Enterprise EDR: Inconsistent search results for excluded fields
Article ID: 292086
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Search results for queries that exclude a field value (NOT field:value) still return events in which that field is empty.
Environment
Carbon Black Cloud Console: All Supported Versions
Enterprise EDR Sensor: All Supported Versions
Cause
Some event segments carry an empty value for the field being negated. A negated clause such as NOT process_internal_name:powershell* excludes only events whose field value matches the term; an empty field matches nothing, so the negation is satisfied for it and the event is returned even though the field does not actually contain a different value.
Resolution
Add a wildcard term on the same field (field:*) and combine it with the negation, so that only events in which the field has a value are considered. The NOT clause is then applied only to populated fields, and events with an empty field are no longer returned.
Ex. process_name:powershell.exe AND ((process_internal_name:* NOT process_internal_name:powershell*) OR (process_product_name:* NOT process_product_name:powershell*))
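The following is an added example, not part of the KB article and not Carbon Black's search engine: a small Python model of the negation semantics the article describes, run over a handful of constructed event records. It evaluates the bare negation (NOT process_internal_name:powershell*) and the corrected form (process_internal_name:* NOT process_internal_name:powershell*) over a single field; the article's query ORs the same construction over process_internal_name and process_product_name, and each branch behaves as shown here. The event records, field values and the fnmatch-based wildcard matching are assumptions made for illustration.

```python
# Added example (not from the KB article): a simplified model of why a bare
# negated field clause returns events whose field is empty, and why adding a
# field:* wildcard fixes it. The events below are constructed for illustration
# and are not real Carbon Black Cloud telemetry; the matching logic is an
# assumption that models the article's description, not the product's engine.

from fnmatch import fnmatchcase


def field_matches(event, field, pattern):
    """True if the event has a non-empty value for `field` that matches `pattern`.

    `pattern` uses the console's trailing-wildcard style ("powershell*"); a bare
    "*" means "the field has any value". A missing or empty field never matches
    anything, which is exactly what makes a bare NOT clause over-inclusive.
    """
    value = event.get(field)
    if value is None or value == "":
        return False
    return fnmatchcase(value.lower(), pattern.lower())


def naive_query(events):
    """process_name:powershell.exe AND NOT process_internal_name:powershell*

    An empty process_internal_name never matches the positive term, so the
    NOT clause holds for it and the event is returned, although nothing in
    the event says the internal name is something other than PowerShell.
    """
    return [
        e for e in events
        if field_matches(e, "process_name", "powershell.exe")
        and not field_matches(e, "process_internal_name", "powershell*")
    ]


def fixed_query(events):
    """process_name:powershell.exe AND
       (process_internal_name:* NOT process_internal_name:powershell*)

    The leading field:* requires the field to be populated before the
    negation is applied, so events with an empty field drop out.
    """
    return [
        e for e in events
        if field_matches(e, "process_name", "powershell.exe")
        and field_matches(e, "process_internal_name", "*")
        and not field_matches(e, "process_internal_name", "powershell*")
    ]


# Constructed sample events (illustration only, not real data).
SAMPLE_EVENTS = [
    # Normal PowerShell: internal name populated and matches the term.
    {"id": 1, "process_name": "powershell.exe", "process_internal_name": "PowerShell"},
    # Segment where the binary metadata has not been populated: the case the KB describes.
    {"id": 2, "process_name": "powershell.exe", "process_internal_name": ""},
    # Something else renamed to powershell.exe: the event a hunter actually wants.
    {"id": 3, "process_name": "powershell.exe", "process_internal_name": "evil.exe"},
    # Unrelated process, excluded by the positive process_name term.
    {"id": 4, "process_name": "cmd.exe", "process_internal_name": "Cmd"},
]


def ids(results):
    """Sorted event ids of a result list, for easy comparison."""
    return sorted(e["id"] for e in results)


if __name__ == "__main__":
    # The bare negation lets the empty-field event (id 2) through; the
    # wildcard-qualified form returns only the renamed binary (id 3).
    print("naive:", ids(naive_query(SAMPLE_EVENTS)))
    print("fixed:", ids(fixed_query(SAMPLE_EVENTS)))
```

Running the block prints the naive result set containing both the empty-field event and the renamed binary, while the corrected form returns only the renamed binary. The same field:* guard should be added to every field that appears under a NOT in a hunt query, since any field can be empty in some segments.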