Feed hit events not marked in Process Analysis

Environment

  • Cb Response 6.x

Symptoms

  • Filtering by the feed facet does not show any results even though the facet lists a hit
  • When searching for an event related to a feed hit in Process Analysis, the event is not flagged as a hit

Cause

The feed is most likely a query-based feed, and for such feeds the exclamation mark is not expected next to the event. Query-based feeds by their nature have IOCs that are not single indicators (for example an MD5 hash or an IP address) but queries that may combine several terms, such as process_name and command line. These IOCs cannot be matched to a single row in the event list. Even if one term of the query refers to an event (regmod, for example), isolating that term from the rest of the query would be too expensive.

Similarly, the feed facet will not filter the events down to the event portion of the query. Filtering by feed name yields 0 events on every page because no single event is a one-to-one match for the feed's query.

For example, a hit on the Advanced Threats Feed, 'regmod:software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy -process_name:powershell*regmod', will not put a flag on the event list, nor will filtering by the feed list the event. The query contains '-process_name:powershell.exe', while the event matches only the regmod term.

Resolution

  1. To find an event, search for part of the feed's query in the event search.
  2. If the default event list spans too many pages, narrow it down by searching for the process and the event hit via Process Search.
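The distinction drawn under Cause (a single-indicator IOC versus a multi-term query) and Resolution step 1, as an added example that is not from this article or from the product: a small Python helper that splits a query-based feed IOC into event-level, process-level and negated terms, so that the event-level part can be pasted into the event search. The set of event-level field names in EVENT_FIELDS is an assumption.

```python
import re

# Assumed field classification (added example, not from the KB article or the
# product): event-level fields can match one row in Process Analysis, while any
# other field (process_name, cmdline, md5, ...) describes the process as a whole.
EVENT_FIELDS = {"regmod", "filemod", "modload", "netconn", "childproc", "crossproc"}

# One term: optional leading '-' (NOT), optional field name, then a quoted or bare value.
TERM_RE = re.compile(r'(-?)(?:([a-z_]+):)?("[^"]*"|\S+)')

def split_feed_query(query):
    """Group the terms of a query-based feed IOC by how they can be searched."""
    parts = {
        "event_terms": [],     # positive event-level terms: usable in the event search
        "process_terms": [],   # positive process-level terms
        "excluded_terms": [],  # negated terms: they never mark an event row
        "free_text": [],       # terms with no field prefix
    }
    for negated, field, value in TERM_RE.findall(query):
        term = f"{field}:{value}" if field else value
        if negated:
            parts["excluded_terms"].append(term)
        elif not field:
            parts["free_text"].append(term)
        elif field in EVENT_FIELDS:
            parts["event_terms"].append(term)
        else:
            parts["process_terms"].append(term)
    return parts

def expects_hit_flag(query):
    """True only for a single-indicator IOC, the case in which the event row gets the hit mark."""
    parts = split_feed_query(query)
    return sum(len(v) for v in parts.values()) == 1 and not parts["excluded_terms"]

def event_search_string(query):
    """Resolution step 1: the part of the feed query to paste into the event search."""
    return " ".join(split_feed_query(query)["event_terms"])

if __name__ == "__main__":
    # Sample IOC, copied from this article's example of a query-based feed entry.
    ioc = (r"regmod:software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell"
           r"\ExecutionPolicy -process_name:powershell*regmod")
    print("hit mark expected on the event row:", expects_hit_flag(ioc))  # False
    print("event search:", event_search_string(ioc))
```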

Article Information
Creation Date: 01-24-2018