CB Response: Why is a watchlist entry showing under the API tab rather than the watchlist tab in the HUD Query Duration widget?

search cancel

CB Response: Why is a watchlist entry showing under the API tab rather than the watchlist tab in the HUD Query Duration widget?

book

Article ID: 288186

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why is a watchlist entry showing under the API tab rather than the watchlist tab in the HUD Query Duration widget?

Environment

CB Response Server: 6.4.0 and later
CB Response Sensor: All versions

Resolution

The origin of the query is from the API job that includes a watchlist search.

Additional Information

Here is an example query using "watchlist_196":

| 699 | 2017-11-04 06:51:16.459+00 | | api 
+(parent_name:? +parent_name:? +process_name:? -SameCoreJoinQuery [fromQuery=childproc_name:?, fromField=id, toField=id, scoreMode=None] +os_type:?) +(+last_server_update:[? TO ?] -SameCoreJoinQuery [fromQuery=watchlist_196:*, fromField=id 
, toField=id, scoreMode=None]) | 490 | 2017-11-04 06:51:16.7+00 | 3b238372-1bd2-4be5-b112-xxxxxxxxxxxxx | feed 
id:?

Feedback

thumb_up Yes

thumb_down No