Carbon Black Cloud: Are Data Forwarder filter queries case sensitive?
Article ID: 289067
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Are Data Forwarder filter queries case sensitive?
Environment
Carbon Black Cloud Console: All Versions
Data Forwarder: endpoint.event
Resolution
Yes. There are situations where explicit filtering is case sensitive, because the Carbon Black Cloud backend performs a direct string/rune match (i.e. process_path == "some value"), and with single/multi-character wildcards (i.e. "X" != "x"). However, for the following query types the Carbon Black Cloud backend converts everything to lowercase before comparing against events, so these query types are not case sensitive:
CIDR (in the case of IPv6)
Field
Quoted Field
Wildcard
Fuzzy
Additional Information
For example: if the sensor reported process_path:"c:\windows\explorer.exe" and an exclusion filter of process_path:"C:\Windows\Explorer.exe" was set in the web UI, the reported event would not be filtered out and would therefore be forwarded. In this case c:\windows\explorer.exe != C:\Windows\Explorer.exe because the Data Forwarder compares the strings character by character: c != C (c:\ vs C:\), w != W (windows vs Windows) and e != E (explorer vs Explorer). So, to exclude both of the following spellings, the EXCLUDE filter would have to read: parent_cmdline:"C:\windows\Explorer.EXE" OR parent_cmdline:"C:\WINDOWS\Explorer.EXE".
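The following Python script is an added example and not Carbon Black code; it models the case-sensitive exact-match behaviour this article describes for explicit Data Forwarder exclusion filters, beside the lowercase-before-compare behaviour described for the other query types, and audits which observed values a given exclusion list would still let through. The sample paths, the field name and the function names are constructed for illustration; the real backend's matching rules are only what the article states.

```python
# Added example (not Carbon Black Cloud code). Models the two comparison
# behaviours described in the article so an exclusion list can be checked
# against values actually seen in events before it is deployed.

from typing import List

# Constructed sample of values as a sensor might report them (not real data).
OBSERVED_PATHS: List[str] = [
    r"c:\windows\explorer.exe",
    r"C:\Windows\Explorer.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"c:\windows\system32\svchost.exe",
]


def matches_exact(filter_value: str, event_value: str) -> bool:
    """Direct string comparison: how the article says explicit filters behave."""
    return filter_value == event_value


def matches_folded(filter_value: str, event_value: str) -> bool:
    """Comparison after lowercasing both sides: the behaviour the article
    describes for CIDR/Field/Quoted Field/Wildcard/Fuzzy query types."""
    return filter_value.lower() == event_value.lower()


def forwarded_after_filter(observed: List[str], exclusions: List[str],
                           case_sensitive: bool = True) -> List[str]:
    """Return the observed values that no exclusion matches, i.e. the events
    that would still be forwarded under the chosen comparison rule."""
    match = matches_exact if case_sensitive else matches_folded
    return [v for v in observed if not any(match(f, v) for f in exclusions)]


def build_exclude_query(field: str, target: str, observed: List[str]) -> str:
    """Under exact matching every distinct spelling needs its own OR'd term.
    Select the observed spellings that are the target once case is folded and
    join them into one EXCLUDE query string (the article's 'A OR B' shape)."""
    spellings = [v for v in observed if matches_folded(target, v)]
    unique = list(dict.fromkeys(spellings))  # dedupe, keep first-seen order
    return " OR ".join(f'{field}:"{s}"' for s in unique)


if __name__ == "__main__":
    # A single mixed-case filter leaves the other spellings forwarded.
    single = [r"C:\Windows\Explorer.exe"]
    print("still forwarded (exact):", forwarded_after_filter(OBSERVED_PATHS, single))
    print("still forwarded (folded):",
          forwarded_after_filter(OBSERVED_PATHS, single, case_sensitive=False))
    # Build a query that covers every spelling of explorer.exe seen so far.
    print(build_exclude_query("process_path", r"c:\windows\explorer.exe", OBSERVED_PATHS))
```

Run it against a list of values pulled from your own forwarded events; any value that `forwarded_after_filter` still returns under exact matching is a spelling your exclusion filter does not cover, and `build_exclude_query` produces the OR'd filter text for them.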