CB Defense: How To Start Building a Complex Search

Article ID: 289569

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

This article shows how to start building a complex search that uses the AND and OR operators and parentheses to return accurate results.

Environment

  • CB Defense PSC Console: All Versions

Resolution

  1. Go to the Investigate page
  2. Click on 'Enable advanced search'
  3. Enter a search in the following form, replacing each placeholder term with an actual value:
    (TermA_1 OR TermA_2 OR TermA_3) AND (TermB_1 OR TermB_2 OR TermB_3)

Additional Information

  • The same pattern can be used for multiple combinations of information types
  • Users accessing files
    (User1 OR User2 OR User3) AND (Doc1 OR Doc2 OR Doc3)
    (User1 OR User2 OR User3) AND (Hash1 OR Hash2 OR Hash3)
    
  • Files on a machine
    (Doc1 OR Doc2 OR Doc3) AND (Machine1 OR Machine2 OR Machine3)
    (Hash1 OR Hash2 OR Hash3) AND (Machine1 OR Machine2 OR Machine3)
    
  • Files being blocked
    (Doc1 OR Doc2 OR Doc3) AND (TTP:POLICY_DENY OR TTP:POLICY_TERMINATE)
    (Hash1 OR Hash2 OR Hash3) AND (TTP:POLICY_DENY OR TTP:POLICY_TERMINATE)
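
When the term lists are long (for example a set of hashes checked against a set of machines), the grouped form above can be generated rather than typed. The following Python is an added example, not part of the original article or of the product; the function names are hypothetical and the term values are constructed placeholders in the article's naming. It rejects terms containing whitespace or parentheses, because the article does not cover escaping.

```python
import re

# Characters that would change the grouping if pasted unescaped; the article
# does not cover escaping, so such terms are rejected rather than quoted.
_UNSAFE = re.compile(r"[\s()]")


def or_group(terms):
    """Return '(t1 OR t2 ...)' for one category of terms, de-duplicated in order."""
    seen, cleaned = set(), []
    for term in terms:
        term = term.strip()
        if not term or term in seen:
            continue
        if _UNSAFE.search(term):
            raise ValueError(f"term needs escaping, not handled here: {term!r}")
        seen.add(term)
        cleaned.append(term)
    if not cleaned:
        raise ValueError("each group needs at least one term")
    return "(" + " OR ".join(cleaned) + ")"


def build_search(*groups):
    """AND together one parenthesised OR-group per category."""
    if len(groups) < 2:
        raise ValueError("need at least two groups to combine with AND")
    return " AND ".join(or_group(g) for g in groups)


def event_matches(event_values, *groups):
    """Intended meaning of the search: one or more terms from every group present."""
    values = set(event_values)
    return all(values & {t.strip() for t in g} for g in groups)


# Constructed placeholder values (note the duplicate Hash2, which is dropped).
HASHES = ["Hash1", "Hash2", "Hash3", "Hash2"]
MACHINES = ["Machine1", "Machine2"]
BLOCKED = ["TTP:POLICY_DENY", "TTP:POLICY_TERMINATE"]

if __name__ == "__main__":
    print(build_search(HASHES, MACHINES))
    print(build_search(HASHES, BLOCKED))
```

The output string is pasted into the advanced search box from step 3; `event_matches` is only a local check of what the grouped search is meant to select.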