Cb Response: Searches with event counts returning incorrect results
Article ID: 289603
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Search results include or exclude processes with event counts that meet the query
- ex. Searching for childproc_name:foo.exe AND childproc_count:2 returns a process with a child foo.exe process with exactly two children
Environment
- Cb Response Server: 6.x
Cause
- This is a known issue with count searches, CB-23864. Searches do not span across segments. In the above example, a process segment would need to have a childproc_count of 2 and the foo.exe childproc listed.
Resolution
- These is no fix or workaround for the search query at this time. The Process Analysis for a process will show correct counts
Feedback
Yes
No
Powered by
