Carbon Black Cloud Console: How to Identify When a Watchlist Was Disabled
Article ID: 285418
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
- Identify when a Watchlist was enabled/disabled
- Identify when a Watchlist was edited
- Identify who enabled/disabled a Watchlist
Environment
- Carbon Black Cloud Console: All Versions
Resolution
Two steps are needed to identify when a Watchlist was disabled and who disabled it:
- Get the Watchlist ID from the URL
  - Click on the Watchlist on the Watchlists page.
  - Observe the ID at the end of the URL: https://defense-prod05.conferdeploy.net/enforce/watchlists/<ID>
- Search the Audit Log for the watchlist_id
  - Sort by All Time
  - Watchlists that were edited or disabled will appear