
Data Retention Policy Bug

The ThreatQuotient team has identified a bug in ThreatQ 5x versions prior to 5.26.0 that can occur with the Data Retention Policy (DRP) when updating the associated data collection. This bug, when triggered, can cause the DRP to ignore Threat Library filters and result in the unintended deletion of system objects.

Bug Summary

If you edit the data collection intended for use with DRP and add an object-specific filter, such as Indicator Type, while viewing another object type category in the Threat Library, that object-specific filter will be ignored by the DRP and the entire Threat Library will be included in the data collection.

Scenario Example: You have a DRP data collection made up of Indicator objects.

  1. You load your data collection for DRP, which consists of system Indicators.
  2. You filter your Threat Library view to Assets by clicking on the Assets option on the left-hand column.
  3. You then add a new filter to your DRP data collection: Indicator Type=IP Address and save the data collection.

Scenario Result: The Indicator Type=IP Address filter is ignored, and all Threat Library objects are included in the data collection sent to DRP for deletion.

Workaround

This issue is resolved in ThreatQ v5.26.0.  For users on a prior 5x release, ThreatQuotient highly recommends the following:

  • Users should disable their DRP before making any changes to its data collection.
  • When making changes to the DRP data collection, confirm that you are viewing the same object type in the Threat Library when applying object-specific filters.

    Example: If you are applying a Score filter, confirm that you are viewing the Indicators category before adding the filter and saving the data collection.

  • After making your data collection changes, click on the Calculate Impact option to verify the correct objects have been selected before enabling DRP again.

Future

The ThreatQuotient team resolved this issue in ThreatQ v5.26.0. Until upgrading to this or a later release, we ask that users utilize the workaround process supplied above.

Questions / Concerns

If you have any questions, or have encountered any issues regarding this bug, reach out to our ThreatQ Support team.