Environment
- EDR Server: All Versions
- ThreatConnect Playbook Connector
Symptoms
- The feeds for the ThreatConnect playbook connector only sync every 24 hours during the cron for the FULL sync.
- Incremental syncs run via the cron job do not update the ThreatConnect threat reports
Cause
The timestamps in the ThreatConnect json data are not being updated correctly by ThreatConnect.
Resolution
The ThreatConnect playbooks must be setup to regularly update the timestamps in the json files when changes are applied. The feed sync job will only pull new infromation when the timestamp shows a value that is past the time it last synced.