Watchlist with Negated MD5 are Generating Unexpected Alerts
Article ID: 435976

Products

Carbon Black EDR

Issue/Introduction

A watchlist whose query uses a negated md5: search term is generating alerts for processes that contain that hash, i.e. the very processes the negation was meant to exclude.

Environment

  • Carbon Black EDR Server: 7.9.1 and below

Cause

The md5 field does not exist in the watchlist-tagged segment of the process document, so the negated md5: term is not evaluated there. The alert is actually being generated by a different watchlist hit on the same process.

Resolution

  • Workaround: update the watchlist query to use "process_md5" rather than "md5"
  • Fix Version: 7.9.2 Server
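As an added example, not code from the article or from Carbon Black's own tooling, the following Python helper audits watchlist records for negated md5: terms and rewrites them to process_md5: as the workaround describes. It assumes the record shape the EDR REST API returns (a search_query of the form q=<url-encoded query>&cb.urlver=1 plus an index_type) and runs over constructed sample records; pushing the rewritten query back to the server is left to the operator.

```python
"""Find watchlists with negated md5: terms and rewrite them to process_md5:.
Assumed record shape (not from the article): 'search_query' is
'q=<url-encoded query>&cb.urlver=1' and 'index_type' is 'events' or 'modules'.
"""
import re
from urllib.parse import parse_qs, urlencode

# A negated md5: term at the start of the query or after whitespace / '('.
# Positive md5: terms and other fields (process_md5:, etc.) are left alone;
# the article only concerns the negated form.
NEGATED_MD5 = re.compile(r'(?<![^\s(])-md5:')


def rewrite_query(q):
    """Return the query with every negated md5: term changed to process_md5:."""
    return NEGATED_MD5.sub('-process_md5:', q)


def rewrite_search_query(search_query):
    """Rewrite the 'q' parameter of a watchlist search_query string.
    Returns (new_search_query, changed)."""
    params = parse_qs(search_query, keep_blank_values=True)
    q = params.get('q', [''])[0]
    new_q = rewrite_query(q)
    if new_q == q:
        return search_query, False
    params['q'] = [new_q]
    return urlencode(params, doseq=True), True


def audit_watchlists(watchlists):
    """Return (id, name, new_search_query) for each process ('events') watchlist
    that needs the fix. Binary ('modules') watchlists are skipped: process_md5
    is a process-document field and md5 is the right field there."""
    fixes = []
    for wl in watchlists:
        if wl.get('index_type', 'events') != 'events':
            continue
        new_sq, changed = rewrite_search_query(wl['search_query'])
        if changed:
            fixes.append((wl['id'], wl['name'], new_sq))
    return fixes


# Constructed sample records; the hash is a placeholder, not a real indicator.
SAMPLE_WATCHLISTS = [
    {'id': 1, 'name': 'cmd.exe not on allowlist', 'index_type': 'events',
     'search_query': 'q=-md5%3A00000000000000000000000000000000+AND+process_name%3Acmd.exe&cb.urlver=1'},
    {'id': 2, 'name': 'already fixed', 'index_type': 'events',
     'search_query': 'q=-process_md5%3A00000000000000000000000000000000&cb.urlver=1'},
    {'id': 3, 'name': 'binary watch', 'index_type': 'modules',
     'search_query': 'q=-md5%3A00000000000000000000000000000000&cb.urlver=1'},
]

if __name__ == '__main__':
    for wl_id, name, new_sq in audit_watchlists(SAMPLE_WATCHLISTS):
        print(f'watchlist {wl_id} ({name}): {new_sq}')
```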

Additional Information

  • If this issue is generating an overwhelming number of alerts, contact support for a drop-in patch file to use until the fix version is released.