CB Response: Why do Procend or Procstarts still send from cb-event-forwarder when disabled?

Article ID: 287896

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why do Procend or Procstarts still send from cb-event-forwarder when disabled?

Environment

  • Carbon Black Response Server: All Versions
  • Carbon Black Event Forwarder: All Versions

Cause

The procend and procstart event types are synthetic: cb-event-forwarder creates them itself from events of event_type "process" rather than receiving them as distinct types from the server. Each process event carries a bit that identifies whether the process was "created"; if it was, the forwarder overrides the type to procstart, otherwise to procend. However, when composing the outbound event for the SIEM, the forwarder checks the subscription against "process", not against "procend" or "procstart".
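The following is an added illustration of the behaviour described above; it is a constructed model, not cb-event-forwarder's own code, and the type, field and function names are assumptions. It shows the type override from "process" to procstart/procend next to the subscription check that still keys on the ingress alias, alongside a variant that keys on the synthesized type, so the effect of each toggle is visible:

```go
package main

import "fmt"

// Constructed model of the behaviour the article describes; this is not
// cb-event-forwarder's own code. Type, field and function names are assumptions.

// ProcessEvent is a minimal stand-in for an incoming event_type "process"
// message. Created mirrors the bit that distinguishes a start from an end.
type ProcessEvent struct {
	Type    string // always "process" at ingress
	Created bool   // true -> procstart, false -> procend
	Pid     int
}

// Subscriptions models which outbound event types are enabled in the config.
type Subscriptions map[string]bool

// synthesizeType applies the override the article describes: the raw
// "process" type becomes "procstart" when the created bit is set, else "procend".
func synthesizeType(ev ProcessEvent) string {
	if ev.Created {
		return "procstart"
	}
	return "procend"
}

// shouldSendIngressAlias reproduces the described (as-designed) check: the
// subscription is looked up under the ingress alias "process", so disabling
// procstart or procend alone does not suppress either event.
func shouldSendIngressAlias(subs Subscriptions, ev ProcessEvent) bool {
	_ = synthesizeType(ev) // computed for the outbound type, not consulted here
	return subs[ev.Type]
}

// shouldSendSynthesized checks the subscription against the synthesized
// outbound type instead, which is what the per-type toggle would be expected to do.
func shouldSendSynthesized(subs Subscriptions, ev ProcessEvent) bool {
	return subs[synthesizeType(ev)]
}

func main() {
	// Constructed config: procend disabled, process and procstart left enabled.
	subs := Subscriptions{"process": true, "procstart": true, "procend": false}
	end := ProcessEvent{Type: "process", Created: false, Pid: 4242}
	fmt.Println("procend sent (ingress alias check):", shouldSendIngressAlias(subs, end))
	fmt.Println("procend sent (synthesized type check):", shouldSendSynthesized(subs, end))
}
```

In this model the only subscription key that suppresses both synthetic events under the ingress-alias check is "process" itself, which matches the article's note that they use that alias at ingress.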

Resolution

When Procend or Procstart is disabled in cb-event-forwarder, both events will still be sent, because they are admitted under the alias "process" at the ingress of the event pipeline. This is currently working as designed.

Additional Information

Please contact Support for the hotfix build.

Jira: CRE-21463