You can investigate and analyze the details of every event stored in the Carbon Black Cloud, including many failed and successful operations performed by applications and processes on endpoints.

Note: The Processes and Auth Events tabs are only available to Carbon Black Cloud Enterprise EDR customers.

You can collect the data from your search results and, based on the details for your observations and processes, you can take action.

Note: When using a search query including either enriched:true or legacy:true, some data fields can populate with an empty placeholder value. Empty values are unlikely to appear in non-legacy data results.

The Investigate page provides an embedded Search Guide to assist with creating queries. Use advanced search capabilities to find more detailed information on alerts, conduct investigations, and gain visibility into the prevalence of events, observations, and processes reported from your environment.

Value Search

Use complete values when searching. For example, powershell or a trailing wildcard: power*.

Search Fields

Form queries that contain search fields: field:term. For example, parent_name:powershell.exe.

Wildcards

Expand queries using wildcards. ? matches a single character. For example, te?t returns results for "test" and "text". * matches zero or more sequential characters. For example, tes* returns results for "test," "testing," and "tester".

Leading wildcards are assumed in file extension searches. For example, process_name:.exe.

You can use wildcards in a path if you do not quote the value, and if you escape the following special characters with a backslash: + - && || ! ( ) { } [ ] ^ " ~ * ? : / . For example, to search for (1+1):2, type: \(1\+1\)\:2.

Operators

You can refine queries by using operators. Operators must be in uppercase.

  • AND returns results when both terms are present.
  • OR returns results when either term is present.
  • NOT returns results when a term is not present.
Important: Be aware of the implicit "AND"

There is an implicit "AND" even when the operator is not used. In the following examples, BOTH queries work the same and produce identical results.

  • In this example, the "AND" is implied.
    process_name:X process_effective_reputation:X
  • In this example, the "AND" is part of the query.
    process_name:X AND process_effective_reputation:X

Escaping

Slashes, colons, and spaces must be manually escaped, except when using suggestions and filters.

Date/Time Ranges

You can refine queries by using date/time ranges. For example, device_timestamp:[2022-10-25T14:00:00Z TO 2022-10-26T15:00:00Z].

Count Searches

You can refine queries that include counts together with ranges and wildcards.

  • [3 TO *] returns count results starting with a value of 3.

  • [* TO 10] returns count results up to a value of 10.
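The escaping, operator, date/time range and count range rules above are easy to get wrong when queries are assembled in scripts. The following added example (not part of this documentation, and not a Carbon Black SDK API) builds query strings that follow those rules: it escapes the listed special characters, quotes plain values, leaves wildcards live in unquoted paths, and emits ranges in the page's format. The field name netconn_count and the escaping of && and || one character at a time are assumptions.

```python
from datetime import datetime, timezone
from typing import Optional

# Characters the Search Guide says to backslash-escape in unquoted values:
# + - && || ! ( ) { } [ ] ^ " ~ * ? : /  .   plus the space from the Escaping section.
# && and || are escaped one character at a time (assumption; the page lists them
# without showing the escaped form).
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:/. ')


def escape_value(value: str, keep_wildcards: bool = False) -> str:
    """Backslash-escape a literal for an unquoted search term.

    keep_wildcards=True leaves * and ? alone so they act as wildcards, which is the
    "wildcards in an unquoted path" case from the Wildcards section.
    """
    out = []
    for ch in value:
        if ch in SPECIAL_CHARS and not (keep_wildcards and ch in "*?"):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def term(field: str, value: str, wildcard: bool = False) -> str:
    """field:value clause: quoted by default, unquoted and escaped when wildcards are wanted."""
    if wildcard:
        return f"{field}:{escape_value(value, keep_wildcards=True)}"
    quoted = value.replace('"', '\\"')
    return f'{field}:"{quoted}"'


def time_range(field: str, start: datetime, end: datetime) -> str:
    """Inclusive [start TO end] range in the Zulu timestamp format the page shows."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lo, hi = start.astimezone(timezone.utc), end.astimezone(timezone.utc)
    return f"{field}:[{lo.strftime(fmt)} TO {hi.strftime(fmt)}]"


def count_range(field: str, low: Optional[int] = None, high: Optional[int] = None) -> str:
    """Count range; None on either side becomes the open-ended *."""
    return f"{field}:[{'*' if low is None else low} TO {'*' if high is None else high}]"


def build_query(*clauses: str, operator: str = "AND") -> str:
    """Join clauses with an explicit uppercase operator instead of relying on the implicit AND."""
    if operator not in ("AND", "OR"):
        raise ValueError("operators must be uppercase AND or OR")
    return f" {operator} ".join(clauses)


def example_query() -> str:
    """The page's own examples combined: powershell.exe parent, date window, 3 or more netconns."""
    start = datetime(2022, 10, 25, 14, 0, 0, tzinfo=timezone.utc)
    end = datetime(2022, 10, 26, 15, 0, 0, tzinfo=timezone.utc)
    return build_query(term("parent_name", "powershell.exe"),
                       time_range("device_timestamp", start, end),
                       count_range("netconn_count", low=3))
```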