Carbon Black Console: Why are there inaccurate results when using negation on process_publisher_state queries?
Article ID: 287847
Updated On:
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Why are queries returning processes that have a trusted signature or a verified signature, when querying negation on process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED
Environment
- Carbon Black Cloud Web Console: All Versions
- Enterprise EDR
- Carbon Black Cloud Microsoft Windows Sensor: All Supported Versions
Resolution
- Querying the negation of a process_publisher_state value, will return all states which does not equal that particular state.
- At this time, there are 10 different values for the state, so negating only one value means that the results will be for events in the other 9 states
Additional Information
- The 10 process_publisher_state states are listed below:
- FILE_SIGNATURE_STATE_INVALID
- FILE_SIGNATURE_STATE_SIGNED
- FILE_SIGNATURE_STATE_VERIFIED
- FILE_SIGNATURE_STATE_NOT_SIGNED
- FILE_SIGNATURE_STATE_UNKNOWN
- FILE_SIGNATURE_STATE_CHAINED
- FILE_SIGNATURE_STATE_TRUSTED
- FILE_SIGNATURE_STATE_OS
- FILE_SIGNATURE_STATE_CATALOG_SIGNED
- UNRECOGNIZED
- Example:
-
process_name:schtasks.exe AND -process_publisher_state:FILE_SIGNATURE_STATE_SIGNED
- Returns all schtasks.exe events with process_publisher_state of:
- FILE_SIGNATURE_STATE_INVALID
- FILE_SIGNATURE_STATE_VERIFIED
- FILE_SIGNATURE_STATE_NOT_SIGNED
- FILE_SIGNATURE_STATE_UNKNOWN
- FILE_SIGNATURE_STATE_CHAINED
- FILE_SIGNATURE_STATE_TRUSTED
- FILE_SIGNATURE_STATE_OS
- FILE_SIGNATURE_STATE_CATALOG_SIGNED
- UNRECOGNIZED
- Search can either be to search for process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED or negate every state that is not desired in results.
-
Feedback
Yes
No
Powered by
