EDR: Event Forwarder does not present a correctly formatted parent_guid for a childproc raw event

Article ID: 292250

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • When using the event-forwarder to forward ingress.event.childproc events, the parent_guid contains an integer value instead of a properly formatted guid.
  • An example event looks like the following (take note of the parent_guid value):

    {
      "cb_server": "cbserver",
      "child_pid": 2540,
      "child_process_guid": "00000007-0000-09ec-01d6-4f1ed91403be",
      "child_suppressed": false,
      "childproc_type": "Exec",
      "computer_name": "DESKTOP-L90T7NG",
      "created": false,
      "event_type": "childproc",
      "md5": "CDA48FC75952AD12D99E526D0B6BF70A",
      "parent_guid": 794632362420220252,
      "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
      "pid": 4852,
      "process_guid": "00000007-0000-12f4-01d6-4f1ed30a7c4a",
      "sensor_id": 7,
      "sha256": "908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53",
      "tamper": false,
      "tamper_sent": false,
      "timestamp": 1593549702,
      "type": "ingress.event.childproc"
    }
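As an added check that is not part of the article or of the Event Forwarder itself: a small Python validator, written for this page, that flags forwarded childproc events whose parent_guid is not a formatted GUID, so a SIEM or pipeline can quarantine the malformed events until the forwarder is upgraded. It embeds the article's sample event verbatim and a constructed counterpart with a well-formed parent_guid (that value is made up). The sensor_id/pid cross-check is inferred from the article's own sample GUIDs (first group equals sensor_id, third group equals the pid in hex) and is an assumption, not documented Carbon Black behaviour.

```python
import json
import re

# Constructed sample 1: the childproc event quoted in the article, verbatim,
# with parent_guid carried as a bare integer (the reported defect).
EVENT_BAD = r'{"cb_server":"cbserver","child_pid":2540,"child_process_guid":"00000007-0000-09ec-01d6-4f1ed91403be","child_suppressed":false,"childproc_type":"Exec","computer_name":"DESKTOP-L90T7NG","created":false,"event_type":"childproc","md5":"CDA48FC75952AD12D99E526D0B6BF70A","parent_guid":794632362420220252,"path":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","pid":4852,"process_guid":"00000007-0000-12f4-01d6-4f1ed30a7c4a","sensor_id":7,"sha256":"908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53","tamper":false,"tamper_sent":false,"timestamp":1593549702,"type":"ingress.event.childproc"}'

# Constructed sample 2: the same event with a well-formed parent_guid (value made up).
EVENT_GOOD = EVENT_BAD.replace(
    '"parent_guid":794632362420220252',
    '"parent_guid":"00000007-0000-0b2c-01d6-4f1ed2f00000"',
)

# Layout seen in the article's GUIDs: 8-4-4-4-12 hex groups.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def is_guid(value):
    """True only for a string in the 8-4-4-4-12 hex layout; an int never qualifies."""
    return isinstance(value, str) and GUID_RE.match(value) is not None


def guid_matches(guid, sensor_id, pid):
    """Consistency check inferred from the article's sample (an assumption, not
    documented behaviour): group 1 encodes sensor_id and group 3 the pid, in hex."""
    groups = guid.split("-")
    return int(groups[0], 16) == sensor_id and int(groups[2], 16) == pid


def check_childproc_event(raw_line):
    """Parse one forwarded JSON line and return a list of findings (empty when clean)."""
    findings = []
    try:
        ev = json.loads(raw_line)
    except ValueError as exc:
        return [f"unparseable JSON: {exc}"]
    if ev.get("type") != "ingress.event.childproc":
        return findings  # only childproc events are in scope for this check
    for field in ("process_guid", "child_process_guid", "parent_guid"):
        value = ev.get(field)
        if not is_guid(value):
            findings.append(
                f"{field} is not a formatted GUID: {value!r} ({type(value).__name__})"
            )
    # Cross-check the two GUIDs that have a pid sitting next to them in the event.
    for guid_field, pid_field in (("process_guid", "pid"), ("child_process_guid", "child_pid")):
        guid, pid, sensor = ev.get(guid_field), ev.get(pid_field), ev.get("sensor_id")
        if is_guid(guid) and isinstance(pid, int) and isinstance(sensor, int):
            if not guid_matches(guid, sensor, pid):
                findings.append(
                    f"{guid_field} does not agree with sensor_id={sensor} and {pid_field}={pid}"
                )
    return findings


def scan_lines(lines):
    """Run the check over a newline-delimited JSON stream; return (line_no, findings) pairs."""
    results = []
    for line_no, line in enumerate(lines, start=1):
        findings = check_childproc_event(line)
        if findings:
            results.append((line_no, findings))
    return results


if __name__ == "__main__":
    for line_no, findings in scan_lines([EVENT_BAD, EVENT_GOOD]):
        for finding in findings:
            print(f"line {line_no}: {finding}")
```

Run against the article's sample, the only finding is that parent_guid is an int rather than a GUID; process_guid and child_process_guid pass both the format test and the sensor_id/pid cross-check, which is why that cross-check is a reasonable sanity test to keep in a forwarder-ingest pipeline.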

Environment

  • EDR Server (formerly CB Response): All Versions
  • Hosted EDR Server (formerly CB Response Cloud): All Versions
  • CB Event Forwarder: versions prior to 3.7.2.

Cause

This is due to an issue in the product.

Resolution

The issue has been fixed in Event Forwarder release 3.7.2.