
CBC Data Forwarder: The custom query filter's "process_username" field does not seem to be filtering.

Environment

  • Carbon Black Cloud Backend: 1.20 (as of December, 2023)
  • Carbon Black Cloud Sensor: All versions

Symptoms

For example, this custom query for the user "system" does not filter:

process_username:system

Cause

There are a few syntax differences between the Data Forwarder custom query tool and the Investigate/Watchlist pages.
One of them is that the process_username field is NOT tokenized in the Data Forwarder custom query: the filter is compared against the whole field value rather than against individual words.
So in this case, "system" will not be a match for, say, "NT AUTHORITY\SYSTEM".

Resolution

For the Data Forwarder, use a wildcard so that the pattern matches the entire string, as follows:
process_username:*\\system
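To make the tokenized versus untokenized difference concrete, the following is an added example (not code from the article or from Carbon Black) that models the two matching behaviours in Python. The two matcher functions, the `\\` escaping rule, the case-insensitive comparison, and the sample usernames are all assumptions constructed from the article's description; they are not the product's actual query engine.

```python
import re

# Constructed sample of process_username values as they might appear in
# forwarded events. These are illustrative values, not captured data.
SAMPLE_USERNAMES = [
    r"NT AUTHORITY\SYSTEM",
    r"NT AUTHORITY\LOCAL SERVICE",
    r"CORP\alice",
    r"system",
]


def _unescape(pattern: str) -> str:
    # Assumption modeled on the article: a literal backslash in the
    # Data Forwarder query is written as "\\", so collapse that escape.
    return pattern.replace("\\\\", "\\")


def matches_untokenized(pattern: str, value: str) -> bool:
    """Model of the Data Forwarder behaviour described in the article:
    the pattern must match the WHOLE field value, with '*' as a wildcard.
    Case-insensitive comparison is an assumption (the article's
    '*\\system' matches 'NT AUTHORITY\\SYSTEM')."""
    pat = _unescape(pattern)
    # Turn the glob into a regex: '*' becomes '.*', everything else is literal.
    regex = ".*".join(re.escape(part) for part in pat.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def matches_tokenized(term: str, value: str) -> bool:
    """Model of the Investigate/Watchlist behaviour: the value is split into
    tokens on non-alphanumeric characters and a bare term matches if it
    equals any single token (tokenizer rules are an assumption)."""
    tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", value) if t]
    return term.lower() in tokens


def filter_forwarder(pattern: str, usernames=SAMPLE_USERNAMES) -> list:
    """Usernames a Data Forwarder custom query would keep."""
    return [u for u in usernames if matches_untokenized(pattern, u)]


def filter_investigate(term: str, usernames=SAMPLE_USERNAMES) -> list:
    """Usernames an Investigate/Watchlist query would keep."""
    return [u for u in usernames if matches_tokenized(term, u)]


if __name__ == "__main__":
    for query in ["system", r"*\\system"]:
        print(f"query process_username:{query}")
        print("  Investigate (tokenized):  ", filter_investigate(query))
        print("  Data Forwarder (whole str):", filter_forwarder(query))
```

Running the script shows the symptom from the article: the bare term `system` matches `NT AUTHORITY\SYSTEM` under the tokenized model but only the exact value `system` under the whole-string model, while `*\\system` matches `NT AUTHORITY\SYSTEM` under the whole-string model. When validating a forwarder filter, compare its output against the same query on the Investigate page for a known sample of events rather than assuming the two pages share syntax.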

Related Content

Syntax Tips for Custom Query Filters

Article Information
Creation Date: 12-10-2023