value forms multiple separate clauses, and the query is cut short once the first item is satisfied, so the remaining md5 terms are never evaluated.

Resolution

  • The form above is not the intended usage of the binary_filter_query parameter, but it can be worked around by grouping the terms in parentheses so they are treated as a single clause, as in the query below:
binary_filter_query=(md5:098f6bcd4621d373cade4e832627b4f6 or md5:b45cffe084dd3d20d928bee85e7b0f21 or md5:d55669822f1a8cf72ec1911e462a54eb or md5:317cea28a02172901a8da2711511b0eb)
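The following is an added example, not part of this article or of the Lastline connector itself: a small check that reads a connector.conf-style file, finds a binary_filter_query made of several top-level "or" terms that are not grouped in parentheses, and prints the grouped form shown above. It assumes the file is INI-style and uses a section named [bridge] (both assumptions; the sample configuration is constructed).

```python
import configparser

# Constructed sample of /etc/cb/integrations/lastline/connector.conf using the
# ungrouped value from the article. The [bridge] section name is an assumption.
SAMPLE_CONF = """[bridge]
binary_filter_query=md5:098f6bcd4621d373cade4e832627b4f6 or md5:b45cffe084dd3d20d928bee85e7b0f21 or md5:d55669822f1a8cf72ec1911e462a54eb or md5:317cea28a02172901a8da2711511b0eb
"""


def top_level_or_terms(query: str) -> list:
    """Split the query on ' or ' (case-insensitive) only at parenthesis depth 0,
    so a value already wrapped in parentheses counts as a single term."""
    terms, depth, start, i = [], 0, 0, 0
    low = query.lower()
    while i < len(query):
        ch = query[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and low.startswith(" or ", i):
            terms.append(query[start:i].strip())
            i += 4
            start = i
            continue
        i += 1
    terms.append(query[start:].strip())
    return [t for t in terms if t]


def needs_grouping(query: str) -> bool:
    """True when several 'or' terms sit at the top level without parentheses."""
    return len(top_level_or_terms(query)) > 1


def group_query(query: str) -> str:
    """Return the parenthesised form from the Resolution, or the value unchanged."""
    q = query.strip()
    return f"({q})" if needs_grouping(q) else q


def check_conf(text: str, section: str = "bridge") -> dict:
    """Read binary_filter_query from the given section and report the suggested value."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    q = cp.get(section, "binary_filter_query", fallback="")
    return {"original": q, "ungrouped": needs_grouping(q), "suggested": group_query(q)}


if __name__ == "__main__":
    result = check_conf(SAMPLE_CONF)
    if result["ungrouped"]:
        print("binary_filter_query has ungrouped 'or' terms; suggested value:")
        print("binary_filter_query=" + result["suggested"])
```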