logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

EDR: Why do the Counts Differ Between the Search Page and Process Analysis Page

EDR: Why do the Counts Differ Between the Search Page and Process Analysis Page

Environment

  • EDR Servers: 7.1 and higher

Question

Why do the netconn counts differ between the Process Search page and the Process Analysis page?
 

Answer

  • The Process Search count is the running total for the process, the Process Analysis is the number within the given Solr segment.  There are two reasons the counts differ:
            A) The older netconns aged out of the Solr core segments (count is lower in the Analysis page) or
            B) The sensor was restarted while storing to the current segment reseting the total (count is lower in the Search page).

Additional Notes

  • To confirm the EDR console is reporting the correct numbers,
               a) Pull the raw document for that event.  Run a curl command, on the standalone server or the minion used by the sensor, using the GUID (first string in the Process Analysis URL). 
curl 'http://localhost:8080/solr/reader/select?q=id:<uniqueid>*&wt=json&indent=true&rows=400&debug=track&sort=last_server_update%20asc' >> rawprocdoc.json
               b) Extract the number of complete netconns which occurred in that segment until the current time.  This number should match the Process Analysis total of netconns (Confirm the timeline is completely expanded). 
egrep 'timestamp.*protocol.*direction.*local_ip.*local_port.*remote_ip' <rawprocdoc.json> | grep -v Response | wc -l]
               c) Determine if the sensor was restarted at anytime during this solr segment. 
grep '"netconn_count":0,' <rawprocdoc.json> | grep -v Response
  • The netconn number displayed on the Process Search page reflects the running total of netconns for the given process.  When the Process Search page displays a number lower than the netconns listed in the Process Analysis page, this indicates the sensor restarted while the event process was running.  Confirmation can be noted in the raw document by searching for netconn_count being reset to 0.
  • When the Process Search page displays a number greater than the netconns listed in the Process Analysis page, this indicates the event ran over several segments (expand the timeline) or some netconns occurred several days earlier and may have aged out of the Solr data store.  Confirmation can be found in the raw document with the first netconn_count is greater than 0.  
  • The Process Search result lists all of the segments of any processes that match the search criteria. Checking 'group by process' option will collapse these into one row per unique process. Selecting one of these segments will then show all the events based on the timeline selected above.
  • The netconn numbers represent "The number of network connections that the execution of this process either attempted or established.
  • The number of netconns displayed Process Analysis page should match the number of netconns exported.

Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎05-13-2022
Views:
257
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.