Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: Alerts page searching on device_name field containing hyphens-dashes returns additional alerts for other device names containing hyphens-dashes.

Carbon Black Cloud: Alerts page searching on device_name field containing hyphens-dashes returns additional alerts for other device names containing hyphens-dashes.

Environment

  • Carbon Black Cloud Console: All versions
  • Carbon Black Cloud Sensors: All versions

Symptoms

Searching the Alerts page for device_name: AAA-XYZ returns alerts for any device_name ending in "-XYY" (i.e. BBB-XYZ, CCC-XYZ, etc)

Cause

This is functioning as designed. The alerts page uses Elasticsearch as underlying search engine. This engine requires special characters be escaped, including device_name field

Resolution

  1. To achieve the desired result, place the name of the device in double-quotes as so:
alerts query ->  device_name:"AAA-XYZ"

will only return alerts for AAA-XYZ

 

Additional Notes

The Investigate page's device_name does NOT need escaping, so it is different behavior (due to a different search engine) than the Alerts page.

Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎10-03-2022
Views:
108
Contributors