Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: Process Analysis shows fewer events than listed in Process Search results

EDR: Process Analysis shows fewer events than listed in Process Search results

Environment

  • EDR Server: 6.x and Higher

Symptoms

  • The number of events shown on the Process Analysis page does not match the number of events associated with the process in search results.
  • Events associated with an alert do not appear in the Process Analysis page

Cause

  • Minor discrepancies are caused by the Fuzzy Facets feature which returns an estimated guess of each event count
  • Numbers off by hundreds or thousands of events are caused by a limit on the number of events per page returned in Process Analysis

Resolution

  1. To view all events of a process, the timeline on the Process Analysis page must be fully expanded
  2. Each page contains a predetermined set of 500 events, to view other events in the process, click through each page

Additional Notes

Feature Request has been created to allow the ability for searching all pages of events in the Process Analysis page:
https://community.carbonblack.com/t5/Idea-Central/Search-all-pages-of-an-Event-in-the-Process-Analys...

Related Content


Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎11-15-2017
Views:
874
Contributors