Enterprise EDR: Negation of parent_cmdline returns incorrect results

Article ID: 290590

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Searches that negate a parent_cmdline value return incorrect results: processes that should be filtered out by the negated criteria still appear in the results.

Environment

  • Carbon Black Cloud Console: All Supported Versions
    • Enterprise EDR (Formerly CB ThreatHunter)

Cause

The parent process's command line is captured at the time the sensor observes the child process (childproc), but by then the parent process may already have exited, so the parent_cmdline field is absent from that process document.

Resolution

Adding parent_cmdline:* to your query performs an existence check, restricting results to process documents that actually contain a parent_cmdline value.

Additional Information

parent_cmdline:* could cause false negatives: process documents whose parent_cmdline was never captured are excluded from the results entirely.
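To see why the existence check in the Resolution changes the result set, and where the false negatives described above come from, here is an added illustration in Python; it is not product code, the process records are constructed, and the substring matching is a simplification of the search engine's term matching.

```python
"""Model of a negated parent_cmdline clause over process documents where
the parent exited before the sensor observed the child (added illustration;
documents and matching logic are constructed, not sensor data or the
product's query engine)."""
from typing import Dict, List, Optional

# Constructed process documents. parent_cmdline is None when the sensor
# could not capture the parent's command line because the parent had exited.
PROCESSES: List[Dict[str, Optional[str]]] = [
    {"process_name": "cmd.exe", "parent_cmdline": "explorer.exe"},
    {"process_name": "cmd.exe", "parent_cmdline": "svchost.exe -k netsvcs"},
    {"process_name": "cmd.exe", "parent_cmdline": None},  # parent already gone
    {"process_name": "cmd.exe", "parent_cmdline": "explorer.exe /restart"},
]


def negated_only(docs, term: str):
    """-parent_cmdline:<term>: keeps every document that does NOT match,
    which includes documents that have no parent_cmdline at all."""
    return [d for d in docs
            if not (d["parent_cmdline"] and term in d["parent_cmdline"])]


def negated_with_existence(docs, term: str):
    """parent_cmdline:* AND -parent_cmdline:<term>: the existence check
    drops documents with a missing field before the negation is applied."""
    return [d for d in negated_only(docs, term)
            if d["parent_cmdline"] is not None]


def missing_parent_cmdline(docs):
    """Documents that parent_cmdline:* silently excludes: the potential
    false negatives noted in Additional Information."""
    return [d for d in docs if d["parent_cmdline"] is None]


if __name__ == "__main__":
    term = "explorer.exe"
    print("negation only      :", len(negated_only(PROCESSES, term)))
    print("with existence     :", len(negated_with_existence(PROCESSES, term)))
    print("excluded by :*     :", len(missing_parent_cmdline(PROCESSES)))
```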