Environment
- Carbon Black Cloud: All Versions
Symptoms
- Alerts are generated for processes such as lsass.exe or services.exe whose parent is reported as not being wininit.exe. Further investigation shows that wininit.exe is in fact the parent.
- Searching for the process together with -parent_name:wininit.exe also returns incorrect results.
Cause
The parent process name stored in the event metadata is longer than the expected name, so an exact-match search term does not match it.
Ex. $$deletemewininit.exe*
Resolution
Workarounds
- The parent_name field needs wildcards before and after the name.
- Ex. for the query SANS Unusual Services.Exe Parent:
Original Query:
((process_name:services.exe parent_name:* -parent_name:wininit.exe -parent_name:winlogon.exe)) -(legacy:true OR enriched:true)
Fixed Query:
((process_name:services.exe parent_name:* -parent_name:*wininit.exe* -parent_name:*winlogon.exe*)) -(legacy:true OR enriched:true)
- To continue to receive alerts for the intended query, create a new watchlist with new reports based on the modified searches as custom reports.
- Create a custom watchlist - https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-B33...
- Copy the report query causing the false positive to the Investigate page.
- Run the query to confirm events match expected results
- Select "Add search to threat report"
- Select the new watchlist name and Save
- In the Sans watchlist, disable the report causing the false positive alert.
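To make the cause and the fix concrete, the following added example (not part of this KB article or of the Carbon Black Cloud product) emulates the shape of the SANS query above against a handful of constructed process events. The event dictionaries, the field names used as keys, and the term-matching helper are assumptions for illustration; real Carbon Black Cloud search semantics are only approximated here with shell-style wildcard matching. The example shows that the exact exclusion -parent_name:wininit.exe does not suppress an event whose stored parent name is $$deletemewininit.exe*, while the wildcard form -parent_name:*wininit.exe* does.

```python
import fnmatch

# Constructed sample events (not real telemetry). The odd parent_name values
# mimic the malformed metadata the KB describes.
SAMPLE_EVENTS = [
    {"process_name": "services.exe", "parent_name": "wininit.exe"},
    {"process_name": "services.exe", "parent_name": "$$deletemewininit.exe*"},
    {"process_name": "services.exe", "parent_name": "cmd.exe"},
    {"process_name": "services.exe", "parent_name": None},
    {"process_name": "services.exe", "parent_name": "cmd.exe", "enriched": True},
    {"process_name": "lsass.exe", "parent_name": "$$deletemewininit.exe*"},
]

# Exclusion terms taken from the KB's original and fixed queries.
ORIGINAL_EXCLUSIONS = ["wininit.exe", "winlogon.exe"]
FIXED_EXCLUSIONS = ["*wininit.exe*", "*winlogon.exe*"]


def term_matches(value, term):
    """Case-insensitive match of a field value against a search term.

    A term without '*' must equal the whole value; '*' matches any run of
    characters (assumed approximation of the product's wildcard handling).
    """
    if value is None:
        return False
    return fnmatch.fnmatchcase(value.lower(), term.lower())


def unusual_parent_hits(events, process_name, parent_exclusions):
    """Emulate the query shape
        process_name:<name> parent_name:* -parent_name:<t1> -parent_name:<t2> ...
        -(legacy:true OR enriched:true)
    and return the events that would surface as alerts."""
    hits = []
    for ev in events:
        if not term_matches(ev.get("process_name"), process_name):
            continue
        if ev.get("parent_name") is None:  # parent_name:* requires the field to be present
            continue
        if ev.get("legacy") or ev.get("enriched"):  # -(legacy:true OR enriched:true)
            continue
        if any(term_matches(ev["parent_name"], t) for t in parent_exclusions):
            continue
        hits.append(ev)
    return hits


def parents_of(hits):
    """Convenience: list the parent names of the returned events."""
    return [ev["parent_name"] for ev in hits]


if __name__ == "__main__":
    original = unusual_parent_hits(SAMPLE_EVENTS, "services.exe", ORIGINAL_EXCLUSIONS)
    fixed = unusual_parent_hits(SAMPLE_EVENTS, "services.exe", FIXED_EXCLUSIONS)
    print("original query alerts on parents:", parents_of(original))
    print("fixed query alerts on parents:   ", parents_of(fixed))
```

Running it shows the original exclusion list still alerting on the $$deletemewininit.exe* parent (the false positive from the Symptoms section) alongside the genuinely unusual cmd.exe parent, while the wildcard exclusion list alerts only on cmd.exe. The same helper can be pointed at lsass.exe or any other process name the watchlist report covers.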