CBC: Searching for events using the netconn_failed field does not work.
Article ID: 288231
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Any query returns the same number of events whether or not the field "netconns_failed:" field is included in the query.
Environment
- CBC Console: All versions
- CBC Sensors: All versions
Cause
The feature flag "Enterprise EDR" is not enabled.
Resolution
"netconn_failed" field requires the EEDR feature.
Feedback
Yes
No
Powered by
