Search results returning results with negated field value
Article ID: 292171
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Search results return events containing field values of ignored fields
Environment
- EDR (formerly CB Response) Server: All Versions
- EDR Sensor: All Versions
Cause
Search is hitting on segments of the event which contain an empty value of the specified field
Resolution
Include a wildcard search on the field to ensure only fields that have any value are returned
- Ex. (cmdline:* AND -cmdline:argvalue)
Additional Information
Negation False Positives can happen on multiple different values not just cmdline used in the example
Feedback
Yes
No
Powered by
