EDR: Fileless_Scriptload_Cmdline Searches not Working as Expected
Article ID: 288273
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Example:
The following query does not return any results
fileless_scriptload_cmdline:Net.WebClient
To get the results the following will work
fileless_scriptload_cmdline:*Net.WebClient*
NOTE:
For the successful query to work disable the feature "Block Searches with Leading Wildcards" in settings->Advanced Settings
The following query does not return any results
fileless_scriptload_cmdline:Net.WebClient
To get the results the following will work
fileless_scriptload_cmdline:*Net.WebClient*
NOTE:
For the successful query to work disable the feature "Block Searches with Leading Wildcards" in settings->Advanced Settings
Environment
- EDR Server: 7.6.1
Cause
fileless_scriptload_cmdline field is not Tokenized
Resolution
This issue is resolved with EDR Server build 7.7.0
Additional Information
Feedback
Yes
No
Powered by
