How often is a GTI reputation refresh fired on the TIE server for files that have once been introduced in the TIE DB, but had no reputation in the GTI, and have been introduced to the GTI using GetClean?
We need to refresh the GTI reputation manually for files in the TIE that haven't returned a reputation for earlier queries, and have been delivered with GetClean for analysis and marked Known Trusted at the end in the GTI. A manual refresh works, but why should we do it manually?
Please take a look at the below article:
How to change the GTI reputation refresh frequency for the Threat Intelligence Exchange Server
"Records that have a status of Not Available for the GTI reputation will not be refreshed."
What about those that had reported Not Available from the GTI, and got delivered by GetClean at a later time?
GetClean should upload the status of a file to GTI and subsequently TIE will refresh the status within an hour; if it doesn't, then it will be best to ask this question here:
TIE is based on the information GTI has. If a reputation is not available, then there are other methods for setting them (like an enterprise reputation), but in this scenario your question is how often the TIE server pulls data from GTI; that by default is 1 hour (it can be changed with the suggested article). But if GetClean uploads information to GTI, then the malware guys will be in a better position to know how long it takes for that tool to reach the GTI servers.
The problem is that we get the mail confirmation that the analysis has been completed, and once the GTI refresh is triggered manually, the reputation gets properly refreshed.
But the automatic refresh of the GTI reputation doesn't take place.
Do you suggest opening an SR in this case?
Yes please, so that we can take a look at the TIE logs. It will be best if you could enable GTI debug as described in the article below and then collect an MER from the TIE box: