Environment
- Cb Response 6.x
Symptoms
- Filtering by the feed facet, does not show any results even though it lists a hit
- When searching for an event related to a feed hit in Process Analysis, the event is not flagged as a hit
Cause
The feed is most likely a query based feed, which is not expected to have an exclamation mark next to the event. Query based feeds by their nature have IOCs that are not single indicators, for example MD5 or IP address, but are queries that may be a combination of terms, like process_name and command line. These IOCs cannot be matched to a single event in the event rows. Even if one term contains an event like regmod, the cost of isolation from the entire query is too intensive.
Similarly, feed based facets will not filter events down to find the event portion of the query. Filtering by feed name leads to 0 events on all pages because the query is not a 1 to 1 match to the query.
For example, a hit on the Advanced Threats Feed - 'regmod:software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy -process_name:powershell*regmod' will not have a flag on the events list nor will filtering on the feed list the event. The query has '-process_name:powershell.exe' while the event just has the regmod match.
Resolution
- When attempting to find an event, search for part of the feed's query in the event search
- If there are too many event pages by default, try narrowing down the list of events by searching for the process and event hit via Process Search.
