[BUG] Alerts of type watchlist.hit.query.* from My Watchlists Feed Occasionally Missing ioc_attr and ioc_value Data Members #259

Open
jjfallete opened this issue Jul 29, 2020 · 0 comments
jjfallete commented Jul 29, 2020

I am seeing this behaviour on: (please complete the following information):

  • OS: Windows
  • Carbon Black Product: CB EDR (Response)
  • Python Version: 2.7

Describe the bug
Some alerts from the "My Watchlists" feed_name contain neither an ioc_attr nor an ioc_value data member.

Steps to Reproduce
Steps to reproduce the behavior (Provide a log message if relevant):

Create watchlist named "Suspicious Symbolic Link Write" with query:

cb.urlver=1&q=filemod:.slk AND -process_name:fakeprocess.exe AND -(path:e:\fakeprocess*\fakeprocess1.exe AND hostname:fakehost*) AND -(path:c:\program\ files*\fake\ process\ test\cb\ query\fakeprocess2.exe)

Wait for an alert to come in.

Query the alert:

from cbapi.response import CbResponseAPI, Alert

# Connect using the default cbapi credential profile
cb = CbResponseAPI()
# Pull every unresolved alert and stop at the first one raised by the watchlist
alerts = cb.select(Alert).where("status:Unresolved")
for alert in alerts:
    if 'Suspicious Symbolic Link Write' in alert.watchlist_name:
        print(str(alert))
        break

Notice that neither an ioc_attr nor an ioc_value data member is present in the output.

Expected behavior
ioc_attr would return with something like:

['PREPREPREprocess.exePOSTPOSTPOST']

ioc_value would return with something like:

{"index_type":"events","search_query":"cb.urlver=1&q=filemod%3A.slk%20AND%20-process_name%3Afakeprocess.exe%20AND%20-%28path%3Ae%3A%5Cfakeprocess%2A%5Cfakeprocess1.exe%20AND%20hostname%3Afakehost%2A%29%20AND%20-%28path%3Ac%3A%5Cprogram%5C%20files%2A%5Cfake%5C%20process%5C%20test%5Ccb%5C%20query%5Cfakeprocess2.exe%29"}

Screenshots
N/A

Additional context
N/A
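A defensive consumer of these alert documents, added here as an example and not code from the issue or the cbapi project: it works on the raw alert dict (constructed samples, not real API output) so it runs without cbapi, treats a missing ioc_attr/ioc_value as a triage condition instead of an exception, and decodes the URL-encoded watchlist query that ioc_value carries.

```python
import json
from urllib.parse import parse_qs

# Constructed sample alert documents (not real API output). The first carries
# the IOC members the reporter expects; the second is missing both, as in the bug.
ALERT_WITH_IOC = {
    "watchlist_name": "Suspicious Symbolic Link Write",
    "feed_name": "My Watchlists",
    "ioc_attr": ["PREPREPREprocess.exePOSTPOSTPOST"],
    "ioc_value": json.dumps({
        "index_type": "events",
        "search_query": "cb.urlver=1&q=filemod%3A.slk%20AND%20"
                        "-process_name%3Afakeprocess.exe",
    }),
}
ALERT_MISSING_IOC = {
    "watchlist_name": "Suspicious Symbolic Link Write",
    "feed_name": "My Watchlists",
}


def extract_ioc(alert):
    """Return (ioc_attr, watchlist_query) for one alert document.

    ioc_attr is the list of matched attributes (empty when absent) and
    watchlist_query is the decoded q= part of ioc_value's search_query, or
    None when the alert carries no usable ioc_value. Nothing here raises on
    the missing-member case described in the issue.
    """
    ioc_attr = alert.get("ioc_attr") or []
    raw = alert.get("ioc_value")
    if not raw:
        return ioc_attr, None
    try:
        value = json.loads(raw) if isinstance(raw, str) else raw
    except ValueError:
        return ioc_attr, None
    # search_query is itself a URL-encoded query string: cb.urlver=1&q=...
    params = parse_qs(value.get("search_query", ""), keep_blank_values=True)
    return ioc_attr, params.get("q", [None])[0]


def triage(alerts):
    """Split alerts into those with usable IOC data and those whose watchlist
    definition must be looked up separately (the symptom this issue reports)."""
    complete, incomplete = [], []
    for alert in alerts:
        attr, query = extract_ioc(alert)
        bucket = complete if query is not None else incomplete
        bucket.append((alert.get("watchlist_name"), attr, query))
    return complete, incomplete
```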
