Enterprise EDR: Search Negation with Parent_Name Fails to Work as Expected

Article ID: 288563

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Queries that negate a process field (such as parent_name) can sometimes return results that do in fact have the excluded value associated with the process.

Environment

  • Carbon Black Cloud Web Console: All Versions
    • Enterprise EDR
  • Carbon Black Cloud Sensor: 3.5.0.1627 and below
    • Microsoft Windows: All Supported Versions

Cause

  • There is a small number of processes that do not report a parent_name to the backend.
  • Therefore, when a parent_name is negated in the search, segments with no parent_name associated are returned as a match even if other segments of the same process carry the parent_name being negated.

Resolution

Add:
parent_name:*

to the query. This ensures that segments with no associated parent_name are excluded from the result set.

Additional Information

Example query that will return false positive:
process_name:<process_name> -(parent_name:<parent_name>)

It is possible for that query to produce a process result that does indeed have the parent of <parent_name>.

Updated query to make sure there are no false positives:
process_name:<process_name> -(parent_name:<parent_name>) parent_name:*
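The following is an added example, not Carbon Black code: it models the per-segment evaluation described in the Cause section, using constructed segment records and constructed process names, to show why the negation alone returns a false positive and why adding parent_name:* removes it.

```python
# Added illustration (not Carbon Black's search implementation).
# Assumption: each segment is evaluated independently, and a segment that
# never reported a parent_name simply lacks the field.

# Constructed segment records. Process "constructed-guid-1" has two segments:
# one that reported its parent and one that did not (the case the article describes).
SEGMENTS = [
    {"process_guid": "constructed-guid-1", "segment": 1,
     "process_name": "cmd.exe", "parent_name": "explorer.exe"},
    {"process_guid": "constructed-guid-1", "segment": 2,
     "process_name": "cmd.exe"},                      # no parent_name reported
    {"process_guid": "constructed-guid-2", "segment": 1,
     "process_name": "cmd.exe", "parent_name": "svchost.exe"},
]


def segment_matches(seg, process_name, excluded_parent, require_parent):
    """Evaluate 'process_name:<p> -(parent_name:<x>) [parent_name:*]' for one segment."""
    if seg.get("process_name") != process_name:
        return False
    parent = seg.get("parent_name")
    # -(parent_name:<x>): a segment with no parent_name field cannot equal <x>,
    # so the negation passes even though a sibling segment may carry <x>.
    if parent == excluded_parent:
        return False
    # parent_name:* requires the field to be present at all.
    if require_parent and parent is None:
        return False
    return True


def search(process_name, excluded_parent, require_parent=False):
    """Return the distinct process_guids with at least one matching segment."""
    hits = {s["process_guid"] for s in SEGMENTS
            if segment_matches(s, process_name, excluded_parent, require_parent)}
    return sorted(hits)


if __name__ == "__main__":
    # Negation alone: constructed-guid-1 is returned although its parent is explorer.exe.
    print(search("cmd.exe", "explorer.exe"))
    # With parent_name:* added, the parentless segment is dropped and the false positive disappears.
    print(search("cmd.exe", "explorer.exe", require_parent=True))
```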