This parameter determines whether symbols identified in SolrProcCmdlineSearchSymbols are whitespaced during indexing.

When indexing a process event in Solr, Carbon Black EDR whitespaces certain symbols in the cmdline field. When the SolrEnableProcCmdlineSearchWithSymbols parameter is enabled, the symbols listed in SolrProcCmdlineSearchSymbols are kept during indexing and can be searched for.

For example, for this query:

(process_name:cmd.exe cmdline:echo (cmdline:&& OR cmdline:&) filemod_count:[1 TO *])

If SolrEnableProcCmdlineSearchWithSymbols=True and SolrProcCmdlineSearchSymbols="&", then "&&" and "&" will not be whitespaced during indexing and are subsequently available for a query.

If SolrEnableProcCmdlineSearchWithSymbols=False, then values in SolrProcCmdlineSearchSymbols are ignored.

Default: False

Note:
  • New in version 7.8.0
  • This setting is only applicable for cmdline and fileless_scriptload_cmdline.
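
The effect of the two settings on the cmdline part of the query above, as an added example that is not Carbon Black EDR code. It uses a simplified model of whitespacing; the tokenizer rules, function names and sample command lines are assumptions constructed for illustration.

```python
# Simplified model (an assumption), not Carbon Black EDR's actual Solr analyzer:
# a symbol that is "whitespaced" is replaced by a space before the cmdline is
# split into tokens, so it never reaches the index.
WORD_CHARS = set("._")  # assumed: kept inside tokens besides letters and digits


def index_cmdline(cmdline, enable_symbols=False, search_symbols=""):
    """Return the tokens the modelled index holds for one cmdline value."""
    # With the enable flag False, the configured symbol list is ignored.
    keep = set(search_symbols) if enable_symbols else set()
    chars = []
    for ch in cmdline.lower():
        if ch.isalnum() or ch in WORD_CHARS or ch in keep:
            chars.append(ch)
        else:
            chars.append(" ")  # whitespaced
    return set("".join(chars).split())


def query_hits(cmdline, **cfg):
    """Model of: cmdline:echo AND (cmdline:&& OR cmdline:&)."""
    tokens = index_cmdline(cmdline, **cfg)
    return "echo" in tokens and ("&&" in tokens or "&" in tokens)


# Constructed sample command lines (not taken from real telemetry).
SAMPLES = [
    "cmd.exe /c echo test && del out.txt",
    "cmd.exe /c echo start & notepad.exe",
    "cmd.exe /c echo hello",
]


def hits(**cfg):
    """Sample command lines the modelled query returns under a given config."""
    return [c for c in SAMPLES if query_hits(c, **cfg)]


if __name__ == "__main__":
    configs = [
        ("default (False)", {}),
        ("True, symbols='&'", {"enable_symbols": True, "search_symbols": "&"}),
        ("False, symbols='&'", {"enable_symbols": False, "search_symbols": "&"}),
    ]
    for label, cfg in configs:
        print(f"{label}: {hits(**cfg)}")
```

In this model, events indexed while the parameter is False hold no "&" or "&&" token, so the query returns nothing for them even though the command lines contained the operators.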