EDR: Parent is (unknown) or Broken with a PID of -1
Article ID: 287887

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Alerts are being generated due to incorrectly parsed / missing parent (unknown) with a PID of -1 and a unique ID ending in -ffff-ffff-0000-000000000000

Environment

  • EDR: All Supported Versions
  • Windows Sensor: All Supported Versions

Cause

This is often caused by parent processes that started before the sensor did: either the parent was launched early in the boot sequence, or the sensor was installed while the parent was already running. In both cases the sensor never observed the parent, so the child is recorded with an (unknown) parent, PID -1, and a parent unique ID ending in -ffff-ffff-0000-000000000000.

Resolution

Make sure the endpoint is running the latest sensor version; newer sensors are designed to load as early as possible so they can capture processes that start early in boot. Keep in mind that the OS runs some processes before anything else, including the sensor, is allowed to start. Those processes will always appear as unknown.

For the alerts:
  • Update the watchlist query with parent_name:*. This does not cause performance issues; it tells Solr to return only documents that have a parent_name populated, so processes with an unknown parent no longer trigger the watchlist.
  • If the alert is coming from a feed report, the same approach applies: copy the query from the feed report, disable or ignore that report, create a new watchlist with the copied query, and add parent_name:* to it.
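The following is an added example, not code from Carbon Black or this article. It shows, on constructed sample documents, which process records the parent_name:* clause keeps and which it suppresses, and it amends an existing watchlist query (both as a plain query string and in the URL-encoded q=...&cb.urlver=1 form in which EDR stores a watchlist's search_query; that stored form, and the field names parent_pid and parent_unique_id, are assumptions about the document schema).

```python
"""Added example: model the effect of adding parent_name:* to an EDR
watchlist query. Not Carbon Black's code; field names parent_pid and
parent_unique_id and the q=...&cb.urlver=1 search_query layout are assumed."""
from urllib.parse import parse_qs, urlencode

# Suffix of the parent unique ID written when the sensor never saw the parent.
BROKEN_PARENT_SUFFIX = "-ffff-ffff-0000-000000000000"
PARENT_FILTER = "parent_name:*"

# Constructed sample documents, loosely shaped like EDR process search results.
SAMPLE_DOCS = [
    {"process_name": "cmd.exe", "parent_name": "explorer.exe",
     "parent_pid": 4120, "parent_unique_id": "00000001-0000-1018-01d8-3f2a1b2c3d4e"},
    {"process_name": "svchost.exe", "parent_name": None,       # parent started before the sensor
     "parent_pid": -1, "parent_unique_id": "00000001" + BROKEN_PARENT_SUFFIX},
    {"process_name": "powershell.exe", "parent_name": "",      # empty string: field not populated
     "parent_pid": -1, "parent_unique_id": "00000001" + BROKEN_PARENT_SUFFIX},
    {"process_name": "notepad.exe", "parent_name": "explorer.exe",
     "parent_pid": 4120, "parent_unique_id": "00000001-0000-1018-01d8-3f2a1b2c3d4e"},
]


def has_broken_parent(doc: dict) -> bool:
    """True when the document carries the (unknown) parent markers from the article."""
    unique_id = str(doc.get("parent_unique_id") or "")
    return doc.get("parent_pid") == -1 or unique_id.endswith(BROKEN_PARENT_SUFFIX)


def matches_parent_name_wildcard(doc: dict) -> bool:
    """Solr semantics of parent_name:* : the field must exist and be non-empty."""
    return bool(doc.get("parent_name"))


def apply_parent_filter(docs: list) -> list:
    """Documents that survive once parent_name:* is ANDed onto the watchlist."""
    return [d for d in docs if matches_parent_name_wildcard(d)]


def suppressed_by_parent_filter(docs: list) -> list:
    """Process names that would stop alerting; they should all be broken-parent docs."""
    return [d["process_name"] for d in docs if not matches_parent_name_wildcard(d)]


def add_parent_name_filter(query: str) -> str:
    """Append AND parent_name:* to a plain watchlist query, once and with grouping."""
    query = query.strip()
    if PARENT_FILTER in query.split():
        return query                      # already filtered, leave it alone
    if not query:
        return PARENT_FILTER
    return f"({query}) AND {PARENT_FILTER}"


def add_filter_to_search_query(search_query: str) -> str:
    """Amend the URL-encoded search_query form (assumed: q=<query>&cb.urlver=1)."""
    params = parse_qs(search_query, keep_blank_values=True)
    q_values = params.get("q", [""])
    params["q"] = [add_parent_name_filter(q_values[0])]
    return urlencode(params, doseq=True)


if __name__ == "__main__":
    print("suppressed:", suppressed_by_parent_filter(SAMPLE_DOCS))
    print("still alerting:", [d["process_name"] for d in apply_parent_filter(SAMPLE_DOCS)])
    print(add_parent_name_filter("process_name:cmd.exe"))
    print(add_filter_to_search_query("q=process_name%3Acmd.exe&cb.urlver=1"))
```

The two amended queries can be pasted into a watchlist directly; the URL-encoded variant is only useful if you are editing the stored search_query value rather than the query box in the console.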