The feed is most likely a query-based feed, and hits from query-based feeds are not expected to show an exclamation mark next to an event. By their nature, query-based feeds carry IOCs that are not single indicators such as an MD5 hash or an IP address; they are search queries that may combine several terms, for example process_name and command line. Such an IOC cannot be matched to a single row in the event list. Even when one term of the query refers to an event type such as regmod, isolating that term from the rest of the query and evaluating it per event would be too expensive.
Similarly, the feed facets will not filter the event list down to the event portion of the query. Filtering by feed name shows 0 events on every page, because no single event is a 1-to-1 match for the query.
For example, a hit on the Advanced Threats Feed query 'regmod:software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy -process_name:powershell*regmod' will neither flag a row in the event list nor appear when the event list is filtered by that feed. The query includes '-process_name:powershell.exe', while the event row only carries the regmod match.
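To make the distinction concrete, the following is an added example written for this article; it is not Carbon Black code and does not use the product's search engine. It is a toy evaluator for a query-based IOC of the kind quoted above. The split of fields into process-level and event-level, the simplified substring/wildcard matching, and the two sample process documents are all assumptions constructed for the example. It shows that the whole query matches the process document (that is the feed hit), but that no individual event row can satisfy the query on its own once a process-level term such as process_name is part of it, which is why nothing is flagged and the feed filter yields 0 events.

```python
"""Toy evaluator showing why a query-based feed hit cannot be pinned on one event row.
Added example, not part of Carbon Black; schema and matching rules are simplified."""
import fnmatch
from dataclasses import dataclass

# Assumption: a small subset of the search schema, split by where the field lives.
PROCESS_FIELDS = {"process_name", "cmdline", "username", "parent_name"}
EVENT_FIELDS = {"regmod", "filemod", "modload", "netconn", "childproc"}


@dataclass(frozen=True)
class Term:
    field: str
    pattern: str
    negated: bool


@dataclass
class Process:
    process_name: str
    cmdline: str
    events: list  # rows of (event_type, value), e.g. ("regmod", r"HKLM\...")


def parse_query(query):
    """Split a query into field:value terms; a leading '-' negates a term.
    Quoting and boolean operators are not handled (simplification)."""
    terms = []
    for tok in query.split():
        negated = tok.startswith("-")
        body = tok[1:] if negated else tok
        field, sep, pattern = body.partition(":")
        if not sep or not pattern:
            raise ValueError(f"unsupported term: {tok!r}")
        field = field.lower()
        if field not in PROCESS_FIELDS | EVENT_FIELDS:
            raise ValueError(f"unknown field: {field!r}")
        terms.append(Term(field, pattern, negated))
    return terms


def _match(pattern, value):
    """Case-insensitive match: wildcard if the pattern contains '*', else substring.
    The real search engine tokenises values; this approximation is enough here."""
    value, pattern = value.lower(), pattern.lower()
    if "*" in pattern:
        return fnmatch.fnmatchcase(value, pattern)
    return pattern in value


def process_matches(proc, terms):
    """Evaluate the whole query against the process document.
    This is the level at which a query-based feed hit is produced."""
    for t in terms:
        if t.field in PROCESS_FIELDS:
            hit = _match(t.pattern, getattr(proc, t.field))
        else:
            hit = any(kind == t.field and _match(t.pattern, val)
                      for kind, val in proc.events)
        if hit == t.negated:  # required term missed, or excluded term present
            return False
    return True


def flaggable_event_rows(proc, terms):
    """Try to pin the hit on individual event rows, as happens for a single-indicator IOC.
    A row is flagged only if every term is decidable and satisfied on that row alone.
    Process-level terms are not present on a row, so a query containing one never
    flags any row: the empty event list the article describes."""
    rows = []
    for idx, (kind, val) in enumerate(proc.events):
        satisfied = True
        for t in terms:
            if t.field not in EVENT_FIELDS:
                satisfied = False  # undecidable on a single row
                break
            hit = kind == t.field and _match(t.pattern, val)
            if hit == t.negated:
                satisfied = False
                break
        if satisfied:
            rows.append(idx)
    return rows


# The article's query as its text describes it (regmod term plus a negated process_name).
FEED_QUERY = (r"regmod:software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy "
              r"-process_name:powershell.exe")

# Constructed sample process documents, not real telemetry.
REG_EXE = Process(
    process_name="reg.exe",
    cmdline=r"reg add HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /d Bypass /f",
    events=[
        ("modload", r"c:\windows\system32\advapi32.dll"),
        ("regmod", r"HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy"),
        ("filemod", r"c:\users\alice\appdata\local\temp\out.txt"),
    ],
)
POWERSHELL = Process(
    process_name="powershell.exe",
    cmdline="powershell.exe -ExecutionPolicy Bypass",
    events=[REG_EXE.events[1]],  # same registry write, but excluded by the query
)

if __name__ == "__main__":
    terms = parse_query(FEED_QUERY)
    print("reg.exe process hit:      ", process_matches(REG_EXE, terms))
    print("powershell.exe process hit:", process_matches(POWERSHELL, terms))
    print("rows flaggable, full query:", flaggable_event_rows(REG_EXE, terms))
    print("rows flaggable, regmod only:", flaggable_event_rows(REG_EXE, parse_query(FEED_QUERY.split()[0])))
```

Running it shows the reg.exe process matching the full query while powershell.exe does not, an empty list of flaggable rows for the full query, and the regmod row alone being flaggable only when the process_name term is dropped. That last result is exactly the "event portion" the feed facet does not attempt to isolate.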
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.