CB Response: How to write a process search query to include multiple negative arguments
Article ID: 288246
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to write a query to include multiple negative arguments.
Environment
- CB Response Console: 6.0.1 and Higher
Resolution
There are two methods:
- q=filemod:c:\windows\System32* AND -(path:c:\windows\* AND process_name:tentacle.exe AND process_name:cacheclearconsole.exe AND process_name:flufferconsole.exe AND process_name:monitoringhost.exe AND username:SYSTEM AND process_name:configsecuritypolicy.exe AND username:SYSTEM AND process_name:healthservice.exe)
- q=filemod:c:\windows\System32* AND (-path:c:\windows\* AND -process_name:tentacle.exe AND -process_name:cacheclearconsole.exe AND -process_name:flufferconsole.exe AND -process_name:monitoringhost.exe AND -username:SYSTEM AND -process_name:configsecuritypolicy.exe AND -username:SYSTEM AND -process_name:healthservice.exe)
Feedback
Yes
No
Powered by
