- Carbon Black Cloud Console: All Versions
- Data Forwarder: endpoint.event
Are Data Forwarder filter queries case sensitive?
Yes, there are situations where explicit filtering is case sensitive, because the Carbon Black Cloud Backend does a direct string/rune match (e.g. process_path == "some value"), and the same applies to single/multi character wildcards (e.g. "X" != "x"). However, for the following query types the Carbon Black Cloud Backend converts everything to lowercase before comparing against events, so these query types are not case-sensitive:
- CIDR (in the case of ipv6)
- Quoted Field
For example: if the sensor reported process_path:"c:\windows\explorer.exe" and the WebUI set an exclusion filter of process_path:"C:\Windows\Explorer.exe", the reported event would not be filtered out and would therefore be forwarded. Specifically, in this case c:\windows\explorer.exe != C:\Windows\Explorer.exe because the Data Forwarder compares the strings directly: c != C (c:\ vs C:\), w != W (windows vs Windows), and e != E (explorer vs Explorer). So to exclude both of the following variants, the EXCLUDE filter would have to read: parent_cmdline:"C:\windows\Explorer.EXE" OR parent_cmdline:"C:\WINDOWS\Explorer.EXE".
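The following added example (not Carbon Black's own code) models the direct, case-sensitive string/wildcard match described above so that an exclusion filter can be checked against sample event values before it is deployed. It assumes a simplified query grammar of `field:"value"` terms joined by OR, with `*` as the multi-character and `?` as the single-character wildcard; the event values are constructed.

```python
import re

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a filter value into a regex: '*' matches any run of characters,
    '?' matches exactly one, everything else is literal. No re.IGNORECASE is
    applied, mirroring the direct rune match described in the article."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def term_matches(field: str, value_pattern: str, event: dict) -> bool:
    """True if the event's field value matches the (case-sensitive) pattern."""
    return wildcard_to_regex(value_pattern).match(event.get(field, "")) is not None

def parse_query(query: str) -> list:
    """Extract (field, value) pairs from a query such as
    parent_cmdline:"C:\\windows\\Explorer.EXE" OR parent_cmdline:"..." (assumed grammar)."""
    return re.findall(r'(\w+):"([^"]*)"', query)

def is_excluded(query: str, event: dict) -> bool:
    """An event is excluded if any OR-joined term matches it."""
    return any(term_matches(f, v, event) for f, v in parse_query(query))

def unfiltered_events(query: str, events: list) -> list:
    """Return the events an EXCLUDE filter would still let through to the forwarder."""
    return [e for e in events if not is_excluded(query, e)]

if __name__ == "__main__":
    # Constructed sample events: the same binary reported with different casing.
    events = [
        {"process_path": r"C:\Windows\Explorer.exe"},
        {"process_path": r"c:\windows\explorer.exe"},
    ]
    single = r'process_path:"C:\Windows\Explorer.exe"'
    combined = single + r' OR process_path:"c:\windows\explorer.exe"'
    # The single-case filter lets the lowercase event through; the OR filter covers both.
    print("still forwarded with single filter:", unfiltered_events(single, events))
    print("still forwarded with OR filter:", unfiltered_events(combined, events))
```

Run the script against values copied from real forwarded events to see exactly which casing variants an exclusion filter misses.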