Carbon Black Cloud: Unable to find Devices with special characters on Endpoints page
search cancel

Carbon Black Cloud: Unable to find Devices with special characters on Endpoints page

book

Article ID: 292148

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Searching for name of device returns unexpected or additional results
  • Results match on any/all fields, including some not visible in Console UI
  • More difficult when device prefixes/suffixes are used (prefix-Name-suffix) 
    Search: Win-10-Laptop-01
Results include matches for all parts individually across all fields
  • Special characters act as breaks or delimiters rather than parts of a text string, thereby creating sub-strings 
    Special Characters on Endpoints page
- ~ ( ) [ ] { } ^ | & " :

Environment

  • Carbon Black Cloud Console: All Versions
    • Audit & Remediation (was CB LiveOps)
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
    • Managed Detection (was CB ThreatSight)

Cause

This issue is due to limitations within the Console UI

Resolution

To ensure more precise search results, please follow these guidelines
  • Searching for device hostname without special characters returns all records that contain that string
  • Searching for device hostname with special characters returns all records that match on each sub-string 
    Example search: Win-10-Laptop-0123
Results will include Win OR 10 OR Laptop OR 0123 present in any field
  • Use two backslashes \\ to escape special characters 
    Example search: Win\\-10\\-Laptop\\-0123
Results will include Win OR 10 OR Laptop OR 0123 present in any field
  • Use specific search terms to improve results 
    Example search: name:Win-10-Laptop-0123
Results will be narrowed to Win OR 10 OR Laptop OR 0123 only in the Device Name
  • Use name: search term to search for some or all sub-strings of device hostname 
    Example search: name:Win name:10 name:Laptop name:0123
Results will be narrowed to Win AND 10 AND Laptop AND 0123 only in the Device Name
  • Use negation ("-" or "AND NOT") to exclude criteria where additional results are returned 
    Example search: name:Win name:10 -name:Desktop -name:012345 -name:.domain.org
Results will be narrowed to Device Names including Win AND 10 and excluding Desktop AND 012345
  • Use search terms outside of name: to further narrow results 
    Example search: name:Win name:10 name:Laptop loginUserName:"Carl Weathers"
Results will be narrowed to Device Names including Win AND 10 AND Laptop and where the User field shows Carl Weathers

Additional Information

  • This limitation is under review for improved documentation and search behavior for potential inclusion in a future version of the Console
  • Useful search terms for the Endpoints page 
    deviceId: (can be found in C:\Program Files\Confer\cfg.ini directly on an endpoint)
email: (formerly known as Installed by, not always the best way to find a device)
lastExternalIpAddress: (use if External IP is known)
lastInternalIpAddress: (use if Internal IP is known)
loginUserName: (information in the User column, Last Active User for Windows 3.5.x.x+/macOS 3.0.x.x+/Linux 2.8.x.x+)
macAddress: (currently only populated for macOS devices)
name: (matches all values in Device Name column)
sensorVersion: (Can be used to filter by specific Sensor builds)
Powered by Wolken Software