EDR: Can a childproc cmd be searched against the parent?
Article ID: 287975
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Can a childproc cmdline be searched against the parent?
Environment
- EDR Console: All Versions
Resolution
No, a childproc command line cannot be searched against the parent
Let's say we have a Tree. Process_1 (Parent) > Process_2 (Process) > Process_3 (Child)
| Searchable? | |||
| Yes | parent_name:process_1 | process_name:process_2 | -cmdline(process_2) |
| Yes | parent_name:process_1 | -cmdline(process_2) | |
| No ** | parent_name:process_1 | process_name:process_2 | -cmdline(process_3) |
Additional Information
** The childproc cmdline would be searchable if the child was suppressed
- Documents are stored in Solr with linking unique ids. The documents however do not include the child command line unless it is suppressed. This is because the childproc has it's own process document and childprocs as well.
Feedback
Yes
No
Powered by
