Environment
- CB ThreatHunter PSC Console: March '19 release and later
Symptoms
Cause
This is expected behavior: Threat Reports require every search term to include a field name (such as process_name or process_cmdline).
Resolution
- Check the query for any search terms that do not include a field name
- Add the missing field names
- The query can now be saved as a Threat Report
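The check in the first step can be scripted before a query is pasted into the console. The following is an added example, not Carbon Black code: it assumes Lucene-style query syntax and lowercase field names like the ones above, and the function name and sample queries are hypothetical.

```python
import re

# Assumption: Lucene-style syntax (field:value, "quoted phrases", parentheses,
# [a TO b] ranges, AND/OR/NOT) and lowercase identifier field names such as
# process_name. This is a pre-check sketch, not the console's own parser.
TOKEN = re.compile(r'''
    [-+!]?(?:(?P<gfield>[a-z_][a-z0-9_]*):)?(?P<open>\()     # "(" or "field:("
  | (?P<close>\))
  | [-+!]?(?:(?P<field>[a-z_][a-z0-9_]*):)?
    (?P<value>"(?:[^"\\]|\\.)*"|\[[^\]]*\]|[^\s()"]+)        # phrase, range, word
''', re.VERBOSE)
OPERATORS = {"AND", "OR", "NOT"}


def unfielded_terms(query):
    """Return the search terms in `query` that have no field name."""
    missing = []
    groups = []  # one flag per open "(": True if a field name covers the group
    for m in TOKEN.finditer(query):
        if m.group("open"):
            inherited = bool(groups) and groups[-1]
            groups.append(bool(m.group("gfield")) or inherited)
        elif m.group("close"):
            if groups:
                groups.pop()
        else:
            value = m.group("value")
            covered = m.group("field") or (groups and groups[-1])
            if not covered and value not in OPERATORS:
                missing.append(value)
    return missing


# Constructed sample queries (not taken from the product documentation).
SAMPLES = [
    'process_name:powershell.exe AND process_cmdline:"-enc"',
    'process_name:powershell.exe AND "-enc"',
    'process_name:(cmd.exe OR powershell.exe) AND (whoami OR netconn_port:[1 TO 1024])',
]

if __name__ == "__main__":
    for q in SAMPLES:
        bare = unfielded_terms(q)
        print("OK  " if not bare else "FIX ", q, bare)
```

Any term the function returns is one that Value Search would accept but that would block saving the query as a Threat Report.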
Additional Notes
- Value Search, added in the March PSC release, makes it possible to search for a term across all fields without designating a specific field
- Threat Reports still require a specified field for each search term
- It only takes one missing field name to prevent saving as a Threat Report
- Because of this distinction, a query that runs successfully cannot always be saved as a Threat Report