CB Response: Watchlists Firing on Incorrect Binary Metadata
Article ID: 288779


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Watchlists whose query uses a binary-metadata field (for example file_desc) in a negated clause return false-positive hits on processes that should not match.

Environment

  • CB Response: All Supported Versions

Cause

Process documents and binary (module) documents are not uploaded by the sensor at the same time, so a process document can exist for a while before the metadata of its binary has been joined to it. During that window the binary fields are simply absent from the process document. A "not equal to" clause such as -file_desc:"Microsoft screen magnifier" is true for any document in which file_desc is missing, so the watchlist fires on every process whose binary metadata has not arrived yet, regardless of what that metadata will turn out to be.

Resolution

Update the watchlist query so that it also requires the binary field to be present: add a file_desc:* clause (file_desc exists with any value) in front of the negated file_desc clause. Processes whose binary metadata has not been joined yet then fail the presence check and are not matched until the field is populated. The same guard applies to any other binary-metadata field that the watchlist uses with a negative match. Before saving the change, run the updated query from the process search page and confirm that the results no longer include processes with a blank file description.

Example:
process_name:magnify.exe file_desc:* -file_desc:"Microsoft screen magnifier"
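The following is an added example, not code from Carbon Black or from this article. It models the watchlist behaviour described above with a small evaluator over constructed process documents (one of which is missing file_desc, standing in for a process whose binary metadata has not been joined yet) and includes a helper that rewrites a query to insert the field:* guard in front of negated clauses. The evaluator assumes Lucene-style MUST/MUST_NOT semantics, in which a clause on an absent field never matches; the document contents, the query strings other than the one on this page, and the set of guarded fields are assumptions for illustration.

```python
"""Why `-file_desc:"..."` fires on processes with no binary metadata, and the fix."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed process documents (not real CB Response data). proc-3 models a
# process document whose binary metadata has not been joined yet: file_desc is
# absent, not equal to some other value.
SAMPLE_DOCS: List[Dict[str, str]] = [
    {"id": "proc-1", "process_name": "magnify.exe", "file_desc": "Microsoft screen magnifier"},
    {"id": "proc-2", "process_name": "magnify.exe", "file_desc": "Totally Legit Tool"},
    {"id": "proc-3", "process_name": "magnify.exe"},
    {"id": "proc-4", "process_name": "notepad.exe", "file_desc": "Notepad"},
]

# The watchlist query that misfires, and the corrected query from the article.
NAIVE_QUERY = 'process_name:magnify.exe -file_desc:"Microsoft screen magnifier"'
HARDENED_QUERY = 'process_name:magnify.exe file_desc:* -file_desc:"Microsoft screen magnifier"'

# One clause: [-]field:value, where value is "quoted text" or a bare token such as *.
TERM_RE = re.compile(r'(-?)(\w+):("(?:[^"\\]|\\.)*"|\S+)')


def parse_query(query: str) -> List[Tuple[bool, str, str]]:
    """Return (prohibited, field, value) triples for each clause of a watchlist query."""
    terms = []
    for neg, field, value in TERM_RE.findall(query):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        terms.append((neg == "-", field, value))
    return terms


def term_matches(doc: Dict[str, str], field: str, value: str) -> bool:
    """Lucene-style term match: an absent field matches nothing, not even a wildcard."""
    if field not in doc:
        return False
    if value == "*":
        return True
    return doc[field].lower() == value.lower()


def evaluate(query: str, docs: Iterable[Dict[str, str]]) -> List[str]:
    """Ids of documents matching every required clause and no prohibited clause."""
    hits = []
    for doc in docs:
        ok = True
        for prohibited, field, value in parse_query(query):
            # A required clause that misses, or a prohibited clause that matches,
            # both disqualify the document.
            if term_matches(doc, field, value) == prohibited:
                ok = False
                break
        if ok:
            hits.append(doc["id"])
    return hits


def harden_query(query: str, guard_fields: Iterable[str] = frozenset({"file_desc"})) -> str:
    """Insert field:* before each negated clause on a guarded field unless already present.

    guard_fields is an assumed list of binary-metadata fields; extend it with any
    other binary field the watchlist negates.
    """
    terms = parse_query(query)
    present = {field for prohibited, field, value in terms if not prohibited and value == "*"}
    out = []
    for prohibited, field, value in terms:
        if prohibited and field in guard_fields and field not in present:
            out.append(f"{field}:*")
            present.add(field)
        rendered = f'"{value}"' if " " in value else value
        out.append(f"{'-' if prohibited else ''}{field}:{rendered}")
    return " ".join(out)


if __name__ == "__main__":
    print("naive hits:   ", evaluate(NAIVE_QUERY, SAMPLE_DOCS))
    fixed = harden_query(NAIVE_QUERY)
    print("hardened query:", fixed)
    print("hardened hits:", evaluate(fixed, SAMPLE_DOCS))
```

The naive query returns proc-3 alongside the genuinely suspicious proc-2, because a clause on a missing field is never true and so its negation always is. The hardened query drops proc-3 until its binary metadata arrives, at which point the negated clause evaluates against a real value. harden_query is idempotent, so running it over a query that already carries the guard leaves it unchanged.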