Our current virus alerts don't include the virus hash. So I created a workflow that goes and gets it from the Trellix log in IDR and puts it in the investigation as a comment.
The workflow works fine when triggered manually by an analyst. However, if the workflow is triggered automatically by the virus alert, then it finds nothing when it searches the log. It comes back with an empty array.
I thought I could fix it with a timer. I got it working on a 4-minute timer once with an EICAR file, but in the wild I've now seen it fail with as much as a 5-minute timer.
Anyone else have experience trying to query newly created logs just after they are created, and how do you deal with (what appears to be) the latency problem?
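One way to handle the ingestion lag described in the post, as an added example that is not the poster's workflow and not Rapid7 or Trellix code: instead of a single fixed-length timer, poll the log search with exponential backoff until the entry shows up or an overall deadline passes, then pull the hash out of whatever came back. The log store, its field names, the `search` callable and the latency figure are constructed stand-ins for whatever the real IDR log search returns; the clock and sleep functions are injectable so the loop can be exercised without actually waiting.

```python
import re
import time
from typing import Callable, Dict, List, Tuple

# Constructed sample entry standing in for a detection log. Field names are
# assumptions, not the real Trellix/IDR schema. The hash is the published
# SHA-256 of the EICAR test file, used here only as sample data.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {
        "event": "malware_detected",
        "host": "WS-1042",
        "file": "C:\\Users\\analyst\\eicar.com",
        "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    },
]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def make_delayed_source(entries: List[Dict[str, str]], available_at: float,
                        now_fn: Callable[[], float]) -> Callable[[str], List[Dict[str, str]]]:
    """Simulates a log store whose entries are only searchable once
    ingestion latency has elapsed (constructed stand-in for the real search)."""
    def search(host: str) -> List[Dict[str, str]]:
        if now_fn() < available_at:
            return []  # the empty array the post describes
        return [e for e in entries if e["host"] == host]
    return search


def poll_until_found(search: Callable[[], list], deadline_s: float,
                     initial_delay_s: float = 30.0, max_delay_s: float = 120.0,
                     now_fn: Callable[[], float] = time.monotonic,
                     sleep_fn: Callable[[float], None] = time.sleep) -> Tuple[list, int]:
    """Call search() until it returns a non-empty result or the deadline would be
    exceeded. Delay doubles each attempt up to max_delay_s. Returns (results, attempts)."""
    start = now_fn()
    delay = initial_delay_s
    attempts = 0
    while True:
        attempts += 1
        results = search()
        if results:
            return results, attempts
        if (now_fn() - start) + delay > deadline_s:
            return [], attempts  # give up; caller should record the miss, not silently succeed
        sleep_fn(delay)
        delay = min(delay * 2, max_delay_s)


def extract_hashes(entries: List[Dict[str, str]]) -> List[str]:
    """Pull every SHA-256-shaped value out of the returned entries, deduplicated."""
    seen: List[str] = []
    for entry in entries:
        for value in entry.values():
            for h in SHA256_RE.findall(str(value)):
                h = h.lower()
                if h not in seen:
                    seen.append(h)
    return seen


class FakeClock:
    """Deterministic clock so the polling loop can run without real sleeps."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def lookup_hashes_for_host(host: str, available_at: float, deadline_s: float,
                           clock: FakeClock) -> Tuple[List[str], int, float]:
    """End-to-end: poll the (simulated) log for the host, extract hashes.
    Returns (hashes, attempts, elapsed_seconds)."""
    search = make_delayed_source(SAMPLE_ENTRIES, available_at, clock.now)
    results, attempts = poll_until_found(lambda: search(host), deadline_s,
                                         now_fn=clock.now, sleep_fn=clock.sleep)
    return extract_hashes(results), attempts, clock.now()


if __name__ == "__main__":
    # Entry becomes searchable after 5 minutes; allow up to 15 minutes overall.
    hashes, attempts, elapsed = lookup_hashes_for_host("WS-1042", 300.0, 900.0, FakeClock())
    print(f"found {hashes} after {attempts} attempts, {elapsed:.0f}s elapsed")
```

The important difference from a fixed timer is the deadline branch: when the entry never appears, the workflow returns an empty result explicitly rather than blocking forever, so the investigation comment can say the lookup timed out instead of being silently skipped.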