Carbon Black Cloud: Inconsistent results between Alert and Investigate tab when using watchlist_name

Article ID: 287737

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Investigate tab shows results for a search with watchlist_name
  • Alerts tab shows 0 results for the same search

Environment

  • Carbon Black Cloud: All Versions

Cause

A trailing space in the watchlist_name search parameter is not handled consistently between the Investigate and Alerts tabs (DSER-32937).

Resolution

  1. Review your search string for any trailing spaces and remove them
  2. If the issue is not resolved with this change, please log a new support ticket with search examples that show the issue.

Additional Information

  • In this example, the watchlist is actually named "test"
  • watchlist_name:"test" is the correct search to use
  • watchlist_name:"test " will return hits for the "test" watchlist in the Investigate tab
  • watchlist_name:"test " will NOT return results for the "test" watchlist in the Alerts tab
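
A small Python check for the trailing-space condition described above, for reviewing saved or scripted searches before comparing results across the two tabs. It is an added example, not part of the original article or the product; the function names, the backslash-escape handling and the third sample query are assumptions made for illustration.

```python
import re

# Matches field:"value" terms. Assumption: a backslash escapes the next
# character inside the quotes, as in Lucene-style query syntax.
QUOTED_TERM = re.compile(r'(?P<field>[A-Za-z_][\w.]*):"(?P<value>(?:[^"\\]|\\.)*)"')


def rstrip_unescaped(value):
    """Drop trailing whitespace, keeping one character if it is backslash-escaped."""
    stripped = value.rstrip()
    backslashes = len(stripped) - len(stripped.rstrip("\\"))
    if backslashes % 2 == 1 and len(stripped) < len(value):
        stripped += value[len(stripped)]
    return stripped


def find_trailing_space(query, fields=("watchlist_name",)):
    """Return (field, value, offset) for quoted values ending in whitespace."""
    return [
        (m.group("field"), m.group("value"), m.start())
        for m in QUOTED_TERM.finditer(query)
        if m.group("field") in fields
        and m.group("value") != rstrip_unescaped(m.group("value"))
    ]


def fix_trailing_space(query, fields=("watchlist_name",)):
    """Return the query with trailing whitespace removed from the selected values."""
    def fix(m):
        if m.group("field") not in fields:
            return m.group(0)
        return '{}:"{}"'.format(m.group("field"), rstrip_unescaped(m.group("value")))
    return QUOTED_TERM.sub(fix, query)


# Constructed sample searches; only the first two appear in the article.
SAMPLE_QUERIES = [
    'watchlist_name:"test"',
    'watchlist_name:"test "',
    'process_name:"cmd.exe " AND watchlist_name:"test\t"',
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        for field, value, offset in find_trailing_space(q):
            print(f"{q!r}: {field} value {value!r} at offset {offset} ends in whitespace")
            print(f"  use instead: {fix_trailing_space(q)!r}")
```

Only watchlist_name is checked by default because that is the field the article reports; pass other field names in `fields` to widen the check.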