Enterprise EDR: Negation of parent_cmdline returns incorrect results
Article ID: 290590
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Searches that negate a parent_cmdline value return incorrect results: processes whose parent command line matches the negated criteria are not filtered out of the result set.
Environment
- Carbon Black Cloud Console: All Supported Versions
- Enterprise EDR (Formerly CB ThreatHunter)
Cause
The sensor captures the parent process's cmdline at the moment it observes the child process (childproc), but the parent process may already have exited by then. In that case the process document carries no parent_cmdline value at all, and a negated term on a field that is absent cannot exclude the document.
Resolution
Add parent_cmdline:* to the query. This performs an existence check so that only process documents that contain a parent_cmdline value are returned, and the negated term is then evaluated against those documents.
Additional Information
Adding parent_cmdline:* can cause false negatives: processes whose parent_cmdline was never captured are dropped from the results even when their real parent command line did not match the negated term.
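The following is an added example, not code from the KB article or from Carbon Black. It simulates the two query shapes described in the Resolution and Additional Information sections over a small constructed set of process documents, so the behaviour of a negated term on an absent field, the effect of the parent_cmdline:* existence check, and the false negatives it introduces can all be seen in one run. The document layout, the process_guid values, the _true_parent_cmdline ground-truth key (which stands in for what the parent really was and is never searched) and the substring matching rule are all assumptions made for the illustration, not the product's actual index schema or query semantics.

```python
# Added example (not from the KB article): simulate how a negated
# parent_cmdline term behaves when the field is missing from some
# process documents, with and without a parent_cmdline:* existence check.

# Constructed process documents. "parent_cmdline" is what the sensor
# captured; "_true_parent_cmdline" is constructed ground truth that a
# real search never sees, used here only to audit the results.
PROCESS_DOCS = [
    {"process_guid": "p1", "process_name": "cmd.exe",
     "parent_cmdline": "explorer.exe",
     "_true_parent_cmdline": "explorer.exe"},
    {"process_guid": "p2", "process_name": "cmd.exe",
     "parent_cmdline": "powershell.exe -enc AAAA",
     "_true_parent_cmdline": "powershell.exe -enc AAAA"},
    # p3: parent really was powershell, but it exited before capture,
    # so the document has no parent_cmdline field.
    {"process_guid": "p3", "process_name": "cmd.exe",
     "_true_parent_cmdline": "powershell.exe -enc BBBB"},
    # p4: parent really was explorer, also exited before capture.
    {"process_guid": "p4", "process_name": "cmd.exe",
     "_true_parent_cmdline": "explorer.exe"},
]


def term_matches(doc, field, term):
    """Assumed match rule: field present and term is a case-insensitive substring."""
    value = doc.get(field)
    return value is not None and term.lower() in value.lower()


def plain_negation(docs, field, term):
    """-field:term alone. Keeps every document that does NOT match the term,
    which includes documents where the field is absent entirely."""
    return [d["process_guid"] for d in docs if not term_matches(d, field, term)]


def negation_with_existence(docs, field, term):
    """field:* AND -field:term. Documents lacking the field are dropped first,
    then the negation is applied to what remains."""
    return [d["process_guid"] for d in docs
            if field in d and not term_matches(d, field, term)]


def audit(docs, field, term):
    """Run both query shapes and compare them against the constructed ground truth.

    Returns the two result lists plus:
      unfiltered_true_matches: docs the plain negation returned although the
                               real parent matched the term (the KB's symptom)
      false_negatives:         docs the existence check dropped although the
                               real parent did NOT match the term (the KB's caveat)
    """
    plain = plain_negation(docs, field, term)
    guarded = negation_with_existence(docs, field, term)
    by_guid = {d["process_guid"]: d for d in docs}

    def truly_matches(guid):
        return term.lower() in by_guid[guid]["_true_parent_cmdline"].lower()

    unfiltered = [g for g in plain if truly_matches(g)]
    dropped = set(plain) - set(guarded)
    false_negatives = sorted(g for g in dropped if not truly_matches(g))
    return {
        "plain": plain,
        "guarded": guarded,
        "unfiltered_true_matches": unfiltered,
        "false_negatives": false_negatives,
    }


if __name__ == "__main__":
    for key, value in audit(PROCESS_DOCS, "parent_cmdline", "powershell").items():
        print(f"{key}: {value}")
```

Running the audit shows p3 slipping through the plain negation (its parent was powershell, but the field was never captured) and p4 disappearing once parent_cmdline:* is added (its parent was explorer, yet it is excluded because the field is absent). Which of the two outcomes is acceptable depends on whether a query is being used to hunt for matches or to prove their absence; the existence check trades the first kind of error for the second.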