I am seeing this behaviour on: (please complete the following information):
OS: Windows
Carbon Black Product: CB EDR (Response)
Python Version: 2.7
Describe the bug
Some alerts from the "My Watchlists" feed_name contain neither an ioc_attr nor an ioc_value data member.
Steps to Reproduce
Steps to reproduce the behavior (Provide a log message if relevant):
Create watchlist named "Suspicious Symbolic Link Write" with query:
cb.urlver=1&q=filemod:.slk AND -process_name:fakeprocess.exe AND -(path:e:\fakeprocess*\fakeprocess1.exe AND hostname:fakehost*) AND -(path:c:\program\ files*\fake\ process\ test\cb\ query\fakeprocess2.exe)
Wait for an alert to come in.
Query the alert:
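from cbapi.response import CbResponseAPI, Alert

# Connect using the default cbapi credential profile
cb = CbResponseAPI()
alerts = cb.select(Alert).where("status:Unresolved")
# Print the first unresolved alert raised by the watchlist
for alert in alerts:
    if 'Suspicious Symbolic Link Write' in alert.watchlist_name:
        print(str(alert))
        break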
Notice that neither an ioc_attr nor an ioc_value data member is present in the output.
Expected behavior
ioc_attr would return with something like:
ioc_value would return with something like:
Screenshots
N/A
Additional context
N/A
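Added example, not part of the original report or of cbapi: a small audit that lists which alerts lack ioc_attr or ioc_value, grouped by watchlist_name, so downstream triage code can skip or flag them instead of failing on a missing member. It works on plain dicts; the sample alerts are constructed, and the `unique_id` key is an assumption used only to label each alert.

```python
from collections import defaultdict

IOC_FIELDS = ("ioc_attr", "ioc_value")

# Constructed sample alerts (not real Carbon Black output). Field names come
# from the issue above; "unique_id" is an assumed key used as a label.
SAMPLE_ALERTS = [
    {"unique_id": "a-1", "feed_name": "My Watchlists",
     "watchlist_name": "Suspicious Symbolic Link Write", "status": "Unresolved"},
    {"unique_id": "a-2", "feed_name": "My Watchlists",
     "watchlist_name": "Suspicious Symbolic Link Write", "status": "Unresolved",
     "ioc_attr": "{}", "ioc_value": "constructed-value"},
    {"unique_id": "a-3", "feed_name": "My Watchlists",
     "watchlist_name": "Another Watchlist", "status": "Unresolved",
     "ioc_attr": "{}", "ioc_value": ""},
]


def missing_ioc_fields(alert):
    """Return the IOC field names that are absent or empty in one alert dict."""
    return [f for f in IOC_FIELDS if not alert.get(f)]


def audit_alerts(alerts):
    """Group alerts lacking IOC fields by watchlist_name.

    Returns {watchlist_name: [(unique_id, [missing fields]), ...]}.
    """
    report = defaultdict(list)
    for alert in alerts:
        missing = missing_ioc_fields(alert)
        if missing:
            name = alert.get("watchlist_name", "<no watchlist_name>")
            report[name].append((alert.get("unique_id"), missing))
    return dict(report)


if __name__ == "__main__":
    for name, items in sorted(audit_alerts(SAMPLE_ALERTS).items()):
        print("%s: %d alert(s) without full IOC data" % (name, len(items)))
        for uid, missing in items:
            print("  %s missing %s" % (uid, ", ".join(missing)))
```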