CB ThreatHunter: Will nested watchlists trigger alerts?
search cancel

CB ThreatHunter: Will nested watchlists trigger alerts?


Article ID: 285147


Updated On:


Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)


Can a custom watchlist be created and subscribed to that will trigger an Alert when a separate watchlist Alerts on specific activity? i.e.
  • (watchlist_name:"Carbon Black Advanced Threats" AND -(process_name:<name>.exe OR process_name:<name>.exe))
  • ((watchlist_name:"MITRE ATT&CK - Execution" AND watchlist_name:"MITRE ATT&CK - Persistence"))


  • CB ThreatHunter Web Console: All Versions


In the products current configuration the above examples are only able to return hits when executed on the Investigate page and not when saved in a custom watchlist.

Additional Information

If this is a desired functionality in the product, please vote on the following Idea Central feature request: CB ThreatHunter: Nested Watchlists