The Investigate page lets you specify a search query. When building your query, the enriched search field can appear as a suggestion. Use the enriched field to find all sensor data that the Carbon Black Cloud Analytics engine has enriched (that is, data determined to be of interest based on types of behavior that can be associated with malicious activity). When set to true, this field contributes to more accurate search results in the Processes tab. The Enriched Events tab lists enriched events without the need to specify enriched:true in the search query.

You can limit the results to only enriched data from sensors with Carbon Black Cloud Endpoint Standard enabled by including enriched:true in your search query. To include only non-enriched data, add -enriched:true to your search. The Investigate search interface no longer accepts the legacy:true searchable field; use the enriched field instead.

To take advantage of the enriched data, enable both Carbon Black Cloud Endpoint Standard and Carbon Black Cloud Enterprise EDR.

Important: When working with Indicators of Compromise (IOCs) such as hashes, IPs, domains, or queries, it is a best practice to exclude the enriched data. If your IOC query includes any of the following process fields, exclude the enriched segments by adding -enriched:true to the query. This minimizes false positives and false negatives.

process_publisher_state
process_publisher
process_product_version
process_original_filename
process_file_description
process_product_name
process_company_name
process_internal_name
parent_publisher_state
process_service_name
process_elevated
process_integrity_level
process_privileges
childproc_count
crossproc_count
filemod_count
netconn_count
regmod_count
scriptload_count
modload_count
modload_hash
modload_name
modload_publisher
modload_publisher_state
scriptload_content
scriptload_content_length
scriptload_hash
scriptload_name
scriptload_publisher_state

IOC query excluding enriched data:

process_name:sethc.exe -process_file_description:"Accessibility\ shortcut\ keys" -process_file_description:"Windows\ NT\ High\ Contrast\ Invocation" -enriched:true
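The following is an added example, not part of the Carbon Black Cloud documentation, that turns the best practice above into a check you can run over IOC queries before saving them: it lists the clauses in a query, reports which of the enriched process fields from the table appear in it, and appends -enriched:true when an enriched field is used and the exclusion is missing. The field list is taken from the page; the function names (query_clauses, enriched_fields_used, excludes_enriched, harden_ioc_query) and the clause-parsing regexes are this example's own assumptions about the query syntax (field:value clauses, a leading - for negation, backslash-escaped spaces inside quoted values), not an API of the product.

```python
import re

# Process fields whose values come from Endpoint Standard enrichment (the page's table).
# An IOC query that uses any of them should also carry -enriched:true.
ENRICHED_PROCESS_FIELDS = frozenset({
    "process_publisher_state", "process_publisher", "process_product_version",
    "process_original_filename", "process_file_description", "process_product_name",
    "process_company_name", "process_internal_name", "parent_publisher_state",
    "process_service_name", "process_elevated", "process_integrity_level",
    "process_privileges", "childproc_count", "crossproc_count", "filemod_count",
    "netconn_count", "regmod_count", "scriptload_count", "modload_count",
    "modload_hash", "modload_name", "modload_publisher", "modload_publisher_state",
    "scriptload_content", "scriptload_content_length", "scriptload_hash",
    "scriptload_name", "scriptload_publisher_state",
})

# Assumed syntax: quoted values may contain backslash escapes (e.g. "\ " for a space);
# a clause is an optional "-" followed by field:value, at the start or after whitespace/"(".
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
_CLAUSE = re.compile(r'(?:^|(?<=[\s(]))(-?)([A-Za-z_][\w.]*):')
_EXCLUSION = re.compile(r'(?:^|(?<=\s))-enriched:true(?!\S)')


def query_clauses(query):
    """Return (negated, field) pairs for every field:value clause outside quoted values."""
    unquoted = _QUOTED.sub('""', query)  # blank out quoted values so "x:y" inside them is ignored
    return [(neg == "-", field) for neg, field in _CLAUSE.findall(unquoted)]


def enriched_fields_used(query):
    """Sorted list of enriched process fields the query references."""
    return sorted({field for _, field in query_clauses(query) if field in ENRICHED_PROCESS_FIELDS})


def excludes_enriched(query):
    """True if the query already excludes enriched segments with -enriched:true."""
    return _EXCLUSION.search(query) is not None


def harden_ioc_query(query):
    """Append -enriched:true when an enriched field is used and the exclusion is missing."""
    if enriched_fields_used(query) and not excludes_enriched(query):
        return query.rstrip() + " -enriched:true"
    return query


if __name__ == "__main__":
    # The page's IOC query with the exclusion left off, as a constructed input.
    sample = ('process_name:sethc.exe -process_file_description:"Accessibility\\ shortcut\\ keys" '
              '-process_file_description:"Windows\\ NT\\ High\\ Contrast\\ Invocation"')
    print("enriched fields:", enriched_fields_used(sample))
    print("hardened query: ", harden_ioc_query(sample))
```

A query that only uses non-enriched fields (for example process_name together with a hash field) is returned unchanged, and a query that already ends in -enriched:true is not modified a second time.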