CB Cloud: Cannot Edit Custom Watchlist Report

Environment

CB: Cloud Management Console

Symptoms

Some Carbon Black watchlist reports cannot be edited in the CB console because the Edit button is missing from the report page.

Cause

The affected custom reports carry a value in their top-level "link" field where that field should be null.  Whenever the top-level link field is populated, the console hides the Edit button; this is by design.  The link field is meant to point to an external source of data that populates the report automatically, and a report that is kept in sync from an external source should not be edited by hand in the console.  A customer-created report has no such source, so its link field should be null.

Resolution

Set the top-level link field to null on any report that needs editing, using the Watchlist Manager API.  The following instructions use the Postman application (https://www.postman.com/downloads/) to perform the necessary API calls.

  1. In the Carbon Black console, create an API Key with an Access Level that grants Create, Read, and Update permissions on org.watchlists and org.feeds, and capture the API ID and API Secret Key.  Also capture the Org ID.  This is done in the Settings > API Access section of the console.

  2. In the CB console, navigate to a watchlist report that does not show the Edit button.  Note the second-to-last section of the URL path, which is the report ID.  For instance, the report ID in this URL is "H9iEDZMSEGnI08gP7lg2w":

    https://defense-prod05.conferdeploy.net/enforce/watchlists/report/H9iEDZMSEGnI08gP7lg2w/NglkiJQYSHC2SY9msdb5mA

     
  3. In the Postman app, do a GET for the report with the parameters below.  In the header, replace <API Secret Key> and <API ID> with the credentials captured in step 1 (the secret comes first, then a slash, then the ID).  In the URL, replace <OrgID> with the Org ID captured in step 1 and <ReportID> with the report ID captured in step 2.
    Headers:
    X-Auth-Token    <API Secret Key>/<API ID>
    Content-Type    application/json

    URL:
    GET https://defense-prod05.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/<OrgID>/reports/<ReportID>


     
  4. Note the first (top-level) "link" field in the response.  The "link" inside each iocs_v2 entry is a separate field and is not the cause.  When the top-level link has a value (anything other than null), the console hides the Edit button; that value has to be replaced with null.  For instance, in the response below the top-level link holds a GitHub URL:

{
    "id": "00360a4bde631bfe261d31a0f57feb29",
    "timestamp": 1583258733,
    "title": "Critical:Def_EYS_190810_v1_AbuseofCertutil",
    "description": "TLP:AMBER - This logic detects instances where certutil is used to decode a file. Adversaries use this technique to evade defenses. Response could include validating benign versus malicious, coordination with system owner org., unusual network connection preceding or following detection. Deobfuscate/Decode Files or Information Defense Evasion T1140 attack.mitre.org/techniques/T1140/",
    "severity": 9,
    "link": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md",
    "tags": null,
    "iocs": null,
    "iocs_v2": [
        {
            "id": "00360a4bde631bfe261d31a0f57feb29",
            "match_type": "query",
            "values": [
                "((process_name:cmd.exe AND process_cmdline:certutil AND process_cmdline:\\-decode) OR (process_name:certutil.exe AND process_cmdline:\\-decode)) -legacy:true"
            ],
            "field": null,
            "link": null
        }
    ]
}

  5. Copy the entire response body from step 3, change the value of the top-level "link" field to null, and send the result back in a PUT call with the following parameters.  The PUT replaces the whole report, so the body must contain every field returned by the GET, with only the top-level link changed:
    Headers:
    X-Auth-Token    <API Secret Key>/<API ID>
    Content-Type    application/json

    URL:
    PUT https://defense-prod05.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/<OrgID>/reports/<ReportID>

    Body:
    The same JSON as the GET response, except that the URL in the top-level "link" field has been replaced with null.  This is the change that fixes the issue:

{
    "id": "00360a4bde631bfe261d31a0f57feb29",
    "timestamp": 1583258733,
    "title": "Critical:Def_EYS_190810_v1_AbuseofCertutil",
    "description": "TLP:AMBER - This logic detects instances where certutil is used to decode a file. Adversaries use this technique to evade defenses. Response could include validating benign versus malicious, coordination with system owner org., unusual network connection preceding or following detection. Deobfuscate/Decode Files or Information Defense Evasion T1140 attack.mitre.org/techniques/T1140/",
    "severity": 9,
    "link": null,
    "tags": null,
    "iocs": null,
    "iocs_v2": [
        {
            "id": "00360a4bde631bfe261d31a0f57feb29",
            "match_type": "query",
            "values": [
                "((process_name:cmd.exe AND process_cmdline:certutil AND process_cmdline:\\-decode) OR (process_name:certutil.exe AND process_cmdline:\\-decode)) -legacy:true"
            ],
            "field": null,
            "link": null
        }
    ]
}

  6. Reload the report page in the CB console.  The Edit button should now be present and the report can be edited.
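The whole procedure in one script, as an added Python example that is not code from the original article or from Carbon Black: it extracts the report ID from the console URL (step 2), builds the X-Auth-Token header and v3 endpoint exactly as shown above (step 3), nulls only the top-level link on a copy of the report (step 4), and can perform the GET and PUT with the standard library (step 5).  The sample report is the one printed above with a shortened description and is constructed for offline use; the host name, Org ID and credentials are placeholders, and the dry_run default returns the PUT body instead of sending it.

```python
"""Clear the top-level "link" on a Carbon Black Cloud custom watchlist report.

Added example, not code from the original article or from Carbon Black.
Assumes the v3 watchlistmgr endpoint and the "<secret>/<id>" X-Auth-Token
format shown in the article; host, Org ID and credentials are placeholders.
"""
import copy
import json
import re
import urllib.request
from typing import Any, Dict
from urllib.parse import urlparse

# Console URL shape from the article: .../enforce/watchlists/report/<ReportID>/<other id>
_REPORT_PATH = re.compile(r"/enforce/watchlists/report/([^/]+)/[^/]+/?$")

# Constructed sample: the report body shown in the article, description shortened.
SAMPLE_REPORT: Dict[str, Any] = {
    "id": "00360a4bde631bfe261d31a0f57feb29",
    "timestamp": 1583258733,
    "title": "Critical:Def_EYS_190810_v1_AbuseofCertutil",
    "description": "TLP:AMBER - certutil used to decode a file (T1140).",
    "severity": 9,
    "link": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md",
    "tags": None,
    "iocs": None,
    "iocs_v2": [{
        "id": "00360a4bde631bfe261d31a0f57feb29",
        "match_type": "query",
        "values": ["((process_name:cmd.exe AND process_cmdline:certutil AND "
                   "process_cmdline:\\-decode) OR (process_name:certutil.exe AND "
                   "process_cmdline:\\-decode)) -legacy:true"],
        "field": None,
        "link": None,
    }],
}


def report_id_from_console_url(url: str) -> str:
    """Step 2: the report ID is the second-to-last path segment of the console URL."""
    match = _REPORT_PATH.search(urlparse(url).path)
    if not match:
        raise ValueError(f"not a watchlist report URL: {url}")
    return match.group(1)


def api_headers(api_id: str, api_secret: str) -> Dict[str, str]:
    """Step 3: X-Auth-Token is '<API Secret Key>/<API ID>', secret first."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json"}


def report_endpoint(host: str, org_id: str, report_id: str) -> str:
    """Watchlist Manager v3 report endpoint used by both the GET and the PUT."""
    return f"https://{host}/threathunter/watchlistmgr/v3/orgs/{org_id}/reports/{report_id}"


def clear_report_link(report: Dict[str, Any]) -> Dict[str, Any]:
    """Step 4: return a copy of the report with only the top-level 'link' set to null.

    IOC-level 'link' values inside iocs_v2 are left untouched; they do not affect
    the Edit button.  Refuses a report whose top-level link is already null,
    since that report does not have the symptom this fix addresses.
    """
    if report.get("link") is None:
        raise ValueError("top-level link is already null; nothing to fix")
    fixed = copy.deepcopy(report)
    fixed["link"] = None
    return fixed


def fix_report(host: str, org_id: str, report_id: str, api_id: str,
               api_secret: str, dry_run: bool = True) -> Dict[str, Any]:
    """Steps 3-5: GET the report, null its link, PUT the complete object back.

    Only run this against reports your own organization created (Additional
    Notes).  With dry_run=True the PUT body is returned instead of sent.
    """
    url = report_endpoint(host, org_id, report_id)
    headers = api_headers(api_id, api_secret)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        current = json.load(resp)
    body = clear_report_link(current)
    if dry_run:
        return body
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no network call is made.
    rid = report_id_from_console_url(
        "https://defense-prod05.conferdeploy.net/enforce/watchlists/report/"
        "H9iEDZMSEGnI08gP7lg2w/NglkiJQYSHC2SY9msdb5mA")
    print("report id:", rid)
    print(json.dumps(clear_report_link(SAMPLE_REPORT), indent=2))
```

To apply the fix for real, call fix_report(...) with dry_run=False after inspecting the dry-run body; the function deliberately sends the full object back because the PUT replaces the report rather than patching individual fields.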

Additional Notes

Use this procedure ONLY on watchlist reports that your organization created.  Do NOT use it on a published report that you subscribe to; for those the link field is legitimately populated and the report is maintained by its publisher.  Because the PUT replaces the whole report, always start from the complete GET response and change nothing but the top-level link.
