CBC: Question on number of devices in the message: "{hash} has been seen on 1185 devices in your organization over the last six months"

Environment

  • CBC Console: All versions
  • CBC Sensors: All versions

Question

Why does the total number of devices differ between the ban dialog and a search? When adding a hash to the Company Banned hash list, an informational modal window appears stating:

{hash} 'has been seen on X devices in your organization over the last six months'.

where X is the number of devices detected. However, a search for the same hash on the Investigate page (even with the 'all available' timeline) may return only a small fraction of the X devices.


Answer

The number X in the informational modal window reflects all the devices where the hash was detected in the last six months, as stated. CBC, on the other hand, only retains events for the last 30 days, so a query on the hash in question returns only the sensors that reported it within that retention period.

Article Information

Creation Date: 08-24-2022