Carbon Black Cloud Console: How to Identify When a Watchlist Was Disabled
search cancel

Carbon Black Cloud Console: How to Identify When a Watchlist Was Disabled

book

Article ID: 285418

calendar_today

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Identify when a Watchlist was enabled/disabled
  • Identify when a Watchlist was edited
  • Identify who enabled/disabled a Watchlist

Environment

  • Carbon Black Cloud Console: All Versions

Resolution

There are two steps needed to identify when and who disabled a Watchlist
  1. Get the watchlist Id's as part of the URL
    1. click on the watchlist under watchlist page.
    2.  Observe in the URL:  
      1. https://defense-prod05.conferdeploy.net/enforce/watchlists/<ID>
  2. Search Audit log for the watchlist_id
    1. Sort by All Time
  3. Watchlists that were edited or disabled will appear
Powered by Wolken Software