CB Response: Occasional false positives for events with binary and process data in search query

CB Response: Occasional false positives for events with binary and process data in search query

search cancel

CB Response: Occasional false positives for events with binary and process data in search query

book

Article ID: 290209

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

A false positive alert for a process is generated
Manually running the search for the alert does not return the process

Environment

CB Response Server: 6.1 and Higher
Linux: All Supported Versions

Cause

This is a known issue that can occur when a join is made between process and binary documents - CB-21633

Resolution

A fix for this issue will be available in a future release
A temporary workaround would be to add a wildcard search for any binary fields in the query.
- Example: If dig_sig_publisher is the field to be matched on, add dig_sig_publisher:* before the actual search

Feedback

thumb_up Yes

thumb_down No