Environment
- Carbon Black Cloud: All supported versions
- Enterprise EDR: All supported versions
- Endpoint Enterprise: All supported versions:
- CB-API: All supported versions
Symptoms
- A CB-API script is only returning a subset of child processes seen in the Enterprise EDR UI.
- The same CP-API script will return different numbers of child processes when rerun repeatedly and quickly.
Cause
The script call cb.select(Event) is querying multiple segments, and reporting back the # children before all segments have reported back.
Resolution
- Because this is a timing issue, a workaround is to build in a delay when performing this call like so:
// Waits for event segments to be fetched
events_query = proc.events(event_type="filemod")
events_query[0]
while events_query._total_segments != events_query._processed_segments:
events_query[0]
Additional Notes
- This discrepancy will be fixed in upcoming process search v2 architecture.
- This script will reproduce the original problem:
from cbapi.psc.threathunter import CbThreatHunterAPI, Process
cb = CbThreatHunterAPI()
#grab a process for the guid we're interested in
query = cb.select(Process).where("process_guid:76DFDR97-011727a1-00004ff0-00000000-1d62913656d920a")
for proc in query:
print(proc.process_guid)
print("Filemods: {}".format(proc.filemod_count))
print("Regmods: {}".format(proc.regmod_count))
print("Modloads: {}".format(proc.modload_count))
print("Crossprocs: {}".format(proc.crossproc_count))
print("Childprocs: {}".format(proc.childproc_count))
for e in proc.events(event_type="filemod"):
if "mp4" in e.filemod_name:
print(e.filemod_name)
