EDR: Process Analysis shows fewer events than listed in Process Search results
search cancel

EDR: Process Analysis shows fewer events than listed in Process Search results

book

Article ID: 290018

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The number of events shown on the Process Analysis page does not match the number of events associated with the process in search results.
  • Events associated with an alert do not appear in the Process Analysis page

Environment

  • EDR Server: 6.x and Higher

Cause

  • Minor discrepancies are caused by the Fuzzy Facets feature which returns an estimated guess of each event count
  • Numbers off by hundreds or thousands of events are caused by a limit on the number of events per page returned in Process Analysis

Resolution

  1. To view all events of a process, the timeline on the Process Analysis page must be fully expanded
  2. Each page contains a predetermined set of 500 events, to view other events in the process, click through each page

Additional Information

Feature Request has been created to allow the ability for searching all pages of events in the Process Analysis page:
https://community.carbonblack.com/t5/Idea-Central/Search-all-pages-of-an-Event-in-the-Process-Analysis-Page/idc-p/31748
Powered by Wolken Software