CB Response: Watchlists Malformed Syntax in Search Query when Created with Add Criteria

Article ID: 284971

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The console shows the error "Watchlists malformed syntax in search query".
  • Newly created watchlists report the error and do not run.
  • The affected watchlist's query begins with cb.q.<term>= instead of q=
  • Error messages in /var/log/cb/job-runner/job-runner.log:
2019-12-31 00:02:20 [18239] <err>  [watchlist_search] Watchlist Tamper Detection (1763) exception
Traceback (most recent call last):
  File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/cb/maintenance/jobs/watchlist_searcher.py", line 123, in execute
  File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/cb/maintenance/jobs/watchlist_searcher.py", line 235, in _query_solr
  File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/cb/maintenance/jobs/watchlist_searcher.py", line 292, in _query_solr_single_step
KeyError: 'q'

Environment

  • Carbon Black Response Console: 6.3.0 to 6.4.1

Cause

Creating a watchlist from the Binary Search page after building the query with the "+Add Criteria" drop-down saves the query with incorrect syntax: the field is stored as a cb.q.<term>= parameter instead of a q=<term>:<value> term, so the job runner cannot find the q parameter (the KeyError: 'q' shown above) and the watchlist fails to run.
Example: cb.q.md5=aaed7e24d066c5ce492ec6efd438c509&cb.urlver=1

Resolution

  1. To correct an existing watchlist, edit its query on the Watchlists page, changing each cb.q.<term>=<value> parameter to q=<term>:<value>. Using the example above:
    • Example: cb.q.md5=aaed7e24d066c5ce492ec6efd438c509
      To: q=md5:aaed7e24d066c5ce492ec6efd438c509
  2. Upgrade to server version 6.5.0 so that new watchlists are created with the correct syntax.
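When a server has many watchlists built with Add Criteria, editing them one at a time is tedious, and the job-runner log only names one failing watchlist per exception. The following Python is an added example (not from this article or from Carbon Black) that applies the same rewrite mechanically: it flags any search_query that uses cb.q.<term>= parameters or lacks a q= parameter, and rewrites the cb.q.<term>=<value> pairs into a single q=<term>:<value> term while preserving cb.urlver=1 and any other parameters. The watchlist records are constructed inline in the shape of the objects the CB Response REST API returns from GET /api/v1/watchlist; fetching them from the server and writing the corrected search_query back with PUT /api/v1/watchlist/<id> is assumed and not exercised here.

```python
"""Detect and rewrite malformed CB Response watchlist queries (cb.q.<term>=... form).

Added example. The sample watchlist records below are constructed, not real data.
"""
from urllib.parse import parse_qsl, urlencode

MALFORMED_PREFIX = "cb.q."


def parse_search_query(search_query):
    """Split a watchlist search_query string into (key, value) pairs."""
    return parse_qsl(search_query, keep_blank_values=True)


def is_malformed(search_query):
    """True if the query uses cb.q.<field>= parameters or has no q= parameter at all.

    Either condition leaves the job runner without a 'q' key to look up,
    which is the KeyError: 'q' seen in job-runner.log.
    """
    keys = [key for key, _ in parse_search_query(search_query)]
    return "q" not in keys or any(key.startswith(MALFORMED_PREFIX) for key in keys)


def fix_search_query(search_query):
    """Rewrite cb.q.<field>=<value> parameters into one q=<field>:<value> ... parameter.

    Any existing q= terms are kept and merged with the converted ones; every
    other parameter (for example cb.urlver=1) is preserved in its original order.
    """
    terms = []
    other_params = []
    for key, value in parse_search_query(search_query):
        if key == "q":
            terms.append(value)
        elif key.startswith(MALFORMED_PREFIX):
            field = key[len(MALFORMED_PREFIX):]
            terms.append(f"{field}:{value}")
        else:
            other_params.append((key, value))
    if not terms:
        raise ValueError(f"no query terms found in {search_query!r}")
    # Multiple terms are joined with spaces, exactly as they would be typed
    # into the search bar. safe=":" keeps the field:value separator readable,
    # matching the q=md5:<hash> form shown in the article.
    fixed = [("q", " ".join(terms))] + other_params
    return urlencode(fixed, safe=":")


def audit_watchlists(watchlists):
    """Return [(id, name, original_query, fixed_query)] for every malformed watchlist.

    fixed_query is None when the query holds no terms at all, since there is
    nothing to rewrite and the watchlist needs a human to supply a query.
    """
    findings = []
    for watchlist in watchlists:
        query = watchlist.get("search_query", "")
        if not is_malformed(query):
            continue
        try:
            fixed = fix_search_query(query)
        except ValueError:
            fixed = None
        findings.append((watchlist["id"], watchlist["name"], query, fixed))
    return findings


# Constructed records in the shape of GET /api/v1/watchlist output (assumed API).
SAMPLE_WATCHLISTS = [
    {"id": 1763, "name": "Tamper Detection",
     "search_query": "cb.q.md5=aaed7e24d066c5ce492ec6efd438c509&cb.urlver=1"},
    {"id": 1764, "name": "Unsigned binary by hash",
     "search_query": "cb.q.md5=aaed7e24d066c5ce492ec6efd438c509"
                     "&cb.q.digsig_result=Unsigned&cb.urlver=1"},
    {"id": 1765, "name": "Typed manually (correct)",
     "search_query": "q=md5:aaed7e24d066c5ce492ec6efd438c509&cb.urlver=1"},
]


if __name__ == "__main__":
    for watchlist_id, name, original, fixed in audit_watchlists(SAMPLE_WATCHLISTS):
        print(f"[{watchlist_id}] {name}")
        print(f"  was: {original}")
        print(f"  fix: {fixed}")
```

Only the watchlists whose query still uses cb.q.<term>= are reported; the manually typed one passes untouched. The rewritten string is what you would paste into the watchlist's query on the Watchlists page, or send back through the API, before or instead of upgrading to 6.5.0.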

Additional Information

  • Fixed in server version 6.5.0 - CB-27062
  • Workaround for 6.3.0 to 6.4.1:
    • Create new watchlists by typing the search terms manually (for example md5:aaed7e24d066c5ce492ec6efd438c509) instead of using the Add Criteria drop-down.