Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: Are Data Forwarder filter queries case sensitive?

Carbon Black Cloud: Are Data Forwarder filter queries case sensitive?

Environment

  • Carbon Black Cloud Console: All Versions
  • Data Forwarder: endpoint.event

Question

Are Data Forwarder filter queries case sensitive?

Answer

Yes, there are situation where the explicit filtering is case sensitive because the Carbon Black Cloud Backend does a direct string/rune match (ie: process_path == "some value"), and with single/multi character wildcards, (ie "X" != "x"). However, for the following query types the Carbon Black Cloud Backend changes everything to lowercase before comparing against events (thus making the following types of queries not case-sensitive):
  • CIDR (in the case of ipv6)
  • Field
  • Quoted Field
  • Wildcard
  • Fuzzy

Additional Notes

For example: If the sensor reported process_path:"c:\windows\explorer.exe" and the WebUI set an exclusion filter of process_path:"C:\Windows\Explorer.exe", the reported event would not be filtered out and therefore will be forwarded. Specifically, in this use case of C:\Windows\Explorer.exe, (c:\windows\explorer.exe != C:\Windows\Explorer.exe) because the data forwarder is designed like: so:: c != C (c:\ vs C:\) and w != W (windows vs Windows) and E != e (Explorer vs explorer). So to be able to exclude both of the following examples, the EXCLUDE filter would have to read: parent_cmdline:"C:\windows\Explorer.EXE" OR parent_cmdline:"C:\WINDOWS\Explorer.EXE".

Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎09-26-2022
Views:
86
Contributors