Environment
- Carbon Black Cloud Console: All Versions
- Audit & Remediation (was CB LiveOps)
- Endpoint Standard (was CB Defense)
- Enterprise EDR (was CB ThreatHunter)
- Managed Detection (was CB ThreatSight)
Objective
Provide guidance on improving search results on the Endpoints page when trying to find devices with complex names which include dashes/hypens or other special characters or where there can be more than one device with a given name
Special Characters on Endpoints page
- ~ ( ) [ ] { } ^ | & " :Resolution
Finding the right Endpoint when there is more than one match or where there are complex Device Names (those including the special characters above) can require more complex searches to locate the desired Device and not partial matches
- Searching just on a Device Name works as a plain-text search across all fields, there is no implied use of Device Name
Example search: Win-10-Laptop-0123
Results will include Win OR 10 OR Laptop OR 0123 present in any field
- Use specific fields to search on specific pieces of information
Example search: name:Win-10-Laptop-0123
Results will be narrowed to Win OR 10 OR Laptop OR 0123 only in the Device Name
- Use more than one instance of the 'name:' field to search for all of the parts of the Device Name
Example search: name:Win name:10 name:Laptop name:0123
Results will be narrowed to Win AND 10 AND Laptop AND 0123 only in the Device Name
- Use negation ("-", "AND NOT") to exclude criteria where additional devices are returned
Example search 1: name:Win name:10 -name:Desktop -name:012345 -name:.domain.org
Results will be narrowed to Device Names including Win AND 10 and excluding Desktop AND 012345
- Use other available fields to further narrow results
Example search: name:Win name:10 name:Laptop loginUserName:"Carl Weathers"
Results will be narrowed to Device Names including Win AND 10 AND Laptop and where the User field shows Carl Weathers
Additional Notes
- Special characters act as breaks or delimiters rather than part of a string
- Searching on the Endpoints page can be an iterative exercise depending on the number of devices sharing similar portions of their name, especially when there are naming conventions in place in the provisioning of devices for an organization
- Useful search fields for the Endpoints page
deviceId: (Have to know it first, can be found in C:\Program Files\Confer\cfg.ini directly on an endpoint)
email: (formerly known as Installed by, not always the best way to find a device)
lastExternalIpAddress: (good to use if IP is known)
lastInternalIpAddress: (good to use if IP is known)
loginUserName: (information in the User column, intended to be the Last Logged on User for Windows 3.5.x.x+ or for Mac 3.0.x.x+, and Linux Sensors 2.8.x.x+)
macAddress: (currently only populated for Mac devices)
name: (Device Name column)
sensorVersion: (Can be used to filter by specific builds)
