Enterprise EDR: Watchlist IOC is found in the investigate page but not triggered
Article ID: 287451

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Watchlist IOC is found in the Investigate page but not triggered.

Environment

  • Carbon Black Cloud Console: All Versions
  • Enterprise EDR

Cause

The IOC has a missing or incorrect "Field" name.

Resolution

Update or recreate the IOC so that it includes a "Field" name that works on the Investigate page.

Additional Information

All IOCs must have a "Field" assigned to them. The field is visible either in the IOC itself or by viewing the IOC in DevTools. An incorrect "Field" will not produce results on the Investigate page, and therefore will not trigger as a watchlist hit.

Example:
Searching the Investigate page for an IP using "netconn_ipv4:152.70.253.207" may return results and will work as a watchlist IOC.
Here "Field" equals netconn_ipv4. It is visible in the watchlist IOC itself, or, if it is not defined in the IOC, in DevTools, but not in both places.

Finding the "Field" value in DevTools
  1. Open DevTools
  2. Navigate to a Watchlist
  3. Navigate to a Report
  4. Select an IOC
  5. In the URL, the IOC ID is listed after the word "report"
  6. Find and select the IOC ID in DevTools
  7. Expand the iocs_v2 and drill down to the IOC and "Field" name
The "Field" value is shown as null in DevTools when the field is defined inside the actual IOC query.
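The same check can be scripted against a report's iocs_v2 array instead of clicking through DevTools. The following is an added example, not Carbon Black's own code; it assumes each IOC entry carries the id, match_type, field and values keys seen in DevTools, and KNOWN_FIELDS is an illustrative subset of Investigate-page field names, not an exhaustive list.

```python
import re

# Illustrative subset of Investigate-page field names (assumption, not exhaustive).
# Extend it with the fields your searches actually use.
KNOWN_FIELDS = {
    "netconn_ipv4", "netconn_ipv6", "netconn_domain",
    "process_name", "process_hash", "process_cmdline", "device_name",
}

# A field name is the identifier immediately before ':' in a query value,
# e.g. "netconn_ipv4" in "netconn_ipv4:152.70.253.207". Bare URLs ("http:") would
# also match, so such values surface as unrecognised fields for manual review.
FIELD_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*):")


def effective_fields(ioc):
    """Return the set of search fields an IOC resolves to (empty if none)."""
    if ioc.get("field"):
        return {ioc["field"]}
    # "field" is null in DevTools: the field must be embedded in the query text.
    fields = set()
    for value in ioc.get("values", []):
        fields.update(FIELD_RE.findall(value))
    return fields


def check_report_iocs(report):
    """List IOCs whose field is absent or not a recognised Investigate field."""
    problems = []
    for ioc in report.get("iocs_v2", []):
        ioc_id = ioc.get("id", "<no id>")
        fields = effective_fields(ioc)
        if not fields:
            problems.append(f"{ioc_id}: no field set on the IOC and none in its query values")
            continue
        unknown = sorted(fields - KNOWN_FIELDS)
        if unknown:
            problems.append(f"{ioc_id}: unrecognised field(s) {unknown}")
    return problems


# Constructed sample report: two valid IOCs, one with no field, one with a typo.
SAMPLE_REPORT = {
    "id": "example-report",
    "iocs_v2": [
        {"id": "ioc-good-query", "match_type": "query", "field": None,
         "values": ["netconn_ipv4:152.70.253.207"]},
        {"id": "ioc-good-equality", "match_type": "equality", "field": "netconn_ipv4",
         "values": ["152.70.253.207"]},
        {"id": "ioc-missing-field", "match_type": "equality", "field": None,
         "values": ["152.70.253.207"]},
        {"id": "ioc-typo-field", "match_type": "equality", "field": "netconn_ip4",
         "values": ["152.70.253.207"]},
    ],
}

if __name__ == "__main__":
    for line in check_report_iocs(SAMPLE_REPORT):
        print(line)
```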