Threat ID Bundle not looking at the right data?

Good afternoon,

I recently installed the Threat ID Bundle, but it is not displaying the expected data. The bundle looks at the device group “SSL Servers” to pull the relevant data; however, it will not display data on the certificates at all. I have verified that the device group displays this data, and I can retrieve certificate data through the “SSL Servers” page.

Is there something that I should be pointing this to look at?

I have older bundles that look at the Internal_SSL_Servers application group, and they work as expected, but the new metrics don’t apply to that.

Thank you.

Hey @smlextrahop01,

Can you confirm that the Threat ID: Certificates trigger is enabled? The Threat ID bundle ships with all of the triggers disabled, and it requires you to go in and enable each of the 6 “Threat ID: …” triggers.

If not, enable it by following the link in the installation instructions on Enabling a Trigger.

Note: The bundle comes with all of the assignments included, so as long as you check the Apply included assignments checkbox when Applying the Bundle it will be assigned to the correct device groups automatically. In the case of Certificates, like you mentioned, it’s the SSL Servers device group.


I went back and double checked and found the problem. My EDA lists multiple device groups with the “SSL Server” name, and for whatever reason the dashboard chose one that didn’t include the dynamic group. When I changed the data source for the dashboard to the correct group, it started showing what I was expecting to see.

Thank you for your response and for making me take another look (again); that would have driven me insane!