EDR: False Positives when negating binary field values
Article ID: 291616

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

False positives are seen when negating binary fields such as file_desc or signed in feeds, watchlists, and process searches.

Environment

  • EDR (formerly CB Response) Console: 6.1.x and Higher

Cause

This is caused by a small delay in the query between the return of binary data and event data. The issue is tracked under ID CB-21633.

Resolution

Edit the query by adding a wildcard search for the specific binary field before the negation search.
Example:
file_desc:* AND -file_desc:
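As an added example (not from the article or from Carbon Black), a small Python helper that applies this workaround to a watchlist, feed, or process-search query: for every negated binary field it finds, it prepends the matching field:* guard unless one is already present. The binary field list defaults to the two fields the article names; extending it for other binary fields in your deployment is an assumption you must verify.

```python
import re

# Binary-document fields named in the article; extend for your deployment (assumption).
BINARY_FIELDS = ("file_desc", "signed")

# A negated term: "-field:value" where value is quoted or unquoted, not preceded by
# another field name or a stray hyphen. EDR negation uses a leading '-'.
_NEG_TERM = re.compile(r'(?<![\w:])-(?P<field>[a-z0-9_]+):(?P<value>"[^"]*"|\S+)')


def guard_negated_binary_fields(query, binary_fields=BINARY_FIELDS):
    """Return the query with a 'field:*' guard prepended for each negated binary
    field that is not already guarded. Negations of non-binary fields are left alone.
    If the query contains OR, the original query is parenthesised so the AND guard
    binds to the whole expression rather than only its first clause."""
    negated = []
    for m in _NEG_TERM.finditer(query):
        field = m.group("field")
        if field in binary_fields and field not in negated:
            negated.append(field)

    # Skip fields that already carry a positive wildcard term such as 'file_desc:*'.
    needed = [
        f for f in negated
        if not re.search(rf'(?<![\w:-]){re.escape(f)}:\*', query)
    ]
    if not needed:
        return query

    prefix = " AND ".join(f"{f}:*" for f in needed)
    if " OR " in query:
        return f"{prefix} AND ({query})"
    return f"{prefix} AND {query}"


if __name__ == "__main__":
    # Constructed sample queries, not taken from any real watchlist.
    for q in ("-file_desc:chrome",
              "process_name:cmd.exe AND -signed:Signed",
              "file_desc:* AND -file_desc:chrome",
              "-process_name:cmd.exe"):
        print(f"{q!r:45} -> {guard_negated_binary_fields(q)!r}")
```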