Version

5.2.x

Issue

Watchlists containing cmdline: are returning unexpected results.

Cause

When child processes are suppressed in 5.2 their data becomes "Bundled" with the parent process data. The watchlist looking at all of the process data, including the bundled child process command line, will trigger.

Solution

Although this result is expected, as the data does indeed meet the watchlist query, you can "unbundle" the parent and child process data by disabling the suppression in the sensor groups.

This will result in the two items being separate going forward, so it will not trigger the watchlist, but it will result in more documents being created on the Carbon Black Response server, which will reduce your current retention.