CBC Data Forwarder: The custom query filter's "process_username" field does not seem to be filtering.
Article ID: 288181
Updated On:
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
For example, this custom query for the user "system" does not filter:
process_username:system
Environment
- Carbon Black Cloud Backend: 1.20 (as of December, 2023)
- Carbon Black Cloud Sensor: All versions
Cause
There are a few syntax differences between the Data Forwarder custom query tool and the Investigate/Watchlist pages.
One of those is that the process_username is NOT tokenized in the Data Forwarder custom query.
So for this case, "system" will not be a match for, say, "NT AUTHORITY\SYSTEM"
One of those is that the process_username is NOT tokenized in the Data Forwarder custom query.
So for this case, "system" will not be a match for, say, "NT AUTHORITY\SYSTEM"
Resolution
For the Data Forwarder, use wildcards to match the entire string as so:
process_username:*\\system
Feedback
Yes
No
Powered by
