Enterprise EDR: False positive alerts from watchlist "Defense Evasion - Office Applications Spawning Rundll32"
Article ID: 290352
Products
Carbon Black Cloud Enterprise EDR (formerly CB ThreatHunter)
Issue/Introduction
- The watchlist alerts on events that contain a value the query explicitly negates (a NOT clause that should have excluded them)
- The alert timestamp and the timestamp of the negated process event are very close together
Environment
- Carbon Black Cloud Console: All Versions
- Enterprise EDR: All Versions
Cause
The watchlist query is executed before the complete event has been uploaded to the back-end. At the moment the watchlist ran, the field that the negated clause depends on was not yet present, so the partial event genuinely matched the query; once the full event arrives, it no longer matches.
Resolution
- Work is underway to widen the window between the arrival of an event and the watchlist run that evaluates it, so that events are evaluated only after they have been fully uploaded and these false positives are avoided.
- This work is tracked under ID LC-1071
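The race described in the Cause section can be modelled in a few lines. The following is an added illustration written for this article; it is not Carbon Black code and does not reproduce the Carbon Black Cloud query language or ingestion pipeline. The field names (`parent_name`, `process_name`, `process_hash`), the placeholder hash value and the upload timings are constructed assumptions. It shows why a negated clause passes when its field has not arrived yet, what a "settle window" (evaluate only events whose newest fragment is older than N seconds, the direction the Resolution describes) changes, and how an analyst can re-check an existing alert against the now-complete event record.

```python
"""Model of a watchlist evaluated against a partially uploaded event.

Constructed example. A conjunctive query with a negated term is run while
the field that term depends on has not been uploaded yet, so the event
matches; the same query run after the event settles does not match.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Term:
    """One clause of a conjunctive query: field equals value, or must not."""
    name: str
    value: str
    negated: bool = False


@dataclass
class Event:
    event_id: str
    last_update: float                      # arrival time of newest fragment
    fields: dict = field(default_factory=dict)


def apply_fragment(event: Event, arrival: float, data: dict) -> None:
    """Merge one uploaded fragment into the event record (constructed model)."""
    event.fields.update(data)
    event.last_update = max(event.last_update, arrival)


def matches(query: list, fields: dict) -> bool:
    """True when every term is satisfied. A negated term is satisfied when the
    field is absent or differs, which is exactly why a half-uploaded event
    slips past a NOT clause."""
    for t in query:
        equal = fields.get(t.name) == t.value
        if t.negated == equal:              # positive term unmet, or negated term met
            return False
    return True


def run_watchlist(query: list, events: list, now: float, settle_seconds: float = 0.0) -> dict:
    """Evaluate the query over all events. With settle_seconds > 0, an event whose
    newest fragment is younger than the window is deferred instead of being
    judged on a partial record."""
    verdicts = {}
    for ev in events:
        if now - ev.last_update < settle_seconds:
            verdicts[ev.event_id] = "deferred"
        elif matches(query, ev.fields):
            verdicts[ev.event_id] = "alert"
        else:
            verdicts[ev.event_id] = "no_match"
    return verdicts


def triage_alert(query: list, event: Event) -> str:
    """Re-run the query against the record as it exists now. An alert whose
    event no longer matches is a candidate false positive from the race."""
    return "confirmed" if matches(query, event.fields) else "likely_false_positive"


# Hypothetical watchlist: an Office application spawning rundll32, excluding one
# known-benign binary by hash. The hash value is a placeholder, not a real IoC.
WATCHLIST = [
    Term("parent_name", "winword.exe"),
    Term("process_name", "rundll32.exe"),
    Term("process_hash", "PLACEHOLDER_HASH_OF_KNOWN_BENIGN_BINARY", negated=True),
]


def demo() -> tuple:
    """Constructed upload sequence: the negated field arrives in a later fragment."""
    ev = Event("evt-1", last_update=0.0)
    apply_fragment(ev, 0.0, {"parent_name": "winword.exe", "process_name": "rundll32.exe"})

    naive = run_watchlist(WATCHLIST, [ev], now=0.5)["evt-1"]                       # fires
    settled_early = run_watchlist(WATCHLIST, [ev], now=0.5, settle_seconds=2.0)["evt-1"]

    apply_fragment(ev, 0.8, {"process_hash": "PLACEHOLDER_HASH_OF_KNOWN_BENIGN_BINARY"})
    settled_late = run_watchlist(WATCHLIST, [ev], now=3.0, settle_seconds=2.0)["evt-1"]

    return naive, settled_early, settled_late, triage_alert(WATCHLIST, ev)


if __name__ == "__main__":
    for label, verdict in zip(("naive", "settled@0.5s", "settled@3.0s", "triage"), demo()):
        print(f"{label:>13}: {verdict}")
```

The `demo()` walk-through returns `("alert", "deferred", "no_match", "likely_false_positive")`: the naive evaluation alerts on the partial record, the settle window defers it, the later evaluation on the complete record correctly finds no match, and re-evaluating an already-raised alert against the finished record flags it for the analyst. The triage step is the practical check for alerts that fired before the fix tracked under LC-1071 lands: pull the process event by its ID, confirm the negated field is now present, and close the alert if the complete event no longer satisfies the query.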