Enterprise EDR: SANS Feed False Positives for Unusual Parent or Child

Article ID: 292549


Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Alerts are generated for processes such as lsass.exe or services.exe whose parent is not wininit.exe, yet further investigation shows that wininit.exe is listed as the parent. 
  • Searching for the process together with -parent_name:wininit.exe also returns these incorrect results. 

Environment

  • Carbon Black Cloud: All Versions
    • Enterprise EDR

Cause

The parent_name value stored in the event metadata is a longer string that contains the expected name but is not an exact match, so the exact-match exclusion in the query does not remove it.
Ex. $$deletemewininit.exe*

Resolution

Workarounds
  • The parent_name exclusions need wildcards before and after the name so that they also match the longer parent name. 
    • ex. For the query SANS Unusual Services.Exe Parent
Original Query:
((process_name:services.exe parent_name:* -parent_name:wininit.exe -parent_name:winlogon.exe)) -(legacy:true OR enriched:true)

Fixed Query:
((process_name:services.exe parent_name:* -parent_name:*wininit.exe* -parent_name:*winlogon.exe*)) -(legacy:true OR enriched:true)
  • To continue receiving alerts for the intended query, create a new watchlist containing custom reports built from the modified searches:
    1. Create a custom watchlist - https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-B337A54A-189B-491E-BD9F-8C00A8BE2D8C.html
    2. Copy the report query causing the false positive to the Investigate page. 
    3. Run the query to confirm that the events match the expected results.
    4. Select "Add search to threat report"
    5. Select the new watchlist name and Save
    6. In the SANS watchlist, disable the report causing the false positive alert.
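To see why the exact-match exclusion misses the longer parent name, the following is an added Python example, not part of this article or of the Carbon Black product, that emulates the process_name and parent_name clauses of the original and fixed queries above over constructed sample events. It assumes a field term is a case-insensitive whole-value match in which * is a wildcard; the sample parent names are constructed.

```python
import re

# Constructed sample events: (process_name, parent_name). The second row
# mimics the longer parent name described in the Cause section.
EVENTS = [
    ("services.exe", "wininit.exe"),
    ("services.exe", "$$deletemewininit.exe"),
    ("services.exe", "winlogon.exe"),
    ("services.exe", "cmd.exe"),
    ("services.exe", ""),  # no parent recorded; parent_name:* drops it
]

def term_matches(value: str, pattern: str) -> bool:
    """Whole-value, case-insensitive match where '*' is a wildcard (assumed semantics)."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, value.lower()) is not None

def run_query(events, process_name, excluded_parents):
    """Return parent names of events matching process_name, having a parent,
    and matching none of the negated parent_name terms."""
    hits = []
    for proc, parent in events:
        if not term_matches(proc, process_name):
            continue
        if not parent:  # parent_name:* requires a parent to be present
            continue
        if any(term_matches(parent, ex) for ex in excluded_parents):
            continue
        hits.append(parent)
    return hits

# Original report: exact-match exclusions.
ORIGINAL_EXCLUSIONS = ["wininit.exe", "winlogon.exe"]
# Fixed report: wildcards on both sides of each excluded name.
FIXED_EXCLUSIONS = ["*wininit.exe*", "*winlogon.exe*"]

def original_hits(events=EVENTS):
    return run_query(events, "services.exe", ORIGINAL_EXCLUSIONS)

def fixed_hits(events=EVENTS):
    return run_query(events, "services.exe", FIXED_EXCLUSIONS)

if __name__ == "__main__":
    print("original:", original_hits())  # the $$deletemewininit.exe parent slips through
    print("fixed:   ", fixed_hits())     # only the genuinely unusual cmd.exe parent remains
```

Running the block shows the original exclusion list still alerting on the $$deletemewininit.exe parent, while the wildcarded list keeps only the cmd.exe parent the report is meant to catch.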