Enterprise EDR: Negation of parent_cmdline returns incorrect results

Environment

  • Carbon Black Cloud Console: All Supported Versions
    • Enterprise EDR (Formerly CB ThreatHunter)

Symptoms

Searches that negate a parent_cmdline value return incorrect results: processes whose parent command line matches the negated criteria are not filtered out.

Cause

The sensor captures the parent process' cmdline at the moment it notices the childproc, but by then the parent process may already have exited. In that case the process document has no parent_cmdline value at all, and a negated parent_cmdline clause cannot exclude a document that has no value to compare against.

Resolution

Adding parent_cmdline:* to your query performs an existence check, so only process documents that contain a parent_cmdline value are evaluated and returned.

Additional Notes

Adding parent_cmdline:* could cause false negatives: every process document without a captured parent_cmdline value is excluded, including processes whose (now exited) parent would not have matched the negated criteria.
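The following is an added illustration, not Carbon Black code: a small model of process documents in which one parent exited before the sensor captured its command line, showing why a plain negation keeps that document and why the parent_cmdline:* existence check drops it (the false-negative trade-off described above). The sample documents are constructed, term matching is a substring simplification, and the Solr-style NOT syntax in the comments is assumed.

```python
# Constructed sample process documents (not real sensor data).
# The third document models a child whose parent had already exited when
# the sensor noticed the childproc, so no parent_cmdline was captured.
PROCESS_DOCS = [
    {"process_name": "cmd.exe", "parent_cmdline": "powershell.exe -enc AAAA"},
    {"process_name": "notepad.exe", "parent_cmdline": "explorer.exe"},
    {"process_name": "cmd.exe"},  # parent exited: no parent_cmdline value
]


def negated_search(docs, term):
    """Model of:  NOT parent_cmdline:<term>

    A document with no parent_cmdline value cannot match <term>, so the
    negation keeps it, even though its real parent may have matched.
    """
    return [d for d in docs if term not in d.get("parent_cmdline", "")]


def negated_search_with_existence(docs, term):
    """Model of:  NOT parent_cmdline:<term> AND parent_cmdline:*

    The existence check restricts results to documents that actually carry
    a parent_cmdline value, so the negation is evaluated against real data.
    """
    return [
        d for d in docs
        if "parent_cmdline" in d and term not in d["parent_cmdline"]
    ]


def missing_parent_cmdline(docs):
    """Documents the existence check will always exclude: the set in which
    false negatives can hide, because their parent's cmdline is unknown."""
    return [d for d in docs if "parent_cmdline" not in d]


if __name__ == "__main__":
    # Without the existence check the unknown-parent cmd.exe slips through.
    print("NOT only:     ", [d["process_name"] for d in negated_search(PROCESS_DOCS, "powershell")])
    # With it, only documents with a captured parent_cmdline remain.
    print("NOT + exists: ", [d["process_name"] for d in negated_search_with_existence(PROCESS_DOCS, "powershell")])
    # These are the documents a defender should review separately.
    print("no parent_cmdline:", [d["process_name"] for d in missing_parent_cmdline(PROCESS_DOCS)])
```

Running the model with the term "powershell" returns two documents without the existence check and one with it; the excluded cmd.exe document is the one whose parent command line was never captured.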

Article Information

Creation Date: 01-13-2021