CBC: Question on number of devices in the message: " {hash} has been seen on 1185 devices in your organization over the last six months"
search cancel

CBC: Question on number of devices in the message: " {hash} has been seen on 1185 devices in your organization over the last six months"

book

Article ID: 290885

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Why is there a difference in total number of devices when adding a hash to the Company Banned hash list, an informational modal window appears stating:

{hash} 'has been seen on X devices in your organization over the last six months'.

where X = number of devices detected. However, performing a search for the same hash in the Investigate page (even with 'all available' timeline), only a small fraction of X devices may be returned.

Environment

  • CBC Console: All versions
  • CBC Sensors: All versions

Resolution

The X number of devices in the modal information window reflects all the devices where the hash was detected in the last six months, as stated. On the other hand, CBC only retains events for the last 30 days, so only those sensors are reported with a query on the hash in question.
Powered by Wolken Software