The Investigate page lets you specify a search query. When building your query, you may encounter the enriched search field as a suggestion. Use the improved enriched field to find all enriched sensor data, that is, data that the Carbon Black Cloud Analytics engine has determined to be of interest based on types of behavior that can be associated with malicious activity. When set to true, this field contributes to more accurate search results in the Processes tab. The Enriched Events tab lists enriched events without the need to specify enriched:true in the search query.

You can limit the results to only enriched data from Carbon Black Cloud Endpoint Standard-enabled sensors by including enriched:true in your search query. To include only non-enriched data, add -enriched:true to your search. The Investigate search interface no longer accepts the legacy:true searchable field; you must use the enriched field instead.

To take advantage of the enriched data, enable both the Carbon Black Cloud Endpoint Standard and the Carbon Black Cloud Enterprise EDR solutions.
-enriched:true. You can thereby minimize the false positives and negatives.
| Field | Field | Field |
| --- | --- | --- |
| process_publisher_state | process_elevated | modload_hash |
| process_publisher | process_integrity_level | modload_name |
| process_product_version | process_privileges | modload_publisher |
| process_original_filename | childproc_count | modload_publisher_state |
| process_file_description | crossproc_count | scriptload_content |
| process_product_name | filemod_count | scriptload_content_length |
| process_company_name | netconn_count | scriptload_hash |
| process_internal_name | regmod_count | scriptload_name |
| parent_publisher_state | scriptload_count | scriptload_publisher_state |
| process_service_name | modload_count | |
IOC query excluding enriched data:

process_name:sethc.exe -process_file_description:"Accessibility\shortcut\keys" -process_file_description:"Windows\NT\High\Contrast\Invocation" -enriched:true
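The query above combines three things the page describes: a positive field:value term, negated terms written with a leading "-", and the -enriched:true filter that restricts results to non-enriched data. The following is an added example, not code from the Carbon Black Cloud documentation, of a small Python builder that assembles such Investigate queries from structured input so that the enriched filter can be toggled without retyping the IOC terms. It assumes only the syntax visible on this page; the rule that any value containing characters other than letters, digits, ".", "_" and "-" is wrapped in double quotes is the example's own conservative choice, and the backslash-separated file descriptions are copied verbatim from the query above. Field names are validated and values containing double quotes are rejected, so that a value taken from an external IOC feed cannot splice extra terms into the query.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Field names on this page are lowercase words joined by underscores.
_FIELD_RE = re.compile(r"^[a-z][a-z0-9_]*$")
# Values made only of these characters are emitted bare; anything else is quoted.
# (Assumed quoting rule for this example, not taken from the documentation.)
_BARE_VALUE_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def render_term(name: str, value: str, negate: bool = False) -> str:
    """Render one field:value term, with a leading '-' when negated."""
    if not _FIELD_RE.match(name):
        raise ValueError(f"invalid field name: {name!r}")
    if '"' in value:
        # Refuse rather than try to escape: keeps untrusted IOC values from
        # closing the quoted string and injecting further terms.
        raise ValueError("double quotes in values are not supported")
    if not _BARE_VALUE_RE.match(value):
        value = f'"{value}"'
    return f"{'-' if negate else ''}{name}:{value}"


@dataclass
class InvestigateQuery:
    """Accumulates terms and renders them as one space-separated query."""
    terms: List[str] = field(default_factory=list)
    enriched: Optional[bool] = None  # True: enriched:true, False: -enriched:true

    def where(self, name: str, value: str) -> "InvestigateQuery":
        self.terms.append(render_term(name, value))
        return self

    def where_not(self, name: str, value: str) -> "InvestigateQuery":
        self.terms.append(render_term(name, value, negate=True))
        return self

    def only_enriched(self) -> "InvestigateQuery":
        self.enriched = True
        return self

    def only_non_enriched(self) -> "InvestigateQuery":
        self.enriched = False
        return self

    def render(self) -> str:
        parts = list(self.terms)
        if self.enriched is True:
            parts.append("enriched:true")
        elif self.enriched is False:
            parts.append("-enriched:true")
        return " ".join(parts)


def sticky_keys_ioc_query(enriched: bool) -> str:
    """The page's sethc.exe IOC query, parameterised on the enriched filter.

    The two excluded file descriptions are the legitimate Windows accessibility
    binaries; a sethc.exe without either description is the thing to look at.
    """
    q = (InvestigateQuery()
         .where("process_name", "sethc.exe")
         .where_not("process_file_description", r"Accessibility\shortcut\keys")
         .where_not("process_file_description", r"Windows\NT\High\Contrast\Invocation"))
    return (q.only_enriched() if enriched else q.only_non_enriched()).render()


if __name__ == "__main__":
    print(sticky_keys_ioc_query(enriched=False))
    print(sticky_keys_ioc_query(enriched=True))
```

Calling sticky_keys_ioc_query(enriched=False) reproduces the query above exactly; passing enriched=True yields the same IOC terms with the enriched:true filter instead, which is the variant to run when only Endpoint Standard-enriched results are wanted.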