EDR: Inconsistent Results When Using Netconn_Count Search Field on Process Search Page
Article ID: 290180
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Processes which are terminated:true are not consistently returned when netconn_count is used in process search.
Environment
- EDR Server: All Versions
- Hosted EDR Server: All Versions
Cause
This is due to a product issue.
Resolution
The product issue is being investigated in CB-32829. Once a target release date or version is provided, this article will be updated.
Additional Information
Example:
1. The following search returns 29 hits, all of which have a terminated:true in process document:
netconn_count:[1 TO *] ipaddr:127.0.0.1 process_name:local
2. However this search returns 12 results:
netconn_count:[1 to 100] ipaddr:127.0.0.1 process_name:local
1. The following search returns 29 hits, all of which have a terminated:true in process document:
netconn_count:[1 TO *] ipaddr:127.0.0.1 process_name:local
2. However this search returns 12 results:
netconn_count:[1 to 100] ipaddr:127.0.0.1 process_name:local
Feedback
Yes
No
Powered by
