CB Response: Threat Report IOC is unavailable on process analysis page
Article ID: 292481
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
When viewing the process analysis page of a process tagged with a threat report, the following message is presented under the Alliance Feeds section:
The process has been tagged with the following reports: Report "$report_name_here" from feed $feed_name_here.
If not on the current page, the report(s) are either unavailable, or the tagged events are on another page.
Environment
CB Response Server: All Versions
Cause
If the tagged events are not on another page, the feed owner has updated the feed by removing the IOC from the threat report.
Resolution
As IOCs are removed from threat reports, the process events that display the IOC data can no longer query the database for that information, because it no longer exists. This is working as designed.
Additional Information
This behavior will appear more often for feeds that are frequently updated. What is happening here, and this is standard operating behavior, is the following:

On ingress of the process and event data from the sensor, the process document (event) contains an IOC that matches an IOC in the feed report, and the process document is therefore tagged with that report.

When the feed is later updated, the new version of the report may no longer contain the IOC that tagged the process document when it was originally ingested. Old versions of the feed are not stored.

The server stores only that a hit occurred, not which event caused the hit. When the API request is processed, the IOCs are re-matched against the current version of the feed report; if the IOC is no longer present, the API call cannot match it.

For this reason, there is a scenario in which no marked events are shown in the UI even though the UI still indicates that the process document (event) was tagged by the feed report.
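The following is an added illustration of the tag-then-re-match behavior described above; it is a simplified model written for this article, not Carbon Black EDR's own code. The class names, the feed and report identifiers, the event identifiers and the all-zero "hash" are constructed placeholders. It shows that only the (feed, report) hit is persisted at ingest, and that highlighting events at query time depends on the report's current IOC list.

```python
"""Simplified model of feed-report tagging at ingest and IOC re-matching at
query time.  Added example, not product code; all names and data are constructed."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ThreatReport:
    """One report within a feed; iocs is the set of indicator values it carries."""
    feed: str
    report_id: str
    iocs: frozenset


@dataclass
class ProcessEvent:
    """One event on a process (modload, netconn, ...) and the IOC-bearing values it holds."""
    event_id: str
    ioc_values: frozenset


@dataclass
class ProcessDoc:
    """A process document.  Only (feed, report_id) hits are stored, never the matching event."""
    process_id: str
    events: list
    tags: set = field(default_factory=set)


def ingest(doc, reports):
    """At ingress, tag the document with every report whose IOCs match any of its events."""
    for report in reports:
        if any(ev.ioc_values & report.iocs for ev in doc.events):
            doc.tags.add((report.feed, report.report_id))
    return set(doc.tags)


def matched_events(doc, current_reports):
    """At API/UI time, re-match each stored tag against the *current* feed contents.

    Returns {(feed, report_id): [event_ids]}.  A tag whose IOC was removed from
    the feed stays in the result with an empty event list: the hit is remembered,
    but nothing can be highlighted.
    """
    current = {(r.feed, r.report_id): r.iocs for r in current_reports}
    result = {}
    for tag in sorted(doc.tags):
        iocs = current.get(tag, frozenset())  # missing report => nothing to match against
        result[tag] = [ev.event_id for ev in doc.events if ev.ioc_values & iocs]
    return result


def describe(doc, current_reports):
    """Render the per-report outcome the way an analyst would read it on the process page."""
    lines = []
    for (feed, report_id), event_ids in matched_events(doc, current_reports).items():
        if event_ids:
            lines.append(f'Report "{report_id}" from feed {feed}: matched events {event_ids}')
        else:
            lines.append(f'Report "{report_id}" from feed {feed}: tagged, but no events currently match')
    return lines


def run_scenario():
    """Ingest against feed version 1, then query against version 2 with the IOC removed."""
    placeholder_md5 = "0" * 32  # constructed placeholder, not a real indicator
    report_v1 = ThreatReport("constructed_feed", "report-1", frozenset({placeholder_md5}))
    # Feed owner updates the report and drops the hash; old version is not retained.
    report_v2 = ThreatReport("constructed_feed", "report-1", frozenset({"other.example"}))

    doc = ProcessDoc("proc-1", [
        ProcessEvent("modload-1", frozenset({placeholder_md5})),
        ProcessEvent("netconn-1", frozenset({"example.com"})),
    ])
    tags = ingest(doc, [report_v1])
    before = matched_events(doc, [report_v1])   # IOC still present: modload-1 highlighted
    after = matched_events(doc, [report_v2])    # IOC removed: tag remains, no events
    return tags, before, after


if __name__ == "__main__":
    tags, before, after = run_scenario()
    print("tags stored at ingest:", tags)
    print("before feed update:", before)
    print("after feed update:", after)
```

Running the scenario shows the tag surviving the feed update while the event list for it becomes empty, which is exactly the state behind the "report(s) are either unavailable" message: the server has no record of which event produced the hit, so once the indicator is gone from the current report there is nothing left to re-match.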
If the tagged events are SHA256 hashes, see the Related Content section for a known issue.