EEDR: Why do Queries and Watchlists Using Child Negation Still Show Hits With Parents Containing the Negated Child Processes?
Article ID: 288150
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Why do queries and watchlists using child negation still show hits for parent processes that do have the negated child process?
Environment
Enterprise EDR Console
Resolution
A watchlist only evaluates the child process search condition within a one-hour time window.
This can produce what look like inaccurate hits when long-lived processes are searched on, because child processes outside that window are not considered.
The one-hour window applies equally to long-lived processes and to searches that combine multiple conditions.
Additional Information
For example, the following query might be read as "find any process named spoolsv.exe which does NOT have a child process named splwow64.exe":
(process_name:spoolsv.exe childproc_count:[1 TO *] -childproc_name:splwow64.exe)
In this example, a hit may be reported for a spoolsv.exe whose splwow64.exe child process occurred days ago. This is correctly considered a hit, since there was no splwow64.exe child process within the one-hour window.
By contrast, process search windows are typically longer and vary in length.
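As an added illustration, and not Carbon Black code, the following Python models the evaluation described above: the same parent and child history is judged once with the one-hour watchlist window and once over the full history, as a process search would see it. The helper.exe child, the timestamps, and the exact boundary handling of the window are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data: one spoolsv.exe parent and its child-process events.
# The helper.exe child and all timestamps are invented for illustration.
PARENT = {"process_name": "spoolsv.exe", "start": datetime(2023, 1, 1, 0, 0)}
CHILDREN = [
    {"name": "splwow64.exe", "start": datetime(2023, 1, 1, 9, 0)},   # days before evaluation
    {"name": "helper.exe",   "start": datetime(2023, 1, 4, 8, 30)},  # inside the window
]
ONE_HOUR = timedelta(hours=1)


def matches_negated_child(parent, children, evaluated_at, window=None):
    """Model the query
         process_name:spoolsv.exe childproc_count:[1 TO *] -childproc_name:splwow64.exe

    With a window, only children started in (evaluated_at - window, evaluated_at]
    are considered, which is how the article describes watchlist evaluation
    (the boundary handling is an assumption).  With window=None every child in
    the process history counts, as a longer process search window would."""
    if parent["process_name"] != "spoolsv.exe":
        return False
    if window is not None:
        low = evaluated_at - window
        children = [c for c in children if low < c["start"] <= evaluated_at]
    if len(children) < 1:                       # childproc_count:[1 TO *]
        return False
    # -childproc_name:splwow64.exe: no considered child may be splwow64.exe
    return not any(c["name"] == "splwow64.exe" for c in children)


def demo():
    """Return (watchlist_hit, full_history_hit) for the sample at a fixed time."""
    now = datetime(2023, 1, 4, 9, 0)
    return (
        matches_negated_child(PARENT, CHILDREN, now, window=ONE_HOUR),
        matches_negated_child(PARENT, CHILDREN, now, window=None),
    )


if __name__ == "__main__":
    watchlist_hit, search_hit = demo()
    print(f"watchlist (1h window) hit: {watchlist_hit}")   # True: old splwow64.exe is outside
    print(f"full-history hit:          {search_hit}")      # False: splwow64.exe is a child
```

The watchlist result is True because the only child inside the hour is helper.exe, exactly the situation the article calls a correct hit; over the full history the splwow64.exe child is seen and the negation fails.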