You can investigate and analyze the details of every observation stored in the Carbon Black Cloud, including both failed and successful operations performed by applications and processes on endpoints.
- Tabs do not display on the Investigate page for Carbon Black Cloud Endpoint Standard-only customers. The default view is Observations.
- The Observations, Processes, and Auth Events tabs are only available for Carbon Black Cloud Enterprise EDR customers.
- As of 26 September 2023, the Enriched Events tab has been removed from the console and replaced by Observations.
You can collect data from your search results and take action based on the details of the observations and processes you find.
The Investigate page provides an embedded Search Guide to assist with creating queries. Use advanced search capabilities to find more detailed information on alerts, conduct investigations, and gain visibility into the prevalence of events, observations, and processes reported from your environment. See also Advanced Search Techniques in the main section of the user guide.
Value Search
Use complete values when searching, for example powershell, or a trailing wildcard, for example power*.
Search Fields
Form queries that contain search fields, in the form field:term. For example, parent_name:powershell.exe.
Wildcards
Expand queries using wildcards. ? matches a single character; for example, te?t returns results for "test" and "text". * matches zero or more sequential characters; for example, tes* returns results for "test", "testing", and "tester".
Leading wildcards are assumed in file extension searches. For example, process_name:.exe matches any process name that ends in .exe.
Wildcards work inside a path only when the value is not quoted (quoting a value disables wildcard matching) and every other special character in the value is escaped with a backslash. The special characters are: + - && || ! ( ) { } [ ] ^ " ~ * ? : / Escape * and ? themselves only when you need them as literal characters rather than wildcards. For example, to search for the literal string (1+1):2, type \(1\+1\)\:2.
Operators
You can refine queries by using operators. Operators must be in uppercase; lowercase and, or, and not are treated as ordinary search terms.
- AND returns results when both terms are present.
- OR returns results when either term is present.
- NOT returns results when a term is not present.
There is an implicit AND between terms even when the operator is not written. The following two queries produce identical results.
- With the AND implied: process_name:X process_effective_reputation:X
- With the AND written out: process_name:X AND process_effective_reputation:X
Escaping
Slashes, colons, and spaces must be manually escaped, except when using suggestions and filters.
Date/Time Ranges
You can refine queries by using date/time ranges. For example, device_timestamp:[2022-10-25T14:00:00Z TO 2022-10-26T15:00:00Z] returns results with a device timestamp within that window (inclusive).
Count Searches
You can refine queries on count fields by combining them with ranges and wildcards. Range bounds are inclusive, and * stands for an open end.
- [3 TO *] returns results whose count is 3 or greater.
- [* TO 10] returns results whose count is 10 or less.
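The escaping, operator, date/time range, and count range rules above are easy to get wrong by hand, especially for Windows paths that contain colons and backslashes. The following helper, added here as an example and not part of the Carbon Black Cloud documentation, console, or SDK, builds queries that follow those rules. Field names (process_name, parent_name, device_timestamp) are taken from the text; every function name is ours. One assumption beyond the page: a literal backslash is escaped the same way as the listed characters, which is what Windows paths in an unquoted value need.

```python
"""Compose Carbon Black Cloud Investigate queries per the syntax rules above.

Added example for this page; not Carbon Black's own code. Assumption: a
literal backslash is backslash-escaped like the listed special characters.
"""
import re
from datetime import datetime, timezone
from typing import List, Optional

# Characters the page lists as needing a backslash in an unquoted value,
# plus space (Escaping section) and backslash (our assumption, see above).
# The two-character operators && and || are covered by escaping each char.
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:/ \\')
WILDCARDS = {'*', '?'}


def escape_value(value: str, keep_wildcards: bool = False) -> str:
    """Backslash-escape special characters so the value is matched literally.

    With keep_wildcards=True, '*' and '?' pass through unescaped so the
    caller can use them as wildcards (power*, te?t) while everything else
    in the value is still escaped.
    """
    out = []
    for ch in value:
        if keep_wildcards and ch in WILDCARDS:
            out.append(ch)
        elif ch in SPECIAL_CHARS:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def term(field: str, value: str, keep_wildcards: bool = False) -> str:
    """A field:term clause with the value escaped per the Escaping rules."""
    return f"{field}:{escape_value(value, keep_wildcards)}"


def _utc(ts: datetime) -> str:
    # Ranges use the Z-suffixed UTC form shown in the Date/Time Ranges example;
    # pass timezone-aware datetimes so the conversion is unambiguous.
    return ts.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')


def date_range(field: str, start: datetime, end: datetime) -> str:
    """Inclusive [start TO end] range on a timestamp field."""
    return f"{field}:[{_utc(start)} TO {_utc(end)}]"


def count_range(field: str, low: Optional[int] = None,
                high: Optional[int] = None) -> str:
    """Inclusive numeric range; None on either side becomes the open end '*'."""
    lo = '*' if low is None else str(low)
    hi = '*' if high is None else str(high)
    return f"{field}:[{lo} TO {hi}]"


def and_(*clauses: str) -> str:
    return ' AND '.join(clauses)


def or_(*clauses: str) -> str:
    # Parenthesise so the OR group binds correctly inside an (implicit or
    # explicit) AND with neighbouring clauses.
    return '(' + ' OR '.join(clauses) + ')'


def not_(clause: str) -> str:
    return 'NOT ' + clause


_LOWERCASE_OP = re.compile(r'(?<!\S)(and|or|not)(?!\S)')


def lowercase_operators(query: str) -> List[str]:
    """Lint: bare lowercase and/or/not would be searched as terms, not operators."""
    return _LOWERCASE_OP.findall(query)


def example_query() -> str:
    """PowerShell not launched from explorer.exe or cmd.exe, within one day."""
    start = datetime(2022, 10, 25, 14, 0, 0, tzinfo=timezone.utc)
    end = datetime(2022, 10, 26, 15, 0, 0, tzinfo=timezone.utc)
    return and_(
        term('process_name', 'powershell.exe'),
        not_(or_(term('parent_name', 'explorer.exe'),
                 term('parent_name', 'cmd.exe'))),
        date_range('device_timestamp', start, end),
    )


if __name__ == '__main__':
    print(example_query())
    # A Windows path: colon and backslashes are escaped, the rest is literal.
    print(term('process_name', r'c:\windows\system32\cmd.exe'))
```

Quoting is the alternative to escaping when a value needs no wildcards; this helper takes the escaping route so that keep_wildcards=True can leave * and ? active inside an otherwise escaped path.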