CB ThreatHunter: Will nested watchlists trigger alerts?

Article ID: 285147

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Can a custom watchlist be created and subscribed to so that it triggers an Alert when a separate watchlist Alerts on specific activity? For example:
  • (watchlist_name:"Carbon Black Advanced Threats" AND -(process_name:<name>.exe OR process_name:<name>.exe))
  • ((watchlist_name:"MITRE ATT&CK - Execution" AND watchlist_name:"MITRE ATT&CK - Persistence"))

Environment

  • CB ThreatHunter Web Console: All Versions

Resolution

In the product's current configuration, the above examples return hits only when executed on the Investigate page, not when saved in a custom watchlist.

Additional Information

If this functionality is desired in the product, please vote on the following Idea Central feature request: CB ThreatHunter: Nested Watchlists