Helix Archive Search for month of September using groupby[xxx]

When doing multiple different archive searches for two of our clients, I noticed that for the month of September some of the queries that are set to groupby things like PolicyAction, UserID, etc. don’t group. I know that the events that show up in the results contain those fields because I can see them, but for some reason those specified fields don’t groupby.

It’s also not just the Helix UI that is not displaying the groupings; when using the API to get the response for that archive search, the groupings aggregated field in the response is blank. When FireEye changed the way their HOT data was accessible in the month of September, I believe, did this mess up some of the database correlation/aggregation data?

Hey there!

I ran this question by one of our architects, and they said they’re not sure why this could be happening. They suggested that you send an email to support@fireeye.com, as this may be code-related and we’d want to track that if it is a bug.

Thanks!