
[BUG] Alerts of type watchlist.hit.query.* from My Watchlists Feed Occasionally Missing ioc_attr and ioc_value Data Members

Open jjfallete opened this issue 5 years ago • 0 comments

I am seeing this behaviour on: (please complete the following information):

  • OS: Windows
  • Carbon Black Product: CB EDR (Response)
  • Python Version: 2.7

Describe the bug

Some alerts from the "My Watchlists" feed_name contain neither an ioc_attr nor an ioc_value data member.

Steps to Reproduce

Steps to reproduce the behavior (Provide a log message if relevant):

Create watchlist named "Suspicious Symbolic Link Write" with query:

cb.urlver=1&q=filemod:.slk AND -process_name:fakeprocess.exe AND -(path:e:\fakeprocess*\fakeprocess1.exe AND hostname:fakehost*) AND -(path:c:\program\ files*\fake\ process\ test\cb\ query\fakeprocess2.exe)

Wait for an alert to come in.

Query the alert:

from cbapi.response import CbResponseAPI, Alert

# Connect using the default cbapi credential profile
cb = CbResponseAPI()

# Pull every unresolved alert and stop at the first one raised by the watchlist
alerts = cb.select(Alert).where("status:Unresolved")
for alert in alerts:
    if 'Suspicious Symbolic Link Write' in alert.watchlist_name:
        print(str(alert))
        break

Notice that neither an ioc_attr nor an ioc_value data member is present in the output.

Expected behavior

ioc_attr would return with something like:

['PREPREPREprocess.exePOSTPOSTPOST']

ioc_value would return with something like:

{"index_type":"events","search_query":"cb.urlver=1&q=filemod%3A.slk%20AND%20-process_name%3Afakeprocess.exe%20AND%20-%28path%3Ae%3A%5Cfakeprocess%2A%5Cfakeprocess1.exe%20AND%20hostname%3Afakehost%2A%29%20AND%20-%28path%3Ac%3A%5Cprogram%5C%20files%2A%5Cfake%5C%20process%5C%20test%5Ccb%5C%20query%5Cfakeprocess2.exe%29"}

Screenshots

N/A

Additional context

N/A

jjfallete, Jul 29 '20 13:07
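An added example, not part of the report or of cbapi-python, showing how a consumer of these alerts can tolerate the missing members instead of failing on them: it decodes the ioc_value shape shown above (JSON with a percent-encoded `cb.urlver=1&q=...` search_query) back into the watchlist query, and flags alerts that carry neither member. It works on the raw alert dict; with cbapi that would be `alert.original_document` (an assumed attribute name), and the sample alerts are constructed, not real EDR output.

```python
import json
from urllib.parse import parse_qs  # Python 3; the report itself was on Python 2.7


def decode_ioc_value(ioc_value):
    """Decode the ioc_value of a watchlist.hit.query.* alert.

    The report shows ioc_value as a JSON object holding an index_type and a
    percent-encoded search_query of the form cb.urlver=1&q=<watchlist query>.
    Accepts a JSON string or an already-parsed dict and returns
    (index_type, decoded_query), with None for anything absent or malformed.
    """
    if not ioc_value:
        return None, None
    doc = ioc_value
    if isinstance(ioc_value, str):
        try:
            doc = json.loads(ioc_value)
        except ValueError:
            return None, None
    if not isinstance(doc, dict):
        return None, None
    params = parse_qs(doc.get("search_query", ""), keep_blank_values=True)
    return doc.get("index_type"), params.get("q", [None])[0]


def summarize_watchlist_alert(alert_doc):
    """Summarise a raw alert dict; IOC fields are None when the alert omits them."""
    ioc_attr = alert_doc.get("ioc_attr")
    index_type, query = decode_ioc_value(alert_doc.get("ioc_value"))
    return {
        "watchlist_name": alert_doc.get("watchlist_name"),
        "ioc_attr": ioc_attr,
        "index_type": index_type,
        "watchlist_query": query,
        # True for the defective alerts the report describes
        "ioc_missing": ioc_attr is None and query is None,
    }


# Constructed sample alerts (not real EDR output); the query mirrors the report
COMPLETE_ALERT = {
    "watchlist_name": "Suspicious Symbolic Link Write",
    "ioc_attr": ["PREPREPREprocess.exePOSTPOSTPOST"],
    "ioc_value": '{"index_type":"events","search_query":"cb.urlver=1&q=filemod%3A.slk%20AND%20-process_name%3Afakeprocess.exe%20AND%20-%28path%3Ae%3A%5Cfakeprocess%2A%5Cfakeprocess1.exe%20AND%20hostname%3Afakehost%2A%29%20AND%20-%28path%3Ac%3A%5Cprogram%5C%20files%2A%5Cfake%5C%20process%5C%20test%5Ccb%5C%20query%5Cfakeprocess2.exe%29"}',
}
INCOMPLETE_ALERT = {"watchlist_name": "Suspicious Symbolic Link Write"}
```

In the report's loop, reading the members with `getattr(alert, 'ioc_attr', None)` likewise avoids an AttributeError on the defective alerts.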