CB ThreatHunter: Will nested watchlists trigger alerts?
Article ID: 285147
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Can a custom watchlist be created and subscribed to that will trigger an Alert when a separate watchlist Alerts on specific activity? For example:
(watchlist_name:"Carbon Black Advanced Threats" AND -(process_name:<name>.exe OR process_name:<name>.exe))
((watchlist_name:"MITRE ATT&CK - Execution" AND watchlist_name:"MITRE ATT&CK - Persistence"))
Environment
CB ThreatHunter Web Console: All Versions
Resolution
In the product's current configuration, the above examples are only able to return hits when executed on the Investigate page; they do not produce hits or Alerts when saved as a report in a custom watchlist.
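As an added example (not from the article or from the product itself), the following Python check scans saved-watchlist queries for terms that depend on another watchlist via watchlist_name:, so those queries can be flagged and run from the Investigate page instead of being expected to Alert. The sample queries are the two from this article plus one constructed control; the regular-expression grammar is an assumption about the query syntax, not the product's own parser.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: the two nested-watchlist queries from this article
# plus one ordinary query that does not reference another watchlist.
SAMPLE_QUERIES = [
    '(watchlist_name:"Carbon Black Advanced Threats" AND '
    '-(process_name:<name>.exe OR process_name:<name>.exe))',
    '((watchlist_name:"MITRE ATT&CK - Execution" AND '
    'watchlist_name:"MITRE ATT&CK - Persistence"))',
    'process_name:powershell.exe AND netconn_count:[1 TO *]',
]

# Assumed term shape: optional leading '-' (negation), the field name,
# then either a double-quoted value or a bare token.
WATCHLIST_TERM = re.compile(
    r'(?P<neg>-?)watchlist_name:(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s()]+))'
)


@dataclass
class QueryCheck:
    query: str
    referenced: list = field(default_factory=list)  # watchlists the query depends on
    negated: list = field(default_factory=list)     # of those, the ones under '-'

    @property
    def can_alert_as_watchlist(self) -> bool:
        # Per the article, any dependency on watchlist_name: only resolves on
        # the Investigate page, so such a query cannot Alert from a watchlist.
        return not self.referenced


def check_watchlist_query(query: str) -> QueryCheck:
    """Return which other watchlists a saved query depends on, if any."""
    result = QueryCheck(query=query)
    for m in WATCHLIST_TERM.finditer(query):
        name = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        result.referenced.append(name)
        if m.group("neg"):
            result.negated.append(name)
    return result


def audit_watchlist_queries(queries) -> dict:
    """Map each query that will not Alert to the watchlists it references."""
    return {
        q: check_watchlist_query(q).referenced
        for q in queries
        if not check_watchlist_query(q).can_alert_as_watchlist
    }
```

Any query the audit returns should be kept as an Investigate-page search (or rewritten in terms of process fields) rather than saved as a watchlist report.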
Additional Information
If this is a desired functionality in the product, please vote on the following Idea Central feature request: CB ThreatHunter: Nested Watchlists