Enterprise EDR: Searches on event_description for TCP or UDP connections give odd results

search cancel

Enterprise EDR: Searches on event_description for TCP or UDP connections give odd results

book

Article ID: 289726

calendar_today

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Searching for network connections using event_description and keywords for inbound (accepted a... connection) or outbound (established a... connection) return no results

Examples
event_description:"accepted a TCP/80 connection from"
event_description:"accepted a UDP/5222 connection from"
event_description:"established a TCP/443 connection to"
event_description:"established a UDP/443 connection to"

Environment

Carbon Black Cloud Console: All Versions
- Enterprise EDR (was CB ThreatHunter)

Cause

Tokenization of event_description information includes HTML tags

Resolution

Potential fix being tacked under DSER-24749, watch this article for updates

Additional Information

One way to work around this scenario is to break up the search into smaller chunks using AND operators to still look for all of the phrase being searched for

event_description:("accepted a" AND  "TCPP/80" AND "connection from")
event_description:("accepted a" AND  "UDP/5222" AND "connection from")
event_description:("established a" AND  "TCP/443" AND "connection to")
event_description:("established a" AND  "UDP/443" AND "connection to")

Feedback

thumb_up Yes

thumb_down No