You can search for multiple IOCs by using bulk search criteria in both the Process Search and Binary Search pages.

Although you could just enter a chain of “ORed” terms, Carbon Black EDR provides special interfaces for bulk searches that do this for you when given a list of terms. You can type or paste multiple terms into a bulk search text box, following these syntax requirements:

  • Each term must be on its own line.

  • No punctuation is required or allowed (for example, no comma-separated lists or parentheses).

  • You must use the “ipaddr:” prefix to successfully use a list of IP addresses in a bulk search.

  • For most other types of data, such as md5, prefixes are optional but more efficient. See See Fields in Process and Binary Searches for a table of search criteria types and their prefixes.

If a bulk search is initiated using terms without prefixes, the search is treated as a generic text search and will match the terms listed to any field. In the case of IP addresses without the “ipaddr” prefix, the search will fail because the terms are dealt with as individual numbers rather than four-part addresses.

Bulk IOC searches can be added to other search criteria or used as the only criteria for a search.

Search with Multiple (Bulk) Criteria on the Process Search Page

Perform the following procedure to do a bulk IOC search on the Process Search page.

Procedure

  1. On the navigation bar, click Process Search.
  2. On the Process Search page, unless you have already entered some terms to include in your search, click the Reset Search button under the search box to start with a fresh search.
  3. Click Add Search Terms. Click the Choose Criteria drop-down menu and click Bulk IOC > IOCs.
  4. In the text box, type or paste the list of IOCs to search for, making sure they meet the syntax requirements described in this section.
    cbr-search-process-bulk
  5. For most search criteria, you are probably interested in records that match one of the items on your list; however, you also can choose to get results that do not match your terms. Use the is / is not toggle in the dialog to make this choice.
  6. To include additional search criteria, click the Add search term link.
  7. When you have finished defining your search, click the Add terms button.
    Your search is initiated and the results (if any) are shown in the table on the Process Search page. If necessary, you can continue to refine your search by using the search facet tables or you can manually enter terms.

Search with Multiple (Bulk) Criteria on the Binary Search Page

Perform the following procedure to do a bulk IOC search on the Binary Search page

Procedure

  1. On the navigation bar, click Binary Search.
  2. On the Binary Search page, unless you have already entered some terms to include in your search, click the Reset Search Terms button to start with a fresh search.
  3. Click the Add Criteria dropdown menu and, under Bulk search, select IOCs.
  4. In the text box, type or paste the list of IOCs to search for, making sure they meet the syntax requirements described in this section.
  5. Click Update to apply the search terms.
    Your search is initiated and any results are shown in the table on the Binary Search page. If necessary, you can continue to refine your search using the search facet tables or by manually entering terms.