Queries that exclude process (such as: parent_name) in searches can sometimes produce unexpected results which do indeed have the excluded value associated to the process.

• Carbon Black Cloud Console: All Versions
• Carbon Black Cloud Sensor: All Supported Versions 
  • Microsoft Windows: All Supported Versions

• There are small number of processes which do not report a parent_name to the backend.
• Therefore when negating a parent_name in the search, those segments with no parent_name associated would return as a match even if other segments had the parent_name being negated. 

Include: parent_name:* to the query, which will ensure those segments which have no parent_name associated are not included in the result set. 

• Example query that will return false positive:

  process_name:<process_name> -(parent_name:<parent_name>)

• It is possible for that query to produce a process result that does indeed have the parent of <parent_name>.
• Updated query to make sure there are no the false positives:

  process_name:<process_name> -(parent_name:<parent_name>) parent_name:*