EDR: Negation of Some Binary Term Searches May Provide Inaccurate Results in EDR 7.7.x
Article ID: 287646

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Searches using some binary terms (digsig_publisher or file_desc) combined with negation of a term group containing spaces may return inaccurate results. Other binary search terms, such as md5, work as expected.
Examples:
digsig_publisher:M* and -group:"Default Group"
or
file_desc:M* and -(group:"Research Network")

Environment

EDR Servers: 7.7.2 to 7.8.0

Cause

Still under investigation.

Resolution

  • The fix is expected in EDR Server 7.8.1.
  • Potential workaround: Run the search without the negation to obtain the full result set, then run a second search that uses positive terms for the groups you intended to exclude, and subtract the second result set from the first.
For example, using the same time frame for both searches:
Search 1: digsig_publisher:M*
Search 2: digsig_publisher:M* and (group:"Group1" or group:"Group2")
Removing the results of Search 2 from the results of Search 1 provides the correct results.
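The following Python is an added illustration of the workaround above, not code from the article or from Carbon Black. It builds the two searches from a base query and the groups to exclude, and subtracts one result set from the other. It assumes binary search results are dictionaries carrying an md5 field (md5 is a binary search term the article mentions); the sample results are constructed placeholders, not real data.

```python
from typing import Iterable


def quote_term(field: str, value: str) -> str:
    """Render field:"value" so group names containing spaces stay one term."""
    return f'{field}:"{value}"'


def build_workaround_queries(base_query: str, excluded_groups: Iterable[str]) -> tuple:
    """Return (search_1, search_2): the un-negated search and the positive-term search."""
    groups = list(excluded_groups)
    if not groups:
        raise ValueError("at least one group to exclude is required")
    positive = " or ".join(quote_term("group", g) for g in groups)
    return base_query, f"{base_query} and ({positive})"


def subtract_results(search1_results: list, search2_results: list, key: str = "md5") -> list:
    """Remove from Search 1 every binary that Search 2 returned (matched on md5)."""
    excluded = {r[key] for r in search2_results}
    return [r for r in search1_results if r[key] not in excluded]


def workaround_demo() -> list:
    """Constructed sample: three binaries, two of them in groups we want to exclude."""
    # Placeholder md5 values, constructed for this example only.
    search1 = [
        {"md5": "00000000000000000000000000000001", "group": "Default Group"},
        {"md5": "00000000000000000000000000000002", "group": "Research Network"},
        {"md5": "00000000000000000000000000000003", "group": "Group1"},
    ]
    # Search 2 (positive terms) returns only the binaries in the excluded groups.
    _, search2_query = build_workaround_queries(
        "digsig_publisher:M*", ["Default Group", "Research Network"]
    )
    search2 = [r for r in search1 if r["group"] in ("Default Group", "Research Network")]
    print("Search 2 query:", search2_query)
    return subtract_results(search1, search2)


if __name__ == "__main__":
    for binary in workaround_demo():
        print(binary)
```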


Additional Information

  • CB-41672