EDR: Watchlists Malformed Syntax in Search Query when Created From Threat Intel Feed
Article ID: 287258
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
The console shows a "malformed syntax in search query" error message for the watchlist.
Newly created watchlists return the error and do not run.
The affected watchlist queries begin with cb.q.<term>
Environment
EDR Server: 6.5.2 and Higher
Cause
Creating a watchlist query from an active Threat Intel Feed produces an incorrect search syntax. Example: cb.q.alliance_score_cbtamper=[50 TO 100]&cb.urlver=1
Resolution
To correct an existing watchlist, edit the query on the watchlist page. Using the example above, change cb.q.<term>=<value> to q=<term>:<value>:
Example: cb.q.alliance_score_cbtamper=[50 TO 100]&cb.urlver=1 becomes: cb.urlver=1&q=alliance_score_cbtamper:[50 TO 100]
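The rewrite above, as an added Python example (not Carbon Black's own code) that flags a watchlist query using the cb.q.<term> syntax and converts it to the q=<term>:<value> form; the function and parameter names are assumptions, and handling of more than one cb.q.* term is an assumption since the article shows only the single-term case.

```python
# Added example (not Carbon Black's code): detect and rewrite the malformed
# "cb.q.<term>=<value>" watchlist syntax described in this article into the
# "q=<term>:<value>" form the console expects. Parameter names other than
# cb.q.* (for example cb.urlver) are passed through unchanged.

MALFORMED_PREFIX = "cb.q."


def is_malformed(query: str) -> bool:
    """True when the watchlist query uses the broken cb.q.<term> syntax."""
    return any(part.startswith(MALFORMED_PREFIX)
               for part in query.split("&"))


def fix_watchlist_query(query: str) -> str:
    """Rewrite cb.q.<term>=<value> pairs as q=<term>:<value>.

    Splitting is done by hand rather than with urllib.parse so that the
    literal spaces and brackets of a range such as [50 TO 100] are kept
    exactly as they appear on the watchlist page.
    """
    passthrough = []   # parameters that are already well-formed
    q_terms = []       # rewritten search terms

    for part in query.split("&"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if key.startswith(MALFORMED_PREFIX):
            term = key[len(MALFORMED_PREFIX):]
            if not term or not sep:
                raise ValueError(f"cannot rewrite parameter: {part!r}")
            q_terms.append(f"{term}:{value}")
        else:
            passthrough.append(part)

    # Assumption: when a malformed query carries several cb.q.* terms, each
    # becomes its own q= parameter; the article only shows the single-term case.
    return "&".join(passthrough + [f"q={t}" for t in q_terms])


if __name__ == "__main__":
    # Constructed input taken from the article's example
    bad = "cb.q.alliance_score_cbtamper=[50 TO 100]&cb.urlver=1"
    print(is_malformed(bad))          # True
    print(fix_watchlist_query(bad))   # cb.urlver=1&q=alliance_score_cbtamper:[50 TO 100]
```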
Additional Information
This issue is fixed in 7.4.0. It is tracked by Engineering under CB-29925.