CB ThreatHunter: Successful Query Returns "Search Fields are Required" Message When Saving as a Threat Report
Article ID: 288892
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
A query on the Investigate page runs successfully and returns results.
Clicking the "Add search to threat report" link produces the following message:
Search fields are required to add queries to a watchlist report. To learn more, see the search guide.
Environment
CB ThreatHunter PSC Console: March '19 release and later
Cause
This is expected behavior: Threat Reports require every search term to include a field name (such as process_name, process_cmdline, etc.), whereas the Investigate page also accepts unfielded terms.
Resolution
Check the query for any search terms that do not include a field name.
Add the missing field names (for example, change a bare term into process_name:term or process_cmdline:term, whichever field the term was meant to match).
The query can now be saved as a Threat Report.
Additional Information
Value Search was added in the March PSC release. It allows a search to run across all fields for a given term without designating a specific field.
Threat Reports still require a specified field for each search term.
A single missing field name is enough to prevent saving the query as a Threat Report.
Because of this distinction, a query that runs successfully on the Investigate page cannot always be saved as a Threat Report.
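The following added example (not Carbon Black's code or validator, and only an approximation of the console's field:value syntax) checks a query string the way the Resolution steps describe: it walks every search term, skips boolean operators and parentheses, and reports any term, quoted or not, that carries no field name. The field names and queries used are constructed sample values.

```python
import re

# Boolean operators are never search terms themselves.
OPERATORS = {"AND", "OR", "NOT"}

# One token: an optional "field:" prefix followed by a quoted phrase,
# a parenthesis, or a run of characters up to whitespace/parentheses.
# Handling the quoted form first keeps process_cmdline:"foo bar" together.
TOKEN_RE = re.compile(r'(?:[^\s()"]+)?"(?:\\.|[^"\\])*"|\(|\)|[^\s()]+')

# Assumed field-name shape (letters, digits, underscore, dot), e.g. process_name.
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def find_bare_terms(query: str) -> list:
    """Return the search terms in `query` that have no field name in front of them.

    A term counts as fielded when it looks like field:value, with a leading
    '-' or '+' allowed. A colon inside a quoted phrase is not a field separator.
    """
    bare = []
    for tok in TOKEN_RE.findall(query):
        if tok in ("(", ")") or tok.upper() in OPERATORS:
            continue
        body = tok.lstrip("+-")
        if not body:
            continue
        if body.startswith('"'):
            bare.append(tok)  # quoted phrase with nothing before the quote
            continue
        field, sep, value = body.partition(":")
        if sep and FIELD_RE.fullmatch(field) and value:
            continue  # fielded term, e.g. process_name:cmd.exe
        bare.append(tok)
    return bare


def can_save_as_threat_report(query: str) -> bool:
    """True only when every term is fielded; one bare term is enough to block saving."""
    return not find_bare_terms(query)


if __name__ == "__main__":
    for q in ('process_name:cmd.exe AND process_cmdline:"whoami /all"',
              '(cmd.exe OR process_name:powershell.exe) AND -"foo bar"'):
        print(q, "->", find_bare_terms(q) or "ok to save as Threat Report")
```

Run it against a query before clicking "Add search to threat report"; anything it lists needs a field name added.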