ATP or SEDR reports that a STIX file is invalid when it contains Fuzzy_Hash_Value entries.

Article ID: 171795

Products

Endpoint Detection and Response
Advanced Threat Protection Platform

Issue/Introduction

When a STIX file is uploaded for an Entity search, the upload is rejected with an error stating that the STIX file is invalid. You may also see a warning stating that the file contains invalid objects.

Error in expression: STIX file invalid. Upload a valid STIX file.

Warning in expression: SEDR only supports file hash queries. Unsupported objects were detected in the file and not included in the query.

Cause

These errors are caused by 'Fuzzy_Hash_Value' entries in the STIX file. SEDR does not support searches on fuzzy hashes, only on file hash values.

Resolution

Starting with ATP 3.2, the ATP/SEDR software ignores Fuzzy_Hash_Value entries in STIX files instead of rejecting the file. If any are found, the remaining file hashes are still queried and you receive the warning quoted above: "SEDR only supports file hash queries. Unsupported objects were detected in the file and not included in the query."
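For versions before ATP 3.2, or to see exactly which entries the upload will drop, the following pre-upload check is an added example (not Symantec's code): it lists the Fuzzy_Hash_Value entries in a STIX 1.x file and strips them so that only Simple_Hash_Value entries, which SEDR can query, remain. The sample package and its hash values are constructed for the example; the namespace URIs are the published STIX 1 / CybOX 2 ones.

```python
import xml.etree.ElementTree as ET

NS = {"stix": "http://stix.mitre.org/stix-1", "cybox": "http://cybox.mitre.org/cybox-2",
      "cyboxCommon": "http://cybox.mitre.org/common-2",
      "FileObj": "http://cybox.mitre.org/objects#FileObject-2"}
for _prefix, _uri in NS.items():  # keep the usual prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

# Constructed sample: one file observable with a SHA-256 (empty-string digest as placeholder) and a made-up ssdeep value.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-1">
  <stix:Observables cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:Observable-1"><cybox:Object id="example:Object-1">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:Hashes>
          <cyboxCommon:Hash><cyboxCommon:Type>SHA256</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
          <cyboxCommon:Hash><cyboxCommon:Type>SSDEEP</cyboxCommon:Type>
            <cyboxCommon:Fuzzy_Hash_Value>3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C</cyboxCommon:Fuzzy_Hash_Value>
          </cyboxCommon:Hash>
        </FileObj:Hashes>
      </cybox:Properties>
    </cybox:Object></cybox:Observable>
  </stix:Observables>
</stix:STIX_Package>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace-uri} ElementTree prepends to tag names


def find_fuzzy_hashes(xml_text):
    """Return every Fuzzy_Hash_Value in document order, regardless of namespace prefix."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "Fuzzy_Hash_Value"]


def strip_fuzzy_hashes(xml_text):
    """Remove Fuzzy_Hash_Value entries; return (cleaned_xml, number_removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for parent in list(root.iter()):  # snapshot: the tree is mutated while walking it
        for hash_el in [c for c in parent if _local(c.tag) == "Hash"]:
            for fuzzy in [c for c in hash_el if _local(c.tag) == "Fuzzy_Hash_Value"]:
                hash_el.remove(fuzzy)
                removed += 1
            if not any(_local(c.tag) == "Simple_Hash_Value" for c in hash_el):
                parent.remove(hash_el)  # nothing queryable left in this <Hash>, drop it whole
    return ET.tostring(root, encoding="unicode"), removed
```

Run `find_fuzzy_hashes` on the file first to see what will be dropped, then upload the output of `strip_fuzzy_hashes` instead of the original.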