
Enterprise EDR: Searches on event_description for TCP or UDP connections give odd results

Environment

  • Carbon Black Cloud Console: All Versions
    • Enterprise EDR (was CB ThreatHunter)

Symptoms

Searching for network connections using event_description with the inbound ("accepted a... connection") or outbound ("established a... connection") keyword phrases returns no results.
Examples:
event_description:"accepted a TCP/80 connection from"
event_description:"accepted a UDP/5222 connection from"
event_description:"established a TCP/443 connection to"
event_description:"established a UDP/443 connection to"

Cause

The event_description text is tokenized with its HTML tags included, so a phrase search written against the plain text does not match the stored tokens.

Resolution

A potential fix is being tracked under DSER-24749; watch this article for updates.

Additional Notes

One way to work around this is to break the phrase into smaller chunks joined with AND operators, so every part of the original phrase is still required to match:
event_description:("accepted a" AND "TCP/80" AND "connection from")
event_description:("accepted a" AND "UDP/5222" AND "connection from")
event_description:("established a" AND "TCP/443" AND "connection to")
event_description:("established a" AND "UDP/443" AND "connection to")
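The following is an added example (not Carbon Black's code) that models why the full-phrase query fails and the chunked AND query succeeds. The sample event_description, the tag names (share, accent) and the tokenizer are constructed assumptions: tags are emitted as tokens of their own, which breaks the word adjacency a phrase query relies on.

```python
import re

# Constructed sample event_description with markup wrapped around the values
# (tag names are an assumption, not taken from the article).
SAMPLE_DESCRIPTION = (
    'The application "<share>svchost.exe</share>" established a '
    '<accent>TCP/443</accent> connection to <share>203.0.113.10:443</share>'
)

TAG_RE = re.compile(r"</?[a-z]+[^>]*>")
# Either a whole HTML tag or a run of non-space, non-quote, non-angle characters.
TOKEN_RE = re.compile(r"</?[a-z]+[^>]*>|[^\s\"<>]+")


def tokenize(text: str, strip_tags: bool = False) -> list[str]:
    """Lowercased tokens. With strip_tags=False this models the defect: HTML
    tags become tokens and occupy positions between the rendered words."""
    if strip_tags:
        text = TAG_RE.sub(" ", text)
    return [t.lower() for t in TOKEN_RE.findall(text)]


def phrase_matches(tokens: list[str], phrase: str) -> bool:
    """Positional phrase query: the phrase's tokens must occur consecutively."""
    needle = tokenize(phrase)
    n = len(needle)
    return any(tokens[i:i + n] == needle for i in range(len(tokens) - n + 1))


def chunked_and_matches(tokens: list[str], *phrases: str) -> bool:
    """The workaround: each short phrase must match on its own; adjacency
    between the chunks is not required, so interleaved tag tokens are harmless."""
    return all(phrase_matches(tokens, p) for p in phrases)


if __name__ == "__main__":
    toks = tokenize(SAMPLE_DESCRIPTION)
    print(toks)
    print(phrase_matches(toks, "established a TCP/443 connection to"))             # False
    print(chunked_and_matches(toks, "established a", "TCP/443", "connection to"))  # True
    # Once tags are stripped before indexing, the original phrase matches again.
    print(phrase_matches(tokenize(SAMPLE_DESCRIPTION, strip_tags=True),
                         "established a TCP/443 connection to"))                 # True
```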

Article Information
Creation Date: 09-09-2020