EDR: Watchlists Malformed Syntax in Search Query when Created From Threat Intel Feed
Article ID: 287258


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The console shows a "malformed syntax in search query" error for the watchlist.
  • Newly created watchlists raise this error and never run.
  • The affected watchlist queries begin with cb.q.<term>= instead of q=<term>:

Environment

  • EDR Server: 6.5.2 and Higher

Cause

Creating a watchlist from an active Threat Intel Feed generates a query with incorrect search syntax: the feed's search term is written as a cb.q.<term>=<value> URL parameter instead of the q=<term>:<value> form the search backend expects.
Example: cb.q.alliance_score_cbtamper=[50 TO 100]&cb.urlver=1

Resolution

To correct an existing watchlist, edit the query on the watchlist page. Using the example above, change cb.q.<term>=<value> to q=<term>:<value> (note the colon between term and value) and keep the remaining parameters such as cb.urlver=1:
  • Example: cb.q.alliance_score_cbtamper=[50 TO 100]&cb.urlver=1
    To: cb.urlver=1&q=alliance_score_cbtamper:[50 TO 100]
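The rewrite described in the Cause and Resolution sections can be checked and applied programmatically when many feed-created watchlists are affected. The following is an added example, not code from this article or from Carbon Black: it detects queries that carry cb.q.<term> parameters and rebuilds them in the q=<term>:<value> form shown above, preserving every other parameter (cb.urlver=1 and any others). It accepts both the raw form shown in this article and the percent-encoded form. The sample watchlist records, the "search_query" field name, and the rule that several search terms are joined with a space (implicit AND) are assumptions made for the example; submitting the corrected query back to the server is left to the operator.

```python
from urllib.parse import parse_qsl

# Prefix the feed-created watchlists emit by mistake (from the article).
MALFORMED_PREFIX = "cb.q."


def malformed_terms(query: str) -> list[tuple[str, str]]:
    """Return (term, value) pairs that were written as cb.q.<term>=<value>."""
    pairs = parse_qsl(query, keep_blank_values=True)  # also percent-decodes
    return [(k[len(MALFORMED_PREFIX):], v)
            for k, v in pairs if k.startswith(MALFORMED_PREFIX)]


def is_malformed(query: str) -> bool:
    """True if the watchlist query shows the syntax this article describes."""
    return bool(malformed_terms(query))


def fix_watchlist_query(query: str) -> str:
    """Rewrite cb.q.<term>=<value> parameters into a single q=<term>:<value>.

    Returns the query unchanged when nothing is malformed, so the function is
    safe to run over every watchlist. Other parameters keep their order and
    are emitted first; q= goes last, matching the corrected example above.
    Assumption: if a q= parameter already exists alongside cb.q.* terms, the
    terms are joined with a space (the search backend's implicit AND).
    """
    if not is_malformed(query):
        return query
    q_terms: list[str] = []
    others: list[str] = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.startswith(MALFORMED_PREFIX):
            q_terms.append(f"{key[len(MALFORMED_PREFIX):]}:{value}")
        elif key == "q":
            q_terms.append(value)
        else:
            others.append(f"{key}={value}")
    others.append("q=" + " ".join(q_terms))
    return "&".join(others)


# Constructed sample records shaped like watchlist listings; the field names
# are an assumption for this example, not taken from the article.
SAMPLE_WATCHLISTS = [
    {"id": 1, "name": "cmd.exe launches", "search_query": "q=process_name:cmd.exe&cb.urlver=1"},
    {"id": 2, "name": "Feed: tamper score",
     "search_query": "cb.q.alliance_score_cbtamper=[50 TO 100]&cb.urlver=1"},
    {"id": 3, "name": "Feed: encoded variant",
     "search_query": "cb.q.alliance_score_cbtamper=%5B50%20TO%20100%5D&cb.urlver=1"},
]


def audit_watchlists(watchlists: list[dict]) -> list[tuple[int, str]]:
    """Return (id, corrected_query) for each watchlist that needs the fix."""
    return [(w["id"], fix_watchlist_query(w["search_query"]))
            for w in watchlists if is_malformed(w["search_query"])]


if __name__ == "__main__":
    for wl_id, fixed in audit_watchlists(SAMPLE_WATCHLISTS):
        print(f"watchlist {wl_id}: {fixed}")
```

The corrected string is produced in the raw form the console shows; if you push it through an API call instead of the watchlist editor, percent-encode it the way the server stores queries.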

Additional Information

This issue is fixed in EDR Server 7.4.0.
It is tracked by Engineering under CB-29925.